diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c index 0bc5a5495d073e17e27a7fa077bbc5c1e4039428..3f2bf1f5ed7457e89bb9acc4ab576478225f2dfb 100644 --- a/src/conf/network_conf.c +++ b/src/conf/network_conf.c @@ -438,10 +438,6 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt) goto error; } - def->network = def->ipAddress; - def->network.data.inet4.sin_addr.s_addr &= - def->netmask.data.inet4.sin_addr.s_addr; - if ((ip = virXPathNode("./ip[1]", ctxt)) && virNetworkIPParseXML(def, ip) < 0) goto error; diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h index 5a01bbf6acfbfd84c376a90c1006b4c353f8d462..7d316933327508505ed51fd4949e57da57b02723 100644 --- a/src/conf/network_conf.h +++ b/src/conf/network_conf.h @@ -72,7 +72,6 @@ struct _virNetworkDef { virSocketAddr ipAddress; /* Bridge IP address */ virSocketAddr netmask; - virSocketAddr network; unsigned int nranges; /* Zero or more dhcp ranges */ virNetworkDHCPRangeDefPtr ranges; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 5ee47eb0a77992555b9d53ea156bd3cc901a8483..87217473ed07081c8c1f444f3b55550661fb5afb 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -671,7 +671,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, int err; /* allow forwarding packets from the bridge interface */ if ((err = iptablesAddForwardAllowOut(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->bridge, network->def->forwardDev))) { virReportSystemError(err, @@ -682,9 +683,10 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, /* allow forwarding packets to the bridge interface if they are part of an existing connection */ if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables, - &network->def->network, - network->def->bridge, - network->def->forwardDev))) { + &network->def->ipAddress, + &network->def->netmask, + network->def->bridge, + network->def->forwardDev))) { virReportSystemError(err, _("failed to add iptables rule to allow forwarding to '%s'"), network->def->bridge); @@ -716,7 +718,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, /* First the generic masquerade rule for other protocols */ if ((err = iptablesAddForwardMasquerade(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->forwardDev, NULL))) { virReportSystemError(err, @@ -727,7 +730,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, /* UDP with a source port restriction */ if ((err = iptablesAddForwardMasquerade(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->forwardDev, "udp"))) { virReportSystemError(err, @@ -738,7 +742,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, /* TCP with a source port restriction */ if ((err = iptablesAddForwardMasquerade(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->forwardDev, "tcp"))) { virReportSystemError(err, @@ -751,22 +756,26 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver, masqerr5: iptablesRemoveForwardMasquerade(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->forwardDev, "udp"); masqerr4: iptablesRemoveForwardMasquerade(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->forwardDev, NULL); masqerr3: iptablesRemoveForwardAllowRelatedIn(driver->iptables, - &network->def->network, - network->def->bridge, - network->def->forwardDev); + &network->def->ipAddress, + &network->def->netmask, + network->def->bridge, + network->def->forwardDev); masqerr2: iptablesRemoveForwardAllowOut(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->bridge, network->def->forwardDev); masqerr1: @@ -779,7 +788,8 @@ networkAddRoutingIptablesRules(struct network_driver *driver, int err; /* allow routing packets from the bridge interface */ if ((err = iptablesAddForwardAllowOut(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->bridge, network->def->forwardDev))) { virReportSystemError(err, @@ -790,7 +800,8 @@ networkAddRoutingIptablesRules(struct network_driver *driver, /* allow routing packets to the bridge interface */ if ((err = iptablesAddForwardAllowIn(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->bridge, network->def->forwardDev))) { virReportSystemError(err, @@ -804,7 +815,8 @@ networkAddRoutingIptablesRules(struct network_driver *driver, routeerr2: iptablesRemoveForwardAllowOut(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->bridge, network->def->forwardDev); routeerr1: @@ -943,29 +955,35 @@ networkRemoveIptablesRules(struct network_driver *driver, if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) { if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) { iptablesRemoveForwardMasquerade(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->forwardDev, "tcp"); iptablesRemoveForwardMasquerade(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->forwardDev, "udp"); iptablesRemoveForwardMasquerade(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->forwardDev, NULL); iptablesRemoveForwardAllowRelatedIn(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->bridge, network->def->forwardDev); } else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE) iptablesRemoveForwardAllowIn(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->bridge, network->def->forwardDev); iptablesRemoveForwardAllowOut(driver->iptables, - &network->def->network, + &network->def->ipAddress, + &network->def->netmask, network->def->bridge, network->def->forwardDev); } diff --git a/src/util/iptables.c b/src/util/iptables.c index 64efd45cdca862a73f66de5ddedf648e6bd9c86a..fc656b9128c47ce91366f03441d0fbdba948cd79 100644 --- a/src/util/iptables.c +++ b/src/util/iptables.c @@ -44,8 +44,9 @@ #include "virterror_internal.h" #include "logging.h" +#define VIR_FROM_THIS VIR_FROM_NONE #define iptablesError(code, ...) \ - virReportErrorHelper(NULL, VIR_FROM_NONE, code, __FILE__, \ + virReportErrorHelper(NULL, VIR_FROM_THIS, code, __FILE__, \ __FUNCTION__, __LINE__, __VA_ARGS__) enum { @@ -323,26 +324,55 @@ iptablesRemoveUdpInput(iptablesContext *ctx, } +static char *iptablesFormatNetwork(virSocketAddr *netaddr, + virSocketAddr *netmask) +{ + virSocketAddr network; + int prefix; + char *netstr; + char *ret; + + if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET) || + !VIR_SOCKET_IS_FAMILY(netmask, AF_INET)) { + iptablesError(VIR_ERR_CONFIG_UNSUPPORTED, + _("Only IPv4 addresses can be used with iptables")); + return NULL; + } + + network = *netaddr; + network.data.inet4.sin_addr.s_addr &= + netmask->data.inet4.sin_addr.s_addr; + + prefix = virSocketGetNumNetmaskBits(netmask); + + netstr = virSocketFormatAddr(&network); + + if (!netstr) + return NULL; + + if (virAsprintf(&ret, "%s/%d", netstr, prefix) < 0) + virReportOOMError(); + + VIR_FREE(netstr); + return ret; +} + + /* Allow all traffic coming from the bridge, with a valid network address * to proceed to WAN */ static int iptablesForwardAllowOut(iptablesContext *ctx, - virSocketAddr *network, - const char *iface, - const char *physdev, - int action) + virSocketAddr *netaddr, + virSocketAddr *netmask, + const char *iface, + const char *physdev, + int action) { int ret; char *networkstr; - if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) { - iptablesError(VIR_ERR_CONFIG_UNSUPPORTED, - _("Only IPv4 addresses can be used with iptables")); - return -1; - } - - if (!(networkstr = virSocketFormatAddr(network))) + if (!(networkstr = iptablesFormatNetwork(netaddr, netmask))) return -1; if (physdev && physdev[0]) { @@ -380,11 +410,12 @@ iptablesForwardAllowOut(iptablesContext *ctx, */ int iptablesAddForwardAllowOut(iptablesContext *ctx, - virSocketAddr *network, - const char *iface, - const char *physdev) + virSocketAddr *netaddr, + virSocketAddr *netmask, + const char *iface, + const char *physdev) { - return iptablesForwardAllowOut(ctx, network, iface, physdev, ADD); + return iptablesForwardAllowOut(ctx, netaddr, netmask, iface, physdev, ADD); } /** @@ -402,11 +433,12 @@ iptablesAddForwardAllowOut(iptablesContext *ctx, */ int iptablesRemoveForwardAllowOut(iptablesContext *ctx, - virSocketAddr *network, - const char *iface, - const char *physdev) + virSocketAddr *netaddr, + virSocketAddr *netmask, + const char *iface, + const char *physdev) { - return iptablesForwardAllowOut(ctx, network, iface, physdev, REMOVE); + return iptablesForwardAllowOut(ctx, netaddr, netmask, iface, physdev, REMOVE); } @@ -415,21 +447,16 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx, */ static int iptablesForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *network, - const char *iface, - const char *physdev, - int action) + virSocketAddr *netaddr, + virSocketAddr *netmask, + const char *iface, + const char *physdev, + int action) { int ret; char *networkstr; - if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) { - iptablesError(VIR_ERR_CONFIG_UNSUPPORTED, - _("Only IPv4 addresses can be used with iptables")); - return -1; - } - - if (!(networkstr = virSocketFormatAddr(network))) + if (!