Fix formatting of network address in iptables helpers

The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in

Fix formatting of network address in iptables helpers
The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
eff1735e · Daniel P. Berrange · 1a29a14a · eff1735e · eff1735e · eff1735e
5 changed file
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -438,10 +438,6 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)
            goto error;
        }
-        def->network = def->ipAddress;
-        def->network.data.inet4.sin_addr.s_addr &=
-            def->netmask.data.inet4.sin_addr.s_addr;
        if ((ip = virXPathNode("./ip[1]", ctxt)) &&
            virNetworkIPParseXML(def, ip) < 0)
            goto error;

--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -72,7 +72,6 @@ struct _virNetworkDef {
    virSocketAddr ipAddress;    /* Bridge IP address */
    virSocketAddr netmask;
-    virSocketAddr network;
    unsigned int nranges;        /* Zero or more dhcp ranges */
    virNetworkDHCPRangeDefPtr ranges;

--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -671,7 +671,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
    int err;
    /* allow forwarding packets from the bridge interface */
    if ((err = iptablesAddForwardAllowOut(driver->iptables,
-                                          &network->def->network,
+                                          &network->def->ipAddress,
+                                          &network->def->netmask,
                                          network->def->bridge,
                                          network->def->forwardDev))) {
        virReportSystemError(err,
@@ -682,9 +683,10 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
    /* allow forwarding packets to the bridge interface if they are part of an existing connection */
    if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables,
-                                         &network->def->network,
+                                                &network->def->ipAddress,
-                                         network->def->bridge,
+                                                &network->def->netmask,
-                                         network->def->forwardDev))) {
+                                                network->def->bridge,
+                                                network->def->forwardDev))) {
        virReportSystemError(err,
                             _("failed to add iptables rule to allow forwarding to '%s'"),
                             network->def->bridge);
@@ -716,7 +718,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
    /* First the generic masquerade rule for other protocols */
    if ((err = iptablesAddForwardMasquerade(driver->iptables,
-                                            &network->def->network,
+                                            &network->def->ipAddress,
+                                            &network->def->netmask,
                                            network->def->forwardDev,
                                            NULL))) {
        virReportSystemError(err,
@@ -727,7 +730,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
    /* UDP with a source port restriction */
    if ((err = iptablesAddForwardMasquerade(driver->iptables,
-                                            &network->def->network,
+                                            &network->def->ipAddress,
+                                            &network->def->netmask,
                                            network->def->forwardDev,
                                            "udp"))) {
        virReportSystemError(err,
@@ -738,7 +742,8 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
    /* TCP with a source port restriction */
    if ((err = iptablesAddForwardMasquerade(driver->iptables,
-                                            &network->def->network,
+                                            &network->def->ipAddress,
+                                            &network->def->netmask,
                                            network->def->forwardDev,
                                            "tcp"))) {
        virReportSystemError(err,
@@ -751,22 +756,26 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
 masqerr5:
    iptablesRemoveForwardMasquerade(driver->iptables,
-                                    &network->def->network,
+                                    &network->def->ipAddress,
+                                    &network->def->netmask,
                                    network->def->forwardDev,
                                    "udp");
 masqerr4:
    iptablesRemoveForwardMasquerade(driver->iptables,
-                                    &network->def->network,
+                                    &network->def->ipAddress,
+                                    &network->def->netmask,
                                    network->def->forwardDev,
                                    NULL);
 masqerr3:
    iptablesRemoveForwardAllowRelatedIn(driver->iptables,
-                                 &network->def->network,
+                                        &network->def->ipAddress,
-                                 network->def->bridge,
+                                        &network->def->netmask,
-                                 network->def->forwardDev);
+                                        network->def->bridge,
+                                        network->def->forwardDev);
 masqerr2:
    iptablesRemoveForