openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Convert virNetwork to use virSocketAddr everywhere 

Instead of storing the IP address string in virNetwork related
structs, store the parsed virSocketAddr. This will make it
easier to add IPv6 support in the future, by letting driver
code directly check what address family is present

* src/conf/network_conf.c, src/conf/network_conf.h,
  src/network/bridge_driver.c: Convert to use virSocketAddr
  in virNetwork, instead of char *.
* src/util/bridge.c, src/util/bridge.h,
  src/util/dnsmasq.c, src/util/dnsmasq.h,
  src/util/iptables.c, src/util/iptables.h: Convert to
  take a virSocketAddr instead of char * for any IP
  address parameters
* src/util/network.h: Add macros to determine if an address
  is set, and what address family is set.
This commit is contained in:
Daniel P. Berrange 2010-10-21 13:14:33 +01:00
parent 4b16b9c77f
commit 090404acfe
11 changed files with 360 additions and 246 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
po/POTFILES.in
View File

@ -81,6 +81,7 @@ src/util/dnsmasq.c
src/util/hooks.c src/util/hooks.c
src/util/hostusb.c src/util/hostusb.c
src/util/interface.c src/util/interface.c
src/util/iptables.c
src/util/json.c src/util/json.c
src/util/macvtap.c src/util/macvtap.c
src/util/network.c src/util/network.c

121
src/conf/network_conf.c
View File

@ -21,8 +21,6 @@
* Author: Daniel P. Berrange <berrange@redhat.com> * Author: Daniel P. Berrange <berrange@redhat.com>
*/ */
#include <config.h> #include <config.h>
#include <unistd.h> #include <unistd.h>
@ -99,27 +97,18 @@ void virNetworkDefFree(virNetworkDefPtr def)
VIR_FREE(def->name); VIR_FREE(def->name);
VIR_FREE(def->bridge); VIR_FREE(def->bridge);
VIR_FREE(def->forwardDev); VIR_FREE(def->forwardDev);
VIR_FREE(def->ipAddress);
VIR_FREE(def->network);
VIR_FREE(def->netmask);
VIR_FREE(def->domain); VIR_FREE(def->domain);
for (i = 0 ; i < def->nranges && def->ranges ; i++) {
VIR_FREE(def->ranges[i].start);
VIR_FREE(def->ranges[i].end);
}
VIR_FREE(def->ranges); VIR_FREE(def->ranges);
for (i = 0 ; i < def->nhosts && def->hosts ; i++) { for (i = 0 ; i < def->nhosts && def->hosts ; i++) {
VIR_FREE(def->hosts[i].mac); VIR_FREE(def->hosts[i].mac);
VIR_FREE(def->hosts[i].ip);
VIR_FREE(def->hosts[i].name); VIR_FREE(def->hosts[i].name);
} }
VIR_FREE(def->hosts); VIR_FREE(def->hosts);
VIR_FREE(def->tftproot); VIR_FREE(def->tftproot);
VIR_FREE(def->bootfile); VIR_FREE(def->bootfile);
VIR_FREE(def->bootserver);
VIR_FREE(def); VIR_FREE(def);
} }
@ -270,9 +259,8 @@ virNetworkDHCPRangeDefParseXML(virNetworkDefPtr def,
virReportOOMError(); virReportOOMError();
return -1; return -1;
} }
def->ranges[def->nranges].start = (char *)start; def->ranges[def->nranges].start = saddr;
def->ranges[def->nranges].end = (char *)end; def->ranges[def->nranges].end = eaddr;
def->ranges[def->nranges].size = range;
def->nranges++; def->nranges++;
} else if (cur->type == XML_ELEMENT_NODE && } else if (cur->type == XML_ELEMENT_NODE &&
xmlStrEqual(cur->name, BAD_CAST "host")) { xmlStrEqual(cur->name, BAD_CAST "host")) {
@ -321,20 +309,26 @@ virNetworkDHCPRangeDefParseXML(virNetworkDefPtr def,
} }
def->hosts[def->nhosts].mac = (char *)mac; def->hosts[def->nhosts].mac = (char *)mac;
def->hosts[def->nhosts].name = (char *)name; def->hosts[def->nhosts].name = (char *)name;
def->hosts[def->nhosts].ip = (char *)ip; def->hosts[def->nhosts].ip = inaddr;
def->nhosts++; def->nhosts++;
} else if (cur->type == XML_ELEMENT_NODE && } else if (cur->type == XML_ELEMENT_NODE &&
xmlStrEqual(cur->name, BAD_CAST "bootp")) { xmlStrEqual(cur->name, BAD_CAST "bootp")) {
xmlChar *file; xmlChar *file;
xmlChar *server;
virSocketAddr inaddr;
if (!(file = xmlGetProp(cur, BAD_CAST "file"))) { if (!(file = xmlGetProp(cur, BAD_CAST "file"))) {
cur = cur->next; cur = cur->next;
continue; continue;
} }
server = xmlGetProp(cur, BAD_CAST "server");
if (virSocketParseAddr((const char *)server, &inaddr, AF_UNSPEC) < 0)
return -1;
def->bootfile = (char *)file; def->bootfile = (char *)file;
def->bootserver = (char *) xmlGetProp(cur, BAD_CAST "server"); def->bootserver = inaddr;
} }
cur = cur->next; cur = cur->next;
@ -378,6 +372,8 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)
{ {
virNetworkDefPtr def; virNetworkDefPtr def;
char *tmp; char *tmp;
char *ipAddress;
char *netmask;
if (VIR_ALLOC(def) < 0) { if (VIR_ALLOC(def) < 0) {
virReportOOMError(); virReportOOMError();
@ -421,49 +417,41 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)
if (virXPathULong("string(./bridge[1]/@delay)", ctxt, &def->delay) < 0) if (virXPathULong("string(./bridge[1]/@delay)", ctxt, &def->delay) < 0)
def->delay = 0; def->delay = 0;
def->ipAddress = virXPathString("string(./ip[1]/@address)", ctxt); ipAddress = virXPathString("string(./ip[1]/@address)", ctxt);
def->netmask = virXPathString("string(./ip[1]/@netmask)", ctxt); netmask = virXPathString("string(./ip[1]/@netmask)", ctxt);
if (def->ipAddress && if (ipAddress &&
def->netmask) { netmask) {
virSocketAddr inaddress, innetmask;
char *netaddr;
xmlNodePtr ip; xmlNodePtr ip;
if (virSocketParseAddr(def->ipAddress, &inaddress, AF_UNSPEC) < 0) if (virSocketParseAddr(ipAddress, &def->ipAddress, AF_UNSPEC) < 0)
goto error; goto error;
if (virSocketParseAddr(def->netmask, &innetmask, AF_UNSPEC) < 0) if (virSocketParseAddr(netmask, &def->netmask, AF_UNSPEC) < 0)
goto error; goto error;
/* XXX someday we want IPv6, so will need to relax this */ /* XXX someday we want IPv6, so will need to relax this */
if (inaddress.data.sa.sa_family != AF_INET || if (!VIR_SOCKET_IS_FAMILY(&def->ipAddress, AF_INET) ||
innetmask.data.sa.sa_family != AF_INET) { !VIR_SOCKET_IS_FAMILY(&def->netmask, AF_INET)) {
virNetworkReportError(VIR_ERR_CONFIG_UNSUPPORTED, virNetworkReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("Only IPv4 addresses are supported")); "%s", _("Only IPv4 addresses are supported"));
goto error; goto error;
} }
inaddress.data.inet4.sin_addr.s_addr &= def->network = def->ipAddress;
innetmask.data.inet4.sin_addr.s_addr; def->network.data.inet4.sin_addr.s_addr &=
if (!(netaddr = virSocketFormatAddr(&inaddress))) def->netmask.data.inet4.sin_addr.s_addr;
goto error;
if (virAsprintf(&def->network, "%s/%s", netaddr, def->netmask) < 0) {
VIR_FREE(netaddr);
virReportOOMError();
goto error;
}
VIR_FREE(netaddr);
if ((ip = virXPathNode("./ip[1]", ctxt)) && if ((ip = virXPathNode("./ip[1]", ctxt)) &&
virNetworkIPParseXML(def, ip) < 0) virNetworkIPParseXML(def, ip) < 0)
goto error; goto error;
} }
VIR_FREE(ipAddress);
VIR_FREE(netmask);
/* IPv4 forwarding setup */ /* IPv4 forwarding setup */
if (virXPathBoolean("count(./forward) > 0", ctxt)) { if (virXPathBoolean("count(./forward) > 0", ctxt)) {
if (!def->ipAddress || if (def->ipAddress.data.sa.sa_family != AF_INET ||
!def->netmask) { def->netmask.data.sa.sa_family != AF_INET) {
virNetworkReportError(VIR_ERR_INTERNAL_ERROR, virNetworkReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("Forwarding requested, but no IPv4 address/netmask provided")); "%s", _("Forwarding requested, but no IPv4 address/netmask provided"));
goto error; goto error;
@ -583,14 +571,25 @@ char *virNetworkDefFormat(const virNetworkDefPtr def)
if (def->domain) if (def->domain)
virBufferVSprintf(&buf, " <domain name='%s'/>\n", def->domain); virBufferVSprintf(&buf, " <domain name='%s'/>\n", def->domain);
if (def->ipAddress || def->netmask) { if (VIR_SOCKET_HAS_ADDR(&def->ipAddress) ||
VIR_SOCKET_HAS_ADDR(&def->netmask)) {
virBufferAddLit(&buf, " <ip"); virBufferAddLit(&buf, " <ip");
if (def->ipAddress) if (VIR_SOCKET_HAS_ADDR(&def->ipAddress)) {
virBufferVSprintf(&buf, " address='%s'", def->ipAddress); char *addr = virSocketFormatAddr(&def->ipAddress);
if (!addr)
goto error;
virBufferVSprintf(&buf, " address='%s'", addr);
VIR_FREE(addr);
}
if (def->netmask) if (VIR_SOCKET_HAS_ADDR(&def->netmask)) {
virBufferVSprintf(&buf, " netmask='%s'", def->netmask); char *addr = virSocketFormatAddr(&def->netmask);
if (!addr)
goto error;
virBufferVSprintf(&buf, " netmask='%s'", addr);
VIR_FREE(addr);
}
virBufferAddLit(&buf, ">\n"); virBufferAddLit(&buf, ">\n");
@ -601,25 +600,44 @@ char *virNetworkDefFormat(const virNetworkDefPtr def)
if ((def->nranges || def->nhosts)) { if ((def->nranges || def->nhosts)) {
int i; int i;
virBufferAddLit(&buf, " <dhcp>\n"); virBufferAddLit(&buf, " <dhcp>\n");
for (i = 0 ; i < def->nranges ; i++) for (i = 0 ; i < def->nranges ; i++) {
char *saddr = virSocketFormatAddr(&def->ranges[i].start);
if (!saddr)
goto error;
char *eaddr = virSocketFormatAddr(&def->ranges[i].end);
if (!eaddr) {
VIR_FREE(saddr);
goto error;
}
virBufferVSprintf(&buf, " <range start='%s' end='%s' />\n", virBufferVSprintf(&buf, " <range start='%s' end='%s' />\n",
def->ranges[i].start, def->ranges[i].end); saddr, eaddr);
VIR_FREE(saddr);
VIR_FREE(eaddr);
}
for (i = 0 ; i < def->nhosts ; i++) { for (i = 0 ; i < def->nhosts ; i++) {
virBufferAddLit(&buf, " <host "); virBufferAddLit(&buf, " <host ");
if (def->hosts[i].mac) if (def->hosts[i].mac)
virBufferVSprintf(&buf, "mac='%s' ", def->hosts[i].mac); virBufferVSprintf(&buf, "mac='%s' ", def->hosts[i].mac);
if (def->hosts[i].name) if (def->hosts[i].name)
virBufferVSprintf(&buf, "name='%s' ", def->hosts[i].name); virBufferVSprintf(&buf, "name='%s' ", def->hosts[i].name);
if (def->hosts[i].ip) if (VIR_SOCKET_HAS_ADDR(&def->hosts[i].ip)) {
virBufferVSprintf(&buf, "ip='%s' ", def->hosts[i].ip); char *ipaddr = virSocketFormatAddr(&def->hosts[i].ip);
if (!ipaddr)
goto error;
virBufferVSprintf(&buf, "ip='%s' ", ipaddr);
VIR_FREE(ipaddr);
}
virBufferAddLit(&buf, "/>\n"); virBufferAddLit(&buf, "/>\n");
} }
if (def->bootfile) { if (def->bootfile) {
virBufferEscapeString(&buf, " <bootp file='%s' ", virBufferEscapeString(&buf, " <bootp file='%s' ",
def->bootfile); def->bootfile);
if (def->bootserver) { if (VIR_SOCKET_HAS_ADDR(&def->bootserver)) {
virBufferEscapeString(&buf, "server='%s' ", char *ipaddr = virSocketFormatAddr(&def->bootserver);
def->bootserver); if (!ipaddr)
goto error;
virBufferEscapeString(&buf, "server='%s' ", ipaddr);
VIR_FREE(ipaddr);
} }
virBufferAddLit(&buf, "/>\n"); virBufferAddLit(&buf, "/>\n");
} }
@ -639,6 +657,7 @@ char *virNetworkDefFormat(const virNetworkDefPtr def)
no_memory: no_memory:
virReportOOMError(); virReportOOMError();
error:
virBufferFreeAndReset(&buf); virBufferFreeAndReset(&buf);
return NULL; return NULL;
} }