(networkstr = iptablesFormatNetwork(netaddr, netmask))) return -1; if (physdev && physdev[0]) { @@ -471,11 +498,12 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, */ int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *network, - const char *iface, - const char *physdev) + virSocketAddr *netaddr, + virSocketAddr *netmask, + const char *iface, + const char *physdev) { - return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, ADD); + return iptablesForwardAllowRelatedIn(ctx, netaddr, netmask, iface, physdev, ADD); } /** @@ -493,18 +521,20 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, */ int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *network, - const char *iface, - const char *physdev) + virSocketAddr *netaddr, + virSocketAddr *netmask, + const char *iface, + const char *physdev) { - return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, REMOVE); + return iptablesForwardAllowRelatedIn(ctx, netaddr, netmask, iface, physdev, REMOVE); } /* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *iface, const char *physdev, int action) @@ -512,13 +542,7 @@ iptablesForwardAllowIn(iptablesContext *ctx, int ret; char *networkstr; - if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) { - iptablesError(VIR_ERR_CONFIG_UNSUPPORTED, - _("Only IPv4 addresses can be used with iptables")); - return -1; - } - - if (!(networkstr = virSocketFormatAddr(network))) + if (!(networkstr = iptablesFormatNetwork(netaddr, netmask))) return -1; if (physdev && physdev[0]) { @@ -556,11 +580,12 @@ iptablesForwardAllowIn(iptablesContext *ctx, */ int iptablesAddForwardAllowIn(iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(ctx, network, iface, physdev, ADD); + return iptablesForwardAllowIn(ctx, netaddr, netmask, iface, physdev, ADD); } /** @@ -578,11 +603,12 @@ iptablesAddForwardAllowIn(iptablesContext *ctx, */ int iptablesRemoveForwardAllowIn(iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(ctx, network, iface, physdev, REMOVE); + return iptablesForwardAllowIn(ctx, netaddr, netmask, iface, physdev, REMOVE); } @@ -744,7 +770,8 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx, */ static int iptablesForwardMasquerade(iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *physdev, const char *protocol, int action) @@ -752,13 +779,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, int ret; char *networkstr; - if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) { - iptablesError(VIR_ERR_CONFIG_UNSUPPORTED, - _("Only IPv4 addresses can be used with iptables")); - return -1; - } - - if (!(networkstr = virSocketFormatAddr(network))) + if (!(networkstr = iptablesFormatNetwork(netaddr, netmask))) return -1; if (protocol && protocol[0]) { @@ -819,11 +840,12 @@ iptablesForwardMasquerade(iptablesContext *ctx, */ int iptablesAddForwardMasquerade(iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *physdev, const char *protocol) { - return iptablesForwardMasquerade(ctx, network, physdev, protocol, ADD); + return iptablesForwardMasquerade(ctx, netaddr, netmask, physdev, protocol, ADD); } /** @@ -841,11 +863,12 @@ iptablesAddForwardMasquerade(iptablesContext *ctx, */ int iptablesRemoveForwardMasquerade(iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *physdev, const char *protocol) { - return iptablesForwardMasquerade(ctx, network, physdev, protocol, REMOVE); + return iptablesForwardMasquerade(ctx, netaddr, netmask, physdev, protocol, REMOVE); } diff --git a/src/util/iptables.h b/src/util/iptables.h index fd49685d6840843755fe68b4b090a7f6dcdade17..ed843ec5d9c213a41523fa3887adb107ce78143d 100644 --- a/src/util/iptables.h +++ b/src/util/iptables.h @@ -44,29 +44,35 @@ int iptablesRemoveUdpInput (iptablesContext *ctx, int port); int iptablesAddForwardAllowOut (iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *iface, const char *physdev); int iptablesRemoveForwardAllowOut (iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *iface, const char *physdev); int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *iface, const char *physdev); int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *iface, const char *physdev); int iptablesAddForwardAllowIn (iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *iface, const char *physdev); int iptablesRemoveForwardAllowIn (iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *iface, const char *physdev); @@ -86,11 +92,13 @@ int iptablesRemoveForwardRejectIn (iptablesContext *ctx, const char *iface); int iptablesAddForwardMasquerade (iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *physdev, const char *protocol); int iptablesRemoveForwardMasquerade (iptablesContext *ctx, - virSocketAddr *network, + virSocketAddr *netaddr, + virSocketAddr *netmask, const char *physdev, const char *protocol); int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx,