openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

nwfilter: use shell variable to invoke 'ip(6)tables' command 

Introduce a shell variable 'IBT' to invoke the ip(6)tables command.

Tested with libvirt-tck.
This commit is contained in:
Stefan Berger 2011-11-22 15:12:04 -05:00 committed by Stefan Berger
parent 970b417abb
commit aa1cb7e706
1 changed files with 155 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

313
src/nwfilter/nwfilter_ebiptables_driver.c
View File

@ -147,6 +147,10 @@ static const char ebiptables_script_set_ifs[] =
#define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \ #define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \
virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path); virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path);
#define NWFILTER_SET_IPTABLES_SHELLVAR(BUFPTR) \
virBufferAsprintf(BUFPTR, "IPT=%s\n", iptables_cmd_path);
#define NWFILTER_SET_IP6TABLES_SHELLVAR(BUFPTR) \
virBufferAsprintf(BUFPTR, "IPT=%s\n", ip6tables_cmd_path);
#define VIRT_IN_CHAIN "libvirt-in" #define VIRT_IN_CHAIN "libvirt-in"
#define VIRT_OUT_CHAIN "libvirt-out" #define VIRT_OUT_CHAIN "libvirt-out"
@ -494,66 +498,60 @@ ebtablesHandleEthHdr(virBufferPtr buf,
/************************ iptables support ************************/ /************************ iptables support ************************/
static int iptablesLinkIPTablesBaseChain(const char *iptables_cmd, static int iptablesLinkIPTablesBaseChain(virBufferPtr buf,
virBufferPtr buf,
const char *udchain, const char *udchain,
const char *syschain, const char *syschain,
unsigned int pos, unsigned int pos,
int stopOnError) int stopOnError)
{ {
virBufferAsprintf(buf, virBufferAsprintf(buf,
"res=$(%s -L %s -n --line-number | " "res=$($IPT -L %s -n --line-number | "
"%s \" %s \")\n" "%s \" %s \")\n"
"if [ $? -ne 0 ]; then\n" "if [ $? -ne 0 ]; then\n"
" %s -I %s %d -j %s\n" " $IPT -I %s %d -j %s\n"
"else\n" "else\n"
" r=$(echo $res | %s '{print $1}')\n" " r=$(echo $res | %s '{print $1}')\n"
" if [ \"${r}\" != \"%d\" ]; then\n" " if [ \"${r}\" != \"%d\" ]; then\n"
" " CMD_DEF("%s -I %s %d -j %s") CMD_SEPARATOR " " CMD_DEF("$IPT -I %s %d -j %s") CMD_SEPARATOR
" " CMD_EXEC " " CMD_EXEC
" %s" " %s"
" r=$(( $r + 1 ))\n" " r=$(( $r + 1 ))\n"
" " CMD_DEF("%s -D %s ${r}") CMD_SEPARATOR " " CMD_DEF("$IPT -D %s ${r}") CMD_SEPARATOR
" " CMD_EXEC " " CMD_EXEC
" %s" " %s"
" fi\n" " fi\n"
"fi\n", "fi\n",
iptables_cmd, syschain, syschain,
grep_cmd_path, udchain, grep_cmd_path, udchain,
iptables_cmd, syschain, pos, udchain, syschain, pos, udchain,
gawk_cmd_path, gawk_cmd_path,
pos, pos,
iptables_cmd, syschain, pos, udchain, syschain, pos, udchain,
CMD_STOPONERR(stopOnError), CMD_STOPONERR(stopOnError),
iptables_cmd, syschain, syschain,
CMD_STOPONERR(stopOnError)); CMD_STOPONERR(stopOnError));
return 0; return 0;
} }
static int iptablesCreateBaseChains(const char *iptables_cmd, static int iptablesCreateBaseChains(virBufferPtr buf)
virBufferPtr buf)
{ {
virBufferAsprintf(buf,"%s -N " VIRT_IN_CHAIN CMD_SEPARATOR virBufferAddLit(buf, "$IPT -N " VIRT_IN_CHAIN CMD_SEPARATOR
"%s -N " VIRT_OUT_CHAIN CMD_SEPARATOR "$IPT -N " VIRT_OUT_CHAIN CMD_SEPARATOR
"%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR "$IPT -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
"%s -N " HOST_IN_CHAIN CMD_SEPARATOR, "$IPT -N " HOST_IN_CHAIN CMD_SEPARATOR);
iptables_cmd, iptablesLinkIPTablesBaseChain(buf,
iptables_cmd,
iptables_cmd,
iptables_cmd);
iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
VIRT_IN_CHAIN , "FORWARD", 1, 1); VIRT_IN_CHAIN , "FORWARD", 1, 1);
iptablesLinkIPTablesBaseChain(iptables_cmd, buf, iptablesLinkIPTablesBaseChain(buf,
VIRT_OUT_CHAIN , "FORWARD", 2, 1); VIRT_OUT_CHAIN , "FORWARD", 2, 1);
iptablesLinkIPTablesBaseChain(iptables_cmd, buf, iptablesLinkIPTablesBaseChain(buf,
VIRT_IN_POST_CHAIN, "FORWARD", 3, 1); VIRT_IN_POST_CHAIN, "FORWARD", 3, 1);
iptablesLinkIPTablesBaseChain(iptables_cmd, buf, iptablesLinkIPTablesBaseChain(buf,
HOST_IN_CHAIN , "INPUT" , 1, 1); HOST_IN_CHAIN , "INPUT" , 1, 1);
return 0; return 0;
@ -561,8 +559,7 @@ static int iptablesCreateBaseChains(const char *iptables_cmd,
static int static int
iptablesCreateTmpRootChain(const char *iptables_cmd, iptablesCreateTmpRootChain(virBufferPtr buf,
virBufferPtr buf,
char prefix, char prefix,
int incoming, const char *ifname, int incoming, const char *ifname,
int stopOnError) int stopOnError)
@ -577,10 +574,9 @@ iptablesCreateTmpRootChain(const char *iptables_cmd,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
CMD_DEF("%s -N %s") CMD_SEPARATOR CMD_DEF("$IPT -N %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
iptables_cmd,
chain, chain,
CMD_STOPONERR(stopOnError)); CMD_STOPONERR(stopOnError));
@ -589,20 +585,18 @@ iptablesCreateTmpRootChain(const char *iptables_cmd,
static int static int
iptablesCreateTmpRootChains(const char *iptables_cmd, iptablesCreateTmpRootChains(virBufferPtr buf,
virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
iptablesCreateTmpRootChain(iptables_cmd, buf, 'F', 0, ifname, 1); iptablesCreateTmpRootChain(buf, 'F', 0, ifname, 1);
iptablesCreateTmpRootChain(iptables_cmd, buf, 'F', 1, ifname, 1); iptablesCreateTmpRootChain(buf, 'F', 1, ifname, 1);
iptablesCreateTmpRootChain(iptables_cmd, buf, 'H', 1, ifname, 1); iptablesCreateTmpRootChain(buf, 'H', 1, ifname, 1);
return 0; return 0;
} }
static int static int
_iptablesRemoveRootChain(const char *iptables_cmd, _iptablesRemoveRootChain(virBufferPtr buf,
virBufferPtr buf,
char prefix, char prefix,
int incoming, const char *ifname, int incoming, const char *ifname,
int isTempChain) int isTempChain)
@ -622,66 +616,60 @@ _iptablesRemoveRootChain(const char *iptables_cmd,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
"%s -F %s" CMD_SEPARATOR "$IPT -F %s" CMD_SEPARATOR
"%s -X %s" CMD_SEPARATOR, "$IPT -X %s" CMD_SEPARATOR,
iptables_cmd, chain, chain,
iptables_cmd, chain); chain);
return 0; return 0;
} }
static int static int
iptablesRemoveRootChain(const char *iptables_cmd, iptablesRemoveRootChain(virBufferPtr buf,
virBufferPtr buf,
char prefix, char prefix,
int incoming, int incoming,
const char *ifname) const char *ifname)
{ {
return _iptablesRemoveRootChain(iptables_cmd, return _iptablesRemoveRootChain(buf, prefix, incoming, ifname, 0);
buf, prefix, incoming, ifname, 0);
} }
static int static int
iptablesRemoveTmpRootChain(const char *iptables_cmd, iptablesRemoveTmpRootChain(virBufferPtr buf,
virBufferPtr buf,
char prefix, char prefix,
int incoming, int incoming,
const char *ifname) const char *ifname)
{ {
return _iptablesRemoveRootChain(iptables_cmd, buf, prefix, return _iptablesRemoveRootChain(buf, prefix,
incoming, ifname, 1); incoming, ifname, 1);
} }
static int static int
iptablesRemoveTmpRootChains(const char *iptables_cmd, iptablesRemoveTmpRootChains(virBufferPtr buf,
virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
iptablesRemoveTmpRootChain(iptables_cmd, buf, 'F', 0, ifname); iptablesRemoveTmpRootChain(buf, 'F', 0, ifname);
iptablesRemoveTmpRootChain(iptables_cmd, buf, 'F', 1, ifname); iptablesRemoveTmpRootChain(buf, 'F', 1, ifname);