16
src/conf/network_conf.h
View File

@ -30,6 +30,7 @@
# include "internal.h" # include "internal.h"
# include "threads.h" # include "threads.h"
# include "network.h"
/* 2 possible types of forwarding */ /* 2 possible types of forwarding */
enum virNetworkForwardType { enum virNetworkForwardType {
@ -43,9 +44,8 @@ enum virNetworkForwardType {
typedef struct _virNetworkDHCPRangeDef virNetworkDHCPRangeDef; typedef struct _virNetworkDHCPRangeDef virNetworkDHCPRangeDef;
typedef virNetworkDHCPRangeDef *virNetworkDHCPRangeDefPtr; typedef virNetworkDHCPRangeDef *virNetworkDHCPRangeDefPtr;
struct _virNetworkDHCPRangeDef { struct _virNetworkDHCPRangeDef {
char *start; virSocketAddr start;
char *end; virSocketAddr end;
int size;
}; };
typedef struct _virNetworkDHCPHostDef virNetworkDHCPHostDef; typedef struct _virNetworkDHCPHostDef virNetworkDHCPHostDef;
@ -53,7 +53,7 @@ typedef virNetworkDHCPHostDef *virNetworkDHCPHostDefPtr;
struct _virNetworkDHCPHostDef { struct _virNetworkDHCPHostDef {
char *mac; char *mac;
char *name; char *name;
char *ip; virSocketAddr ip;
}; };
typedef struct _virNetworkDef virNetworkDef; typedef struct _virNetworkDef virNetworkDef;
@ -70,9 +70,9 @@ struct _virNetworkDef {
int forwardType; /* One of virNetworkForwardType constants */ int forwardType; /* One of virNetworkForwardType constants */
char *forwardDev; /* Destination device for forwarding */ char *forwardDev; /* Destination device for forwarding */
char *ipAddress; /* Bridge IP address */ virSocketAddr ipAddress; /* Bridge IP address */
char *netmask; virSocketAddr netmask;
char *network; virSocketAddr network;
unsigned int nranges; /* Zero or more dhcp ranges */ unsigned int nranges; /* Zero or more dhcp ranges */
virNetworkDHCPRangeDefPtr ranges; virNetworkDHCPRangeDefPtr ranges;
@ -82,7 +82,7 @@ struct _virNetworkDef {
char *tftproot; char *tftproot;
char *bootfile; char *bootfile;
char *bootserver; virSocketAddr bootserver;
}; };
typedef struct _virNetworkObj virNetworkObj; typedef struct _virNetworkObj virNetworkObj;

162
src/network/bridge_driver.c
View File

@ -143,7 +143,7 @@ networkFindActiveConfigs(struct network_driver *driver) {
obj->active = 1; obj->active = 1;
/* Finally try and read dnsmasq pid if any */ /* Finally try and read dnsmasq pid if any */
if ((obj->def->ipAddress || if ((VIR_SOCKET_HAS_ADDR(&obj->def->ipAddress) ||
obj->def->nranges) && obj->def->nranges) &&
virFileReadPid(NETWORK_PID_DIR, obj->def->name, virFileReadPid(NETWORK_PID_DIR, obj->def->name,
&obj->dnsmasqPid) == 0) { &obj->dnsmasqPid) == 0) {
@ -375,8 +375,8 @@ networkSaveDnsmasqHostsfile(virNetworkObjPtr network,
for (i = 0 ; i < network->def->nhosts ; i++) { for (i = 0 ; i < network->def->nhosts ; i++) {
virNetworkDHCPHostDefPtr host = &(network->def->hosts[i]); virNetworkDHCPHostDefPtr host = &(network->def->hosts[i]);
if ((host->mac) && (host->ip)) if ((host->mac) && VIR_SOCKET_HAS_ADDR(&host->ip))
dnsmasqAddDhcpHost(dctx, host->mac, host->ip, host->name); dnsmasqAddDhcpHost(dctx, host->mac, &host->ip, host->name);
} }
if (dnsmasqSave(dctx) < 0) if (dnsmasqSave(dctx) < 0)
@ -395,6 +395,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
char *pidfileArg; char *pidfileArg;
char buf[1024]; char buf[1024];
unsigned int ranges; unsigned int ranges;
char *ipAddr;
/* /*
* For static-only DHCP, i.e. with no range but at least one host element, * For static-only DHCP, i.e. with no range but at least one host element,
@ -491,27 +492,46 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
* APPEND_ARG(*argv, i++, network->def->bridge); * APPEND_ARG(*argv, i++, network->def->bridge);
*/ */
APPEND_ARG(*argv, i++, "--listen-address"); APPEND_ARG(*argv, i++, "--listen-address");
APPEND_ARG(*argv, i++, network->def->ipAddress); if (!(ipAddr = virSocketFormatAddr(&network->def->ipAddress)))
goto error;
APPEND_ARG_LIT(*argv, i++, ipAddr);
APPEND_ARG(*argv, i++, "--except-interface"); APPEND_ARG(*argv, i++, "--except-interface");
APPEND_ARG(*argv, i++, "lo"); APPEND_ARG(*argv, i++, "lo");
for (r = 0 ; r < network->def->nranges ; r++) { for (r = 0 ; r < network->def->nranges ; r++) {
snprintf(buf, sizeof(buf), "%s,%s", char *saddr = virSocketFormatAddr(&network->def->ranges[r].start);
network->def->ranges[r].start, if (!saddr)
network->def->ranges[r].end); goto error;
char *eaddr = virSocketFormatAddr(&network->def->ranges[r].end);
if (!eaddr) {
VIR_FREE(saddr);
goto error;
}
char *range;
int rc = virAsprintf(&range, "%s,%s", saddr, eaddr);
VIR_FREE(saddr);
VIR_FREE(eaddr);
if (rc < 0)
goto no_memory;
APPEND_ARG(*argv, i++, "--dhcp-range"); APPEND_ARG(*argv, i++, "--dhcp-range");
APPEND_ARG(*argv, i++, buf); APPEND_ARG_LIT(*argv, i++, range);
nbleases += network->def->ranges[r].size; nbleases += virSocketGetRange(&network->def->ranges[r].start,
&network->def->ranges[r].end);
} }
if (!network->def->nranges && network->def->nhosts) { if (!network->def->nranges && network->def->nhosts) {
snprintf(buf, sizeof(buf), "%s,static", char *ipaddr = virSocketFormatAddr(&network->def->ipAddress);
network->def->ipAddress); if (!ipaddr)
goto error;
char *range;
int rc = virAsprintf(&range, "%s,static", ipaddr);
VIR_FREE(ipaddr);
if (rc < 0)
goto no_memory;
APPEND_ARG(*argv, i++, "--dhcp-range"); APPEND_ARG(*argv, i++, "--dhcp-range");
APPEND_ARG(*argv, i++, buf); APPEND_ARG_LIT(*argv, i++, range);
} }
if (network->def->nranges > 0) { if (network->def->nranges > 0) {
@ -546,13 +566,22 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
APPEND_ARG(*argv, i++, network->def->tftproot); APPEND_ARG(*argv, i++, network->def->tftproot);
} }
if (network->def->bootfile) { if (network->def->bootfile) {
snprintf(buf, sizeof(buf), "%s%s%s", char *ipaddr = NULL;
network->def->bootfile, if (VIR_SOCKET_HAS_ADDR(&network->def->bootserver)) {
network->def->bootserver ? ",," : "", if (!(ipaddr = virSocketFormatAddr(&network->def->bootserver)))
network->def->bootserver ? network->def->bootserver : ""); goto error;
}
char *boot;
int rc = virAsprintf(&boot, "%s%s%s",
network->def->bootfile,
ipaddr ? ",," : "",
ipaddr ? ipaddr : "");
VIR_FREE(ipaddr);
if (rc < 0)
goto no_memory;
APPEND_ARG(*argv, i++, "--dhcp-boot"); APPEND_ARG(*argv, i++, "--dhcp-boot");
APPEND_ARG(*argv, i++, buf); APPEND_ARG_LIT(*argv, i++, boot);
} }
#undef APPEND_ARG #undef APPEND_ARG
@ -560,12 +589,13 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
return 0; return 0;
no_memory: no_memory:
virReportOOMError();
error:
if (*argv) { if (*argv) {
for (i = 0; (*argv)[i]; i++) for (i = 0; (*argv)[i]; i++)
VIR_FREE((*argv)[i]); VIR_FREE((*argv)[i]);
VIR_FREE(*argv); VIR_FREE(*argv);
} }
virReportOOMError();
return -1; return -1;
} }
@ -579,9 +609,9 @@ dhcpStartDhcpDaemon(virNetworkObjPtr network)
network->dnsmasqPid = -1; network->dnsmasqPid = -1;
if (network->def->ipAddress == NULL) { if (!VIR_SOCKET_IS_FAMILY(&network->def->ipAddress, AF_INET)) {
networkReportError(VIR_ERR_INTERNAL_ERROR, networkReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("cannot start dhcp daemon without IP address for server")); "%s", _("cannot start dhcp daemon without IPv4 address for server"));
return -1; return -1;
} }
@ -641,7 +671,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
int err; int err;
/* allow forwarding packets from the bridge interface */ /* allow forwarding packets from the bridge interface */
if ((err = iptablesAddForwardAllowOut(driver->iptables, if ((err = iptablesAddForwardAllowOut(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev))) { network->def->forwardDev))) {
virReportSystemError(err, virReportSystemError(err,
@ -652,7 +682,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
/* allow forwarding packets to the bridge interface if they are part of an existing connection */ /* allow forwarding packets to the bridge interface if they are part of an existing connection */
if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables, if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev))) { network->def->forwardDev))) {
virReportSystemError(err, virReportSystemError(err,
@ -686,7 +716,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
/* First the generic masquerade rule for other protocols */ /* First the generic masquerade rule for other protocols */
if ((err = iptablesAddForwardMasquerade(driver->iptables, if ((err = iptablesAddForwardMasquerade(driver->iptables,
network->def->network, &network->def->network,
network->def->forwardDev, network->def->forwardDev,
NULL))) { NULL))) {
virReportSystemError(err, virReportSystemError(err,
@ -697,7 +727,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
/* UDP with a source port restriction */ /* UDP with a source port restriction */
if ((err = iptablesAddForwardMasquerade(driver->iptables, if ((err = iptablesAddForwardMasquerade(driver->iptables,
network->def->network, &network->def->network,
network->def->forwardDev, network->def->forwardDev,
"udp"))) { "udp"))) {
virReportSystemError(err, virReportSystemError(err,
@ -708,7 +738,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
/* TCP with a source port restriction */ /* TCP with a source port restriction */
if ((err = iptablesAddForwardMasquerade(driver->iptables, if ((err = iptablesAddForwardMasquerade(driver->iptables,
network->def->network, &network->def->network,
network->def->forwardDev, network->def->forwardDev,
"tcp"))) { "tcp"))) {
virReportSystemError(err, virReportSystemError(err,
@ -721,22 +751,22 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
masqerr5: masqerr5:
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(driver->iptables,
network->def->network, &network->def->network,
network->def->forwardDev, network->def->forwardDev,
"udp"); "udp");
masqerr4: masqerr4:
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(driver->iptables,
network->def->network, &network->def->network,
network->def->forwardDev, network->def->forwardDev,
NULL); NULL);
masqerr3: masqerr3:
iptablesRemoveForwardAllowRelatedIn(driver->iptables, iptablesRemoveForwardAllowRelatedIn(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev); network->def->forwardDev);
masqerr2: masqerr2:
iptablesRemoveForwardAllowOut(driver->iptables, iptablesRemoveForwardAllowOut(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev); network->def->forwardDev);
masqerr1: masqerr1:
@ -749,7 +779,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
int err; int err;
/* allow routing packets from the bridge interface */ /* allow routing packets from the bridge interface */
if ((err = iptablesAddForwardAllowOut(driver->iptables, if ((err = iptablesAddForwardAllowOut(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev))) { network->def->forwardDev))) {
virReportSystemError(err, virReportSystemError(err,
@ -760,7 +790,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
/* allow routing packets to the bridge interface */ /* allow routing packets to the bridge interface */
if ((err = iptablesAddForwardAllowIn(driver->iptables, if ((err = iptablesAddForwardAllowIn(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev))) { network->def->forwardDev))) {
virReportSystemError(err, virReportSystemError(err,
@ -774,7 +804,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
routeerr2: routeerr2:
iptablesRemoveForwardAllowOut(driver->iptables, iptablesRemoveForwardAllowOut(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev); network->def->forwardDev);
routeerr1: routeerr1:
@ -866,7 +896,8 @@ networkAddIptablesRules(struct network_driver *driver,
* aborting, since not all iptables implementations support it). * aborting, since not all iptables implementations support it).
*/ */
if ((network->def->ipAddress || network->def->nranges) && if ((VIR_SOCKET_HAS_ADDR(&network->def->ipAddress) ||
network->def->nranges) &&
(iptablesAddOutputFixUdpChecksum(driver->iptables, (iptablesAddOutputFixUdpChecksum(driver->iptables,
network->def->bridge, 68) != 0)) { network->def->bridge, 68) != 0)) {
VIR_WARN("Could not add rule to fixup DHCP response checksums " VIR_WARN("Could not add rule to fixup DHCP response checksums "
@ -904,36 +935,37 @@ networkAddIptablesRules(struct network_driver *driver,
static void static void
networkRemoveIptablesRules(struct network_driver *driver, networkRemoveIptablesRules(struct network_driver *driver,
virNetworkObjPtr network) { virNetworkObjPtr network) {
if (network->def->ipAddress || network->def->nranges) { if (VIR_SOCKET_HAS_ADDR(&network->def->ipAddress) ||
network->def->nranges) {
iptablesRemoveOutputFixUdpChecksum(driver->iptables, iptablesRemoveOutputFixUdpChecksum(driver->iptables,
network->def->bridge, 68); network->def->bridge, 68);
} }
if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) { if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) { if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) {
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(driver->iptables,
network->def->network, &network->def->network,
network->def->forwardDev, network->def->forwardDev,
"tcp"); "tcp");
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(driver->iptables,
network->def->network, &network->def->network,
network->def->forwardDev, network->def->forwardDev,
"udp"); "udp");
iptablesRemoveForwardMasquerade(driver->iptables, iptablesRemoveForwardMasquerade(driver->iptables,
network->def->network, &network->def->network,
network->def->forwardDev, network->def->forwardDev,
NULL); NULL);
iptablesRemoveForwardAllowRelatedIn(driver->iptables, iptablesRemoveForwardAllowRelatedIn(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev); network->def->forwardDev);
} else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE) } else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE)
iptablesRemoveForwardAllowIn(driver->iptables, iptablesRemoveForwardAllowIn(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev); network->def->forwardDev);
iptablesRemoveForwardAllowOut(driver->iptables, iptablesRemoveForwardAllowOut(driver->iptables,
network->def->network, &network->def->network,
network->def->bridge, network->def->bridge,
network->def->forwardDev); network->def->forwardDev);
} }
@ -1041,25 +1073,15 @@ static int networkCheckRouteCollision(virNetworkObjPtr network)
unsigned int net_dest; unsigned int net_dest;
char *cur, *buf = NULL; char *cur, *buf = NULL;
enum {MAX_ROUTE_SIZE = 1024*64}; enum {MAX_ROUTE_SIZE = 1024*64};
virSocketAddr inaddress, innetmask;
if (!network->def->ipAddress || !network->def->netmask) if (!VIR_SOCKET_IS_FAMILY(&network->def->ipAddress, AF_INET) ||
return 0; !VIR_SOCKET_IS_FAMILY(&network->def->netmask, AF_INET)) {
if (virSocketParseAddr(network->def->ipAddress, &inaddress, AF_UNSPEC) < 0)
goto error;
if (virSocketParseAddr(network->def->netmask, &innetmask, AF_UNSPEC) < 0)
goto error;
if (inaddress.data.stor.ss_family != AF_INET ||
innetmask.data.stor.ss_family != AF_INET) {
/* Only support collision check for IPv4 */ /* Only support collision check for IPv4 */
goto out; return 0;
} }
net_dest = (inaddress.data.inet4.sin_addr.s_addr & net_dest = (network->def->ipAddress.data.inet4.sin_addr.s_addr &
innetmask.data.inet4.sin_addr.s_addr); network->def->netmask.data.inet4.sin_addr.s_addr);
/* Read whole routing table into memory */ /* Read whole routing table into memory */
if ((len = virFileReadAll(PROC_NET_ROUTE, MAX_ROUTE_SIZE, &buf)) < 0) if ((len = virFileReadAll(PROC_NET_ROUTE, MAX_ROUTE_SIZE, &buf)) < 0)
@ -1112,12 +1134,10 @@ static int networkCheckRouteCollision(virNetworkObjPtr network)
addr_val &= mask_val; addr_val &= mask_val;
if ((net_dest == addr_val) && if ((net_dest == addr_val) &&
(innetmask.data.inet4.sin_addr.s_addr == mask_val)) { (network->def->netmask.data.inet4.sin_addr.s_addr == mask_val)) {
networkReportError(VIR_ERR_INTERNAL_ERROR, networkReportError(VIR_ERR_INTERNAL_ERROR,
_("Network %s/%s is already in use by " _("Network is already in use by interface %s"),
"interface %s"), iface);
network->def->ipAddress,
network->def->netmask, iface);
goto error; goto error;
} }
} }
@ -1160,19 +1180,21 @@ static int networkStartNetworkDaemon(struct network_driver *driver,
if (brSetEnableSTP(driver->brctl, network->def->bridge, network->def->stp ? 1 : 0) < 0) if (brSetEnableSTP(driver->brctl, network->def->bridge, network->def->stp ? 1 : 0) < 0)
goto err_delbr; goto err_delbr;
if (network->def->ipAddress && if (VIR_SOCKET_HAS_ADDR(&network->def->ipAddress) &&
(err = brSetInetAddress(driver->brctl, network->def->bridge, network->def->ipAddress))) { (err = brSetInetAddress(driver->brctl, network->def->bridge,
&network->def->ipAddress))) {
virReportSystemError(err, virReportSystemError(err,
_("cannot set IP address on bridge '%s' to '%s'"), _("cannot set IP address on bridge '%s'"),
network->def->bridge, network->def->ipAddress); network->def->bridge);
goto err_delbr; goto err_delbr;
} }
if (network->def->netmask && if (VIR_SOCKET_HAS_ADDR(&network->def->netmask) &&
(err = brSetInetNetmask(driver->brctl, network->def->bridge, network->def->netmask))) { (err = brSetInetNetmask(driver->brctl, network->def->bridge,
&network->def->netmask))) {
virReportSystemError(err, virReportSystemError(err,
_("cannot set netmask on bridge '%s' to '%s'"), _("cannot set netmask on bridge '%s'"),
network->def->bridge, network->def->netmask); network->def->bridge);
goto err_delbr; goto err_delbr;
} }
@ -1193,7 +1215,7 @@ static int networkStartNetworkDaemon(struct network_driver *driver,
goto err_delbr2; goto err_delbr2;
} }
if ((network->def->ipAddress || if ((VIR_SOCKET_HAS_ADDR(&network->def->ipAddress) ||
network->def->nranges) && network->def->nranges) &&
dhcpStartDhcpDaemon(network) < 0) dhcpStartDhcpDaemon(network) < 0)
goto err_delbr2; goto err_delbr2;

