diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in index 073b852abce2623d564a9d57bfe2a2944f931bd4..4a60e2ea9adf8ea855aa0efd838121092bcb0d0b 100644 --- a/docs/formatnwfilter.html.in +++ b/docs/formatnwfilter.html.in @@ -1196,6 +1196,26 @@ UINT16 End of range of valid destination ports; requires protocol + + type(Since 1.2.12) + UINT8 + ICMPv6 type; requires protocol to be set to icmpv6 + + + typeend(Since 1.2.12) + UINT8 + ICMPv6 type end of range; requires protocol to be set to icmpv6 + + + code(Since 1.2.12) + UINT8 + ICMPv6 code; requires protocol to be set to icmpv6 + + + code(Since 1.2.12) + UINT8 + ICMPv6 code end of range; requires protocol to be set to icmpv6 + comment (Since 0.8.5) STRING diff --git a/docs/schemas/nwfilter.rng b/docs/schemas/nwfilter.rng index 2b54fd54a09613e99b909b15df409c0dcb094da9..9df39c0a64a4c492889399b4926349fb03d81b5d 100644 --- a/docs/schemas/nwfilter.rng +++ b/docs/schemas/nwfilter.rng @@ -90,6 +90,7 @@ + @@ -588,6 +589,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c index 317792eb50a32c5507c25b49231107613e6ccc0d..aed82ad28847d781f8bf4899def86637bad62c60 100644 --- a/src/conf/nwfilter_conf.c +++ b/src/conf/nwfilter_conf.c @@ -1445,6 +1445,26 @@ static const virXMLAttr2Struct ipv6Attributes[] = { .datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX, .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.portData.dataDstPortEnd), }, + { + .name = "type", + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX, + .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPTypeStart), + }, + { + .name = "typeend", + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX, + .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPTypeEnd), + }, + { + .name = "code", + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX, + .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPCodeStart), + }, + { + .name = "codeend", + .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX, + .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPCodeEnd), + }, COMMENT_PROP_IPHDR(ipv6HdrFilter), { .name = NULL, @@ -2219,6 +2239,12 @@ virNWFilterRuleDefFixup(virNWFilterRuleDefPtr rule) rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr); COPY_NEG_SIGN(rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask, rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr); + COPY_NEG_SIGN(rule->p.ipv6HdrFilter.dataICMPTypeEnd, + rule->p.ipv6HdrFilter.dataICMPTypeStart); + COPY_NEG_SIGN(rule->p.ipv6HdrFilter.dataICMPCodeStart, + rule->p.ipv6HdrFilter.dataICMPTypeStart); + COPY_NEG_SIGN(rule->p.ipv6HdrFilter.dataICMPCodeEnd, + rule->p.ipv6HdrFilter.dataICMPTypeStart); virNWFilterRuleDefFixupIPSet(&rule->p.ipv6HdrFilter.ipHdr); break; diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h index f81df60dc3aea30952ff153bf9b4886308b4182a..6e68ecc8577c46a0079ba58c7120ec66932d0998 100644 --- a/src/conf/nwfilter_conf.h +++ b/src/conf/nwfilter_conf.h @@ -265,6 +265,10 @@ struct _ipv6HdrFilterDef { ethHdrDataDef ethHdr; ipHdrDataDef ipHdr; portDataDef portData; + nwItemDesc dataICMPTypeStart; + nwItemDesc dataICMPTypeEnd; + nwItemDesc dataICMPCodeStart; + nwItemDesc dataICMPCodeEnd; }; diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 377b59bcaa8165a3ab18e12f250286edb4091052..423d069e1b268eb60fc61b44e2b3244bacbeb596 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -1826,6 +1826,7 @@ ebtablesCreateRuleInstance(virFirewallPtr fw, bool hasMask = false; virFirewallRulePtr fwrule; int ret = -1; + virBuffer buf = VIR_BUFFER_INITIALIZER; if (STREQ(chainSuffix, virNWFilterChainSuffixTypeToString( @@ -2342,6 +2343,83 @@ ebtablesCreateRuleInstance(virFirewallPtr fw, virFirewallRuleAddArg(fw, fwrule, number); } } + + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart) || + HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd) || + HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeStart) || + HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeEnd)) { + bool lo = false; + char *r; + + virFirewallRuleAddArg(fw, fwrule, + "--ip6-icmp-type"); + + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) { + if (printDataType(vars, + number, sizeof(number), + &rule->p.ipv6HdrFilter.dataICMPTypeStart) < 0) + goto cleanup; + lo = true; + } else { + ignore_value(virStrcpyStatic(number, "0")); + } + + virBufferStrcat(&buf, number, ":", NULL); + + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd)) { + if (printDataType(vars, + numberalt, sizeof(numberalt), + &rule->p.ipv6HdrFilter.dataICMPTypeEnd) < 0) + goto cleanup; + } else { + if (lo) + ignore_value(virStrcpyStatic(numberalt, number)); + else + ignore_value(virStrcpyStatic(numberalt, "255")); + } + + virBufferStrcat(&buf, numberalt, "/", NULL); + + lo = false; + + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeStart)) { + if (printDataType(vars, + number, sizeof(number), + &rule->p.ipv6HdrFilter.dataICMPCodeStart) < 0) + goto cleanup; + lo = true; + } else { + ignore_value(virStrcpyStatic(number, "0")); + } + + virBufferStrcat(&buf, number, ":", NULL); + + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeEnd)) { + if (printDataType(vars, + numberalt, sizeof(numberalt), + &rule->p.ipv6HdrFilter.dataICMPCodeEnd) < 0) + goto cleanup; + } else { + if (lo) + ignore_value(virStrcpyStatic(numberalt, number)); + else + ignore_value(virStrcpyStatic(numberalt, "255")); + } + + virBufferStrcat(&buf, numberalt, NULL); + + if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) + virFirewallRuleAddArg(fw, fwrule, "!"); + + if (virBufferCheckError(&buf) < 0) + goto cleanup; + + r = virBufferContentAndReset(&buf); + + virFirewallRuleAddArg(fw, fwrule, r); + + VIR_FREE(r); + } break; case VIR_NWFILTER_RULE_PROTOCOL_NONE: @@ -2376,6 +2454,8 @@ ebtablesCreateRuleInstance(virFirewallPtr fw, ret = 0; cleanup: + virBufferFreeAndReset(&buf); + return ret; } diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.args b/tests/nwfilterxml2firewalldata/ipv6-linux.args index a42566ca702e6d7ce9244fbef088fb47937b9833..735f663716e152e7d3b18353155448a56487d77d 100644 --- a/tests/nwfilterxml2firewalldata/ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/ipv6-linux.args @@ -18,3 +18,19 @@ ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ --ip6-source a:b:c::/65 --ip6-protocol 18 -j ACCEPT ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ --ip6-destination a:b:c::/65 --ip6-protocol 18 -j ACCEPT +ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ +--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:11/10:11 -j ACCEPT +ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ +--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:11/10:11 -j ACCEPT +ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ +--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/10:10 -j ACCEPT +ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ +--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/10:10 -j ACCEPT +ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ +--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 0:255/10:10 -j ACCEPT +ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ +--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 0:255/10:10 -j ACCEPT +ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ +--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/0:255 -j ACCEPT +ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ +--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/0:255 -j ACCEPT diff --git a/tests/nwfilterxml2firewalldata/ipv6.xml b/tests/nwfilterxml2firewalldata/ipv6.xml index 9f67bea737d82f70192fd4ce6ca6ce79dc2c591f..2400958030de1f989ca495e4b9bc7a282594b1db 100644 --- a/tests/nwfilterxml2firewalldata/ipv6.xml +++ b/tests/nwfilterxml2firewalldata/ipv6.xml @@ -40,4 +40,42 @@ /> + + + + + + + + + + + + + + + + diff --git a/tests/nwfilterxml2xmlin/ipv6-test.xml b/tests/nwfilterxml2xmlin/ipv6-test.xml index 556796fa0110333d41bcdc3ceda057ab5246e262..2daa3b96ddb270d4fb33c748d3e5d672f0b359f8 100644 --- a/tests/nwfilterxml2xmlin/ipv6-test.xml +++ b/tests/nwfilterxml2xmlin/ipv6-test.xml @@ -40,4 +40,42 @@ /> + + + + + + + + + + + + + + + + diff --git a/tests/nwfilterxml2xmlout/ipv6-test.xml b/tests/nwfilterxml2xmlout/ipv6-test.xml index fcc5c0da2684e817010615a963976c2d10d42a0e..ce9dd062338cae6d121db065b2a0beb588f79cf8 100644 --- a/tests/nwfilterxml2xmlout/ipv6-test.xml +++ b/tests/nwfilterxml2xmlout/ipv6-test.xml @@ -12,4 +12,16 @@ + + + + + + + + + + + +