iptablesRemoveTmpRootChain(iptables_cmd, buf, 'H', 1, ifname); iptablesRemoveTmpRootChain(buf, 'H', 1, ifname);
return 0; return 0;
} }
static int static int
iptablesRemoveRootChains(const char *iptables_cmd, iptablesRemoveRootChains(virBufferPtr buf,
virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
iptablesRemoveRootChain(iptables_cmd, buf, 'F', 0, ifname); iptablesRemoveRootChain(buf, 'F', 0, ifname);
iptablesRemoveRootChain(iptables_cmd, buf, 'F', 1, ifname); iptablesRemoveRootChain(buf, 'F', 1, ifname);
iptablesRemoveRootChain(iptables_cmd, buf, 'H', 1, ifname); iptablesRemoveRootChain(buf, 'H', 1, ifname);
return 0; return 0;
} }
static int static int
iptablesLinkTmpRootChain(const char *iptables_cmd, iptablesLinkTmpRootChain(virBufferPtr buf,
virBufferPtr buf,
const char *basechain, const char *basechain,
char prefix, char prefix,
int incoming, const char *ifname, int incoming, const char *ifname,
@ -699,11 +687,10 @@ iptablesLinkTmpRootChain(const char *iptables_cmd,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
CMD_DEF("%s -A %s " CMD_DEF("$IPT -A %s "
"%s %s -g %s") CMD_SEPARATOR "%s %s -g %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
iptables_cmd,
basechain, basechain,
match, ifname, chain, match, ifname, chain,
@ -714,37 +701,33 @@ iptablesLinkTmpRootChain(const char *iptables_cmd,
static int static int
iptablesLinkTmpRootChains(const char *cmd, iptablesLinkTmpRootChains(virBufferPtr buf,
virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
iptablesLinkTmpRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname, 1); iptablesLinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname, 1);
iptablesLinkTmpRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname, 1); iptablesLinkTmpRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname, 1);
iptablesLinkTmpRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname, 1); iptablesLinkTmpRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname, 1);
return 0; return 0;
} }
static int static int
iptablesSetupVirtInPost(const char *iptables_cmd, iptablesSetupVirtInPost(virBufferPtr buf,
virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
const char *match = MATCH_PHYSDEV_IN; const char *match = MATCH_PHYSDEV_IN;
virBufferAsprintf(buf, virBufferAsprintf(buf,
"res=$(%s -n -L " VIRT_IN_POST_CHAIN "res=$($IPT -n -L " VIRT_IN_POST_CHAIN
" | grep \"\\%s %s\")\n" " | grep \"\\%s %s\")\n"
"if [ \"${res}\" = \"\" ]; then " "if [ \"${res}\" = \"\" ]; then "
CMD_DEF("%s" CMD_DEF("$IPT"
" -A " VIRT_IN_POST_CHAIN " -A " VIRT_IN_POST_CHAIN
" %s %s -j ACCEPT") CMD_SEPARATOR " %s %s -j ACCEPT") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s" "%s"
"fi\n", "fi\n",
iptables_cmd,
PHYSDEV_IN, ifname, PHYSDEV_IN, ifname,
iptables_cmd,
match, ifname, match, ifname,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
return 0; return 0;
@ -752,22 +735,19 @@ iptablesSetupVirtInPost(const char *iptables_cmd,
static int static int
iptablesClearVirtInPost(const char *iptables_cmd, iptablesClearVirtInPost(virBufferPtr buf,
virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
const char *match = MATCH_PHYSDEV_IN; const char *match = MATCH_PHYSDEV_IN;
virBufferAsprintf(buf, virBufferAsprintf(buf,
"%s -D " VIRT_IN_POST_CHAIN "$IPT -D " VIRT_IN_POST_CHAIN
" %s %s -j ACCEPT" CMD_SEPARATOR, " %s %s -j ACCEPT" CMD_SEPARATOR,
iptables_cmd,
match, ifname); match, ifname);
return 0; return 0;
} }
static int static int
_iptablesUnlinkRootChain(const char *iptables_cmd, _iptablesUnlinkRootChain(virBufferPtr buf,
virBufferPtr buf,
const char *basechain, const char *basechain,
char prefix, char prefix,
int incoming, const char *ifname, int incoming, const char *ifname,
@ -789,9 +769,8 @@ _iptablesUnlinkRootChain(const char *iptables_cmd,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
"%s -D %s " "$IPT -D %s "
"%s %s -g %s" CMD_SEPARATOR, "%s %s -g %s" CMD_SEPARATOR,
iptables_cmd,
basechain, basechain,
match, ifname, chain); match, ifname, chain);
@ -800,57 +779,52 @@ _iptablesUnlinkRootChain(const char *iptables_cmd,
static int static int
iptablesUnlinkRootChain(const char *iptables_cmd, iptablesUnlinkRootChain(virBufferPtr buf,
virBufferPtr buf,
const char *basechain, const char *basechain,
char prefix, char prefix,
int incoming, const char *ifname) int incoming, const char *ifname)
{ {
return _iptablesUnlinkRootChain(iptables_cmd, buf, return _iptablesUnlinkRootChain(buf,
basechain, prefix, incoming, ifname, 0); basechain, prefix, incoming, ifname, 0);
} }
static int static int
iptablesUnlinkTmpRootChain(const char *iptables_cmd, iptablesUnlinkTmpRootChain(virBufferPtr buf,
virBufferPtr buf,
const char *basechain, const char *basechain,
char prefix, char prefix,
int incoming, const char *ifname) int incoming, const char *ifname)
{ {
return _iptablesUnlinkRootChain(iptables_cmd, buf, return _iptablesUnlinkRootChain(buf,
basechain, prefix, incoming, ifname, 1); basechain, prefix, incoming, ifname, 1);
} }
static int static int
iptablesUnlinkRootChains(const char *cmd, iptablesUnlinkRootChains(virBufferPtr buf,
virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
iptablesUnlinkRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname); iptablesUnlinkRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname);
iptablesUnlinkRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname); iptablesUnlinkRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname);
iptablesUnlinkRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname); iptablesUnlinkRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname);
return 0; return 0;
} }
static int static int
iptablesUnlinkTmpRootChains(const char *cmd, iptablesUnlinkTmpRootChains(virBufferPtr buf,
virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
iptablesUnlinkTmpRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname); iptablesUnlinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname);
iptablesUnlinkTmpRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname); iptablesUnlinkTmpRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname);
iptablesUnlinkTmpRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname); iptablesUnlinkTmpRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname);
return 0; return 0;
} }
static int static int
iptablesRenameTmpRootChain(const char *iptables_cmd, iptablesRenameTmpRootChain(virBufferPtr buf,
virBufferPtr buf,
char prefix, char prefix,
int incoming, int incoming,
const char *ifname) const char *ifname)
@ -871,8 +845,7 @@ iptablesRenameTmpRootChain(const char *iptables_cmd,
PRINT_IPT_ROOT_CHAIN( chain, chainPrefix, ifname); PRINT_IPT_ROOT_CHAIN( chain, chainPrefix, ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
"%s -E %s %s" CMD_SEPARATOR, "$IPT -E %s %s" CMD_SEPARATOR,
iptables_cmd,
tmpchain, tmpchain,
chain); chain);
return 0; return 0;
@ -880,13 +853,12 @@ iptablesRenameTmpRootChain(const char *iptables_cmd,
static int static int
iptablesRenameTmpRootChains(const char *iptables_cmd, iptablesRenameTmpRootChains(virBufferPtr buf,
virBufferPtr buf,
const char *ifname) const char *ifname)
{ {
iptablesRenameTmpRootChain(iptables_cmd, buf, 'F', 0, ifname); iptablesRenameTmpRootChain(buf, 'F', 0, ifname);
iptablesRenameTmpRootChain(iptables_cmd, buf, 'F', 1, ifname); iptablesRenameTmpRootChain(buf, 'F', 1, ifname);
iptablesRenameTmpRootChain(iptables_cmd, buf, 'H', 1, ifname); iptablesRenameTmpRootChain(buf, 'H', 1, ifname);
return 0; return 0;
} }
@ -1262,8 +1234,7 @@ _iptablesCreateRuleInstance(int directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_TCP: case VIR_NWFILTER_RULE_PROTOCOL_TCP:
case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -%%c %s %%s", CMD_DEF_PRE "$IPT -%%c %s %%s",
iptables_cmd,
chain); chain);
virBufferAddLit(&buf, " -p tcp"); virBufferAddLit(&buf, " -p tcp");
@ -1318,8 +1289,7 @@ _iptablesCreateRuleInstance(int directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_UDP: case VIR_NWFILTER_RULE_PROTOCOL_UDP:
case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -%%c %s %%s", CMD_DEF_PRE "$IPT -%%c %s %%s",
iptables_cmd,
chain); chain);
virBufferAddLit(&buf, " -p udp"); virBufferAddLit(&buf, " -p udp");
@ -1352,8 +1322,7 @@ _iptablesCreateRuleInstance(int directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -%%c %s %%s", CMD_DEF_PRE "$IPT -%%c %s %%s",
iptables_cmd,
chain); chain);
virBufferAddLit(&buf, " -p udplite"); virBufferAddLit(&buf, " -p udplite");
@ -1381,8 +1350,7 @@ _iptablesCreateRuleInstance(int directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_ESP: case VIR_NWFILTER_RULE_PROTOCOL_ESP:
case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -%%c %s %%s", CMD_DEF_PRE "$IPT -%%c %s %%s",
iptables_cmd,
chain); chain);
virBufferAddLit(&buf, " -p esp"); virBufferAddLit(&buf, " -p esp");
@ -1410,8 +1378,7 @@ _iptablesCreateRuleInstance(int directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_AH: case VIR_NWFILTER_RULE_PROTOCOL_AH:
case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -%%c %s %%s", CMD_DEF_PRE "$IPT -%%c %s %%s",
iptables_cmd,
chain); chain);
virBufferAddLit(&buf, " -p ah"); virBufferAddLit(&buf, " -p ah");
@ -1439,8 +1406,7 @@ _iptablesCreateRuleInstance(int directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_SCTP: case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -%%c %s %%s", CMD_DEF_PRE "$IPT -%%c %s %%s",
iptables_cmd,
chain); chain);
virBufferAddLit(&buf, " -p sctp"); virBufferAddLit(&buf, " -p sctp");
@ -1473,8 +1439,7 @@ _iptablesCreateRuleInstance(int directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_ICMP: case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -%%c %s %%s", CMD_DEF_PRE "$IPT -%%c %s %%s",
iptables_cmd,
chain); chain);
if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP) if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
@ -1539,8 +1504,7 @@ _iptablesCreateRuleInstance(int directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_IGMP: case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -%%c %s %%s", CMD_DEF_PRE "$IPT -%%c %s %%s",
iptables_cmd,
chain); chain);
virBufferAddLit(&buf, " -p igmp"); virBufferAddLit(&buf, " -p igmp");
@ -1568,8 +1532,7 @@ _iptablesCreateRuleInstance(int directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_ALL: case VIR_NWFILTER_RULE_PROTOCOL_ALL:
case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -%%c %s %%s", CMD_DEF_PRE "$IPT -%%c %s %%s",
iptables_cmd,
chain); chain);
virBufferAddLit(&buf, " -p all"); virBufferAddLit(&buf, " -p all");
@ -3696,24 +3659,32 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
goto tear_down_tmpebchains; goto tear_down_tmpebchains;
if (haveIptables) { if (haveIptables) {
iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname); NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname);
iptablesCreateBaseChains(iptables_cmd_path, &buf); iptablesUnlinkTmpRootChains(&buf, ifname);
iptablesRemoveTmpRootChains(&buf, ifname);
iptablesCreateBaseChains(&buf);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpebchains; goto tear_down_tmpebchains;
iptablesCreateTmpRootChains(iptables_cmd_path, &buf, ifname); NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
iptablesCreateTmpRootChains(&buf, ifname);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpiptchains; goto tear_down_tmpiptchains;
iptablesLinkTmpRootChains(iptables_cmd_path, &buf, ifname); NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
iptablesSetupVirtInPost(iptables_cmd_path, &buf, ifname);
iptablesLinkTmpRootChains(&buf, ifname);
iptablesSetupVirtInPost(&buf, ifname);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpiptchains; goto tear_down_tmpiptchains;
NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
for (i = 0; i < nruleInstances; i++) { for (i = 0; i < nruleInstances; i++) {
sa_assert (inst); sa_assert (inst);
if (inst[i]->ruleType == RT_IPTABLES) if (inst[i]->ruleType == RT_IPTABLES)
@ -3729,24 +3700,32 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
} }
if (haveIp6tables) { if (haveIp6tables) {
iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname);
iptablesCreateBaseChains(ip6tables_cmd_path, &buf); iptablesUnlinkTmpRootChains(&buf, ifname);
iptablesRemoveTmpRootChains(&buf, ifname);
iptablesCreateBaseChains(&buf);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpiptchains; goto tear_down_tmpiptchains;
iptablesCreateTmpRootChains(ip6tables_cmd_path, &buf, ifname); NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
iptablesCreateTmpRootChains(&buf, ifname);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpip6tchains; goto tear_down_tmpip6tchains;
iptablesLinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
iptablesSetupVirtInPost(ip6tables_cmd_path, &buf, ifname);
iptablesLinkTmpRootChains(&buf, ifname);
iptablesSetupVirtInPost(&buf, ifname);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpip6tchains; goto tear_down_tmpip6tchains;
NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
for (i = 0; i < nruleInstances; i++) { for (i = 0; i < nruleInstances; i++) {
if (inst[i]->ruleType == RT_IP6TABLES) if (inst[i]->ruleType == RT_IP6TABLES)
iptablesInstCommand(&buf, iptablesInstCommand(&buf,
@ -3791,14 +3770,18 @@ tear_down_ebsubchains_and_unlink:
tear_down_tmpip6tchains: tear_down_tmpip6tchains:
if (haveIp6tables) { if (haveIp6tables) {
iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname);
iptablesUnlinkTmpRootChains(&buf, ifname);
iptablesRemoveTmpRootChains(&buf, ifname);
} }
tear_down_tmpiptchains: tear_down_tmpiptchains:
if (haveIptables) { if (haveIptables) {
iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname); NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname);
iptablesUnlinkTmpRootChains(&buf, ifname);
iptablesRemoveTmpRootChains(&buf, ifname);
} }
tear_down_tmpebchains: tear_down_tmpebchains:
@ -3841,13 +3824,17 @@ ebiptablesTearNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
virBuffer buf = VIR_BUFFER_INITIALIZER; virBuffer buf = VIR_BUFFER_INITIALIZER;
if (iptables_cmd_path) { if (iptables_cmd_path) {
iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname); NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname);
iptablesUnlinkTmpRootChains(&buf, ifname);
iptablesRemoveTmpRootChains(&buf, ifname);
} }
if (ip6tables_cmd_path) { if (ip6tables_cmd_path) {
iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname);
iptablesUnlinkTmpRootChains(&buf, ifname);
iptablesRemoveTmpRootChains(&buf, ifname);
} }
if (ebtables_cmd_path) { if (ebtables_cmd_path) {
@ -3876,18 +3863,22 @@ ebiptablesTearOldRules(virConnectPtr conn ATTRIBUTE_UNUSED,
/* switch to new iptables user defined chains */ /* switch to new iptables user defined chains */
if (iptables_cmd_path) { if (iptables_cmd_path) {
iptablesUnlinkRootChains(iptables_cmd_path, &buf, ifname); NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
iptablesRemoveRootChains(iptables_cmd_path, &buf, ifname);
iptablesRenameTmpRootChains(iptables_cmd_path, &buf, ifname); iptablesUnlinkRootChains(&buf, ifname);
iptablesRemoveRootChains(&buf, ifname);
iptablesRenameTmpRootChains(&buf, ifname);
ebiptablesExecCLI(&buf, &cli_status, NULL); ebiptablesExecCLI(&buf, &cli_status, NULL);
} }
if (ip6tables_cmd_path) { if (ip6tables_cmd_path) {
iptablesUnlinkRootChains(ip6tables_cmd_path, &buf, ifname); NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
iptablesRemoveRootChains(ip6tables_cmd_path, &buf, ifname);
iptablesRenameTmpRootChains(ip6tables_cmd_path, &buf, ifname); iptablesUnlinkRootChains(&buf, ifname);
iptablesRemoveRootChains(&buf, ifname);
iptablesRenameTmpRootChains(&buf, ifname);
ebiptablesExecCLI(&buf, &cli_status, NULL); ebiptablesExecCLI(&buf, &cli_status, NULL);
} }
@ -3974,15 +3965,19 @@ ebiptablesAllTeardown(const char *ifname)
int cli_status; int cli_status;
if (iptables_cmd_path) { if (iptables_cmd_path) {
iptablesUnlinkRootChains(iptables_cmd_path, &buf, ifname); NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
iptablesClearVirtInPost (iptables_cmd_path, &buf, ifname);
iptablesRemoveRootChains(iptables_cmd_path, &buf, ifname); iptablesUnlinkRootChains(&buf, ifname);
iptablesClearVirtInPost (&buf, ifname);
iptablesRemoveRootChains(&buf, ifname);
} }
if (ip6tables_cmd_path) { if (ip6tables_cmd_path) {
iptablesUnlinkRootChains(ip6tables_cmd_path, &buf, ifname); NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
iptablesClearVirtInPost (ip6tables_cmd_path, &buf, ifname);
iptablesRemoveRootChains(ip6tables_cmd_path, &buf, ifname); iptablesUnlinkRootChains(&buf, ifname);
iptablesClearVirtInPost (&buf, ifname);
iptablesRemoveRootChains(&buf, ifname);
} }
if (ebtables_cmd_path) { if (ebtables_cmd_path) {
@ -4056,11 +4051,12 @@ ebiptablesDriverInit(bool privileged)
iptables_cmd_path = virFindFileInPath("iptables"); iptables_cmd_path = virFindFileInPath("iptables");
if (iptables_cmd_path) { if (iptables_cmd_path) {
NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -n -L FORWARD") CMD_SEPARATOR CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
iptables_cmd_path,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
if (ebiptablesExecCLI(&buf, NULL, NULL) < 0) if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)
@ -4069,11 +4065,12 @@ ebiptablesDriverInit(bool privileged)
ip6tables_cmd_path = virFindFileInPath("ip6tables"); ip6tables_cmd_path = virFindFileInPath("ip6tables");
if (ip6tables_cmd_path) { if (ip6tables_cmd_path) {
NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -n -L FORWARD") CMD_SEPARATOR CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ip6tables_cmd_path,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
if (ebiptablesExecCLI(&buf, NULL, NULL) < 0) if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)