14
src/util/bridge.c
View File

@ -659,9 +659,8 @@ static int
brSetInetAddr(brControl *ctl, brSetInetAddr(brControl *ctl,
const char *ifname, const char *ifname,
int cmd, int cmd,
const char *addr) virSocketAddr *addr)
{ {
virSocketAddr sa;
struct ifreq ifr; struct ifreq ifr;
if (!ctl || !ctl->fd || !ifname || !addr) if (!ctl || !ctl->fd || !ifname || !addr)
@ -672,13 +671,10 @@ brSetInetAddr(brControl *ctl,
if (virStrcpyStatic(ifr.ifr_name, ifname) == NULL) if (virStrcpyStatic(ifr.ifr_name, ifname) == NULL)
return EINVAL; return EINVAL;
if (virSocketParseAddr(addr, &sa, AF_UNSPEC) < 0) if (!VIR_SOCKET_IS_FAMILY(addr, AF_INET))
return EINVAL; return EINVAL;
if (sa.data.sa.sa_family != AF_INET) ifr.ifr_addr = addr->data.sa;
return EINVAL;
ifr.ifr_addr = sa.data.sa;
if (ioctl(ctl->fd, cmd, &ifr) < 0) if (ioctl(ctl->fd, cmd, &ifr) < 0)
return errno; return errno;
@ -702,7 +698,7 @@ brSetInetAddr(brControl *ctl,
int int
brSetInetAddress(brControl *ctl, brSetInetAddress(brControl *ctl,
const char *ifname, const char *ifname,
const char *addr) virSocketAddr *addr)
{ {
return brSetInetAddr(ctl, ifname, SIOCSIFADDR, addr); return brSetInetAddr(ctl, ifname, SIOCSIFADDR, addr);
} }
@ -723,7 +719,7 @@ brSetInetAddress(brControl *ctl,
int int
brSetInetNetmask(brControl *ctl, brSetInetNetmask(brControl *ctl,
const char *ifname, const char *ifname,
const char *addr) virSocketAddr *addr)
{ {
return brSetInetAddr(ctl, ifname, SIOCSIFNETMASK, addr); return brSetInetAddr(ctl, ifname, SIOCSIFNETMASK, addr);
} }

5
src/util/bridge.h
View File

@ -28,6 +28,7 @@
# include <net/if.h> # include <net/if.h>
# include <netinet/in.h> # include <netinet/in.h>
# include "network.h"
/** /**
* BR_IFNAME_MAXLEN: * BR_IFNAME_MAXLEN:
@ -84,10 +85,10 @@ int brGetInterfaceUp (brControl *ctl,
int brSetInetAddress (brControl *ctl, int brSetInetAddress (brControl *ctl,
const char *ifname, const char *ifname,
const char *addr); virSocketAddr *addr);
int brSetInetNetmask (brControl *ctl, int brSetInetNetmask (brControl *ctl,
const char *ifname, const char *ifname,
const char *netmask); virSocketAddr *addr);
int brSetForwardDelay (brControl *ctl, int brSetForwardDelay (brControl *ctl,
const char *bridge, const char *bridge,

17
src/util/dnsmasq.c
View File

@ -76,23 +76,28 @@ hostsfileFree(dnsmasqHostsfile *hostsfile)
static int static int
hostsfileAdd(dnsmasqHostsfile *hostsfile, hostsfileAdd(dnsmasqHostsfile *hostsfile,
const char *mac, const char *mac,
const char *ip, virSocketAddr *ip,
const char *name) const char *name)
{ {
char *ipstr;
if (VIR_REALLOC_N(hostsfile->hosts, hostsfile->nhosts + 1) < 0) if (VIR_REALLOC_N(hostsfile->hosts, hostsfile->nhosts + 1) < 0)
goto alloc_error; goto alloc_error;
if (!(ipstr = virSocketFormatAddr(ip)))
return -1;
if (name) { if (name) {
if (virAsprintf(&hostsfile->hosts[hostsfile->nhosts].host, "%s,%s,%s", if (virAsprintf(&hostsfile->hosts[hostsfile->nhosts].host, "%s,%s,%s",
mac, ip, name) < 0) { mac, ipstr, name) < 0) {
goto alloc_error; goto alloc_error;
} }
} else { } else {
if (virAsprintf(&hostsfile->hosts[hostsfile->nhosts].host, "%s,%s", if (virAsprintf(&hostsfile->hosts[hostsfile->nhosts].host, "%s,%s",
mac, ip) < 0) { mac, ipstr) < 0) {
goto alloc_error; goto alloc_error;
} }
} }
VIR_FREE(ipstr);
hostsfile->nhosts++; hostsfile->nhosts++;
@ -100,7 +105,7 @@ hostsfileAdd(dnsmasqHostsfile *hostsfile,
alloc_error: alloc_error:
virReportOOMError(); virReportOOMError();
VIR_FREE(ipstr);
return -1; return -1;
} }
@ -279,7 +284,7 @@ dnsmasqContextFree(dnsmasqContext *ctx)
* dnsmasqAddDhcpHost: * dnsmasqAddDhcpHost:
* @ctx: pointer to the dnsmasq context for each network * @ctx: pointer to the dnsmasq context for each network
* @mac: pointer to the string contains mac address of the host * @mac: pointer to the string contains mac address of the host
* @ip: pointer to the string contains ip address of the host * @ip: pointer to the socket address contains ip of the host
* @name: pointer to the string contains hostname of the host or NULL * @name: pointer to the string contains hostname of the host or NULL
* *
* Add dhcp-host entry. * Add dhcp-host entry.
@ -287,7 +292,7 @@ dnsmasqContextFree(dnsmasqContext *ctx)
void void
dnsmasqAddDhcpHost(dnsmasqContext *ctx, dnsmasqAddDhcpHost(dnsmasqContext *ctx,
const char *mac, const char *mac,
const char *ip, virSocketAddr *ip,
const char *name) const char *name)
{ {
if (ctx->hostsfile) if (ctx->hostsfile)

4
src/util/dnsmasq.h
View File

@ -22,6 +22,8 @@
#ifndef __DNSMASQ_H__ #ifndef __DNSMASQ_H__
# define __DNSMASQ_H__ # define __DNSMASQ_H__
# include "network.h"
typedef struct typedef struct
{ {
/* /*
@ -50,7 +52,7 @@ dnsmasqContext * dnsmasqContextNew(const char *network_name,
void dnsmasqContextFree(dnsmasqContext *ctx); void dnsmasqContextFree(dnsmasqContext *ctx);
void dnsmasqAddDhcpHost(dnsmasqContext *ctx, void dnsmasqAddDhcpHost(dnsmasqContext *ctx,
const char *mac, const char *mac,
const char *ip, virSocketAddr *ip,
const char *name); const char *name);
int dnsmasqSave(const dnsmasqContext *ctx); int dnsmasqSave(const dnsmasqContext *ctx);
int dnsmasqDelete(const dnsmasqContext *ctx); int dnsmasqDelete(const dnsmasqContext *ctx);

242
src/util/iptables.c
View File

@ -44,6 +44,10 @@
#include "virterror_internal.h" #include "virterror_internal.h"
#include "logging.h" #include "logging.h"
#define iptablesError(code, ...) \
virReportErrorHelper(NULL, VIR_FROM_NONE, code, __FILE__, \
__FUNCTION__, __LINE__, __VA_ARGS__)
enum { enum {
ADD = 0, ADD = 0,
REMOVE REMOVE
@ -324,27 +328,41 @@ iptablesRemoveUdpInput(iptablesContext *ctx,
*/ */
static int static int
iptablesForwardAllowOut(iptablesContext *ctx, iptablesForwardAllowOut(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev, const char *physdev,
int action) int action)
{ {
if (physdev && physdev[0]) { int ret;
return iptablesAddRemoveRule(ctx->forward_filter, char *networkstr;
action,
"--source", network, if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
"--in-interface", iface, iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
"--out-interface", physdev, _("Only IPv4 addresses can be used with iptables"));
"--jump", "ACCEPT", return -1;
NULL);
} else {
return iptablesAddRemoveRule(ctx->forward_filter,
action,
"--source", network,
"--in-interface", iface,
"--jump", "ACCEPT",
NULL);
} }
if (!(networkstr = virSocketFormatAddr(network)))
return -1;
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->forward_filter,
action,
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
"--jump", "ACCEPT",
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->forward_filter,
action,
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
NULL);
}
VIR_FREE(networkstr);
return ret;
} }
/** /**
@ -362,7 +380,7 @@ iptablesForwardAllowOut(iptablesContext *ctx,
*/ */
int int
iptablesAddForwardAllowOut(iptablesContext *ctx, iptablesAddForwardAllowOut(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
@ -384,7 +402,7 @@ iptablesAddForwardAllowOut(iptablesContext *ctx,
*/ */
int int
iptablesRemoveForwardAllowOut(iptablesContext *ctx, iptablesRemoveForwardAllowOut(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
@ -397,31 +415,45 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx,
*/ */
static int static int
iptablesForwardAllowRelatedIn(iptablesContext *ctx, iptablesForwardAllowRelatedIn(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev, const char *physdev,
int action) int action)
{ {
if (physdev && physdev[0]) { int ret;
return iptablesAddRemoveRule(ctx->forward_filter, char *networkstr;
action,
"--destination", network, if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
"--in-interface", physdev, iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
"--out-interface", iface, _("Only IPv4 addresses can be used with iptables"));
"--match", "state", return -1;
"--state", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
} else {
return iptablesAddRemoveRule(ctx->forward_filter,
action,
"--destination", network,
"--out-interface", iface,
"--match", "state",
"--state", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
} }
if (!(networkstr = virSocketFormatAddr(network)))
return -1;
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->forward_filter,
action,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
"--match", "state",
"--state", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->forward_filter,
action,
"--destination", networkstr,
"--out-interface", iface,
"--match", "state",
"--state", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
}
VIR_FREE(networkstr);
return ret;
} }
/** /**
@ -439,7 +471,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
*/ */
int int
iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
@ -461,7 +493,7 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
*/ */
int int
iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
@ -472,27 +504,41 @@ iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
*/ */
static int static int
iptablesForwardAllowIn(iptablesContext *ctx, iptablesForwardAllowIn(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev, const char *physdev,
int action) int action)
{ {
if (physdev && physdev[0]) { int ret;
return iptablesAddRemoveRule(ctx->forward_filter, char *networkstr;
action,
"--destination", network, if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
"--in-interface", physdev, iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
"--out-interface", iface, _("Only IPv4 addresses can be used with iptables"));
"--jump", "ACCEPT", return -1;
NULL);
} else {
return iptablesAddRemoveRule(ctx->forward_filter,
action,
"--destination", network,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
} }
if (!(networkstr = virSocketFormatAddr(network)))
return -1;
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->forward_filter,
action,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->forward_filter,
action,
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
}
VIR_FREE(networkstr);
return ret;
} }
/** /**
@ -510,7 +556,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
*/ */
int int
iptablesAddForwardAllowIn(iptablesContext *ctx, iptablesAddForwardAllowIn(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
@ -532,7 +578,7 @@ iptablesAddForwardAllowIn(iptablesContext *ctx,
*/ */
int int
iptablesRemoveForwardAllowIn(iptablesContext *ctx, iptablesRemoveForwardAllowIn(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev) const char *physdev)
{ {
@ -698,50 +744,64 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx,
*/ */
static int static int
iptablesForwardMasquerade(iptablesContext *ctx, iptablesForwardMasquerade(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *physdev, const char *physdev,
const char *protocol, const char *protocol,
int action) int action)
{ {
int ret;
char *networkstr;
if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
_("Only IPv4 addresses can be used with iptables"));
return -1;
}
if (!(networkstr = virSocketFormatAddr(network)))
return -1;
if (protocol && protocol[0]) { if (protocol && protocol[0]) {
if (physdev && physdev[0]) { if (physdev && physdev[0]) {
return iptablesAddRemoveRule(ctx->nat_postrouting, ret = iptablesAddRemoveRule(ctx->nat_postrouting,
action, action,
"--source", network, "--source", networkstr,
"-p", protocol, "-p", protocol,
"!", "--destination", network, "!", "--destination", networkstr,
"--out-interface", physdev, "--out-interface", physdev,
"--jump", "MASQUERADE", "--jump", "MASQUERADE",
"--to-ports", "1024-65535", "--to-ports", "1024-65535",
NULL); NULL);
} else { } else {
return iptablesAddRemoveRule(ctx->nat_postrouting, ret = iptablesAddRemoveRule(ctx->nat_postrouting,
action, action,
"--source", network, "--source", networkstr,
"-p", protocol, "-p", protocol,
"!", "--destination", network, "!", "--destination", networkstr,
"--jump", "MASQUERADE", "--jump", "MASQUERADE",
"--to-ports", "1024-65535", "--to-ports", "1024-65535",
NULL); NULL);
} }
} else { } else {
if (physdev && physdev[0]) { if (physdev && physdev[0]) {
return iptablesAddRemoveRule(ctx->nat_postrouting, ret = iptablesAddRemoveRule(ctx->nat_postrouting,
action, action,
"--source", network, "--source", networkstr,
"!", "--destination", network, "!", "--destination", networkstr,
"--out-interface", physdev, "--out-interface", physdev,
"--jump", "MASQUERADE", "--jump", "MASQUERADE",
NULL); NULL);
} else { } else {
return iptablesAddRemoveRule(ctx->nat_postrouting, ret = iptablesAddRemoveRule(ctx->nat_postrouting,
action, action,
"--source", network, "--source", networkstr,
"!", "--destination", network, "!", "--destination", networkstr,
"--jump", "MASQUERADE", "--jump", "MASQUERADE",
NULL); NULL);
} }
} }
VIR_FREE(networkstr);
return ret;
} }
/** /**
@ -759,7 +819,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
*/ */
int int
iptablesAddForwardMasquerade(iptablesContext *ctx, iptablesAddForwardMasquerade(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *physdev, const char *physdev,
const char *protocol) const char *protocol)
{ {
@ -781,7 +841,7 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
*/ */
int int
iptablesRemoveForwardMasquerade(iptablesContext *ctx, iptablesRemoveForwardMasquerade(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *physdev, const char *physdev,
const char *protocol) const char *protocol)
{ {

18
src/util/iptables.h
View File

@ -22,6 +22,8 @@
#ifndef __QEMUD_IPTABLES_H__ #ifndef __QEMUD_IPTABLES_H__
# define __QEMUD_IPTABLES_H__ # define __QEMUD_IPTABLES_H__
# include "network.h"
typedef struct _iptablesContext iptablesContext; typedef struct _iptablesContext iptablesContext;
iptablesContext *iptablesContextNew (void); iptablesContext *iptablesContextNew (void);
@ -42,29 +44,29 @@ int iptablesRemoveUdpInput (iptablesContext *ctx,
int port); int port);
int iptablesAddForwardAllowOut (iptablesContext *ctx, int iptablesAddForwardAllowOut (iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesRemoveForwardAllowOut (iptablesContext *ctx, int iptablesRemoveForwardAllowOut (iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesAddForwardAllowIn (iptablesContext *ctx, int iptablesAddForwardAllowIn (iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
int iptablesRemoveForwardAllowIn (iptablesContext *ctx, int iptablesRemoveForwardAllowIn (iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *iface, const char *iface,
const char *physdev); const char *physdev);
@ -84,11 +86,11 @@ int iptablesRemoveForwardRejectIn (iptablesContext *ctx,
const char *iface); const char *iface);
int iptablesAddForwardMasquerade (iptablesContext *ctx, int iptablesAddForwardMasquerade (iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *physdev, const char *physdev,
const char *protocol); const char *protocol);
int iptablesRemoveForwardMasquerade (iptablesContext *ctx, int iptablesRemoveForwardMasquerade (iptablesContext *ctx,
const char *network, virSocketAddr *network,
const char *physdev, const char *physdev,
const char *protocol); const char *protocol);
int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx, int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx,

6
src/util/network.h
View File

@ -34,6 +34,12 @@ typedef struct {
socklen_t len; socklen_t len;
} virSocketAddr; } virSocketAddr;
# define VIR_SOCKET_HAS_ADDR(s) \
((s)->data.sa.sa_family != AF_UNSPEC)
# define VIR_SOCKET_IS_FAMILY(s, f) \
((s)->data.sa.sa_family == f)
typedef virSocketAddr *virSocketAddrPtr; typedef virSocketAddr *virSocketAddrPtr;
int virSocketParseAddr (const char *val, int virSocketParseAddr (const char *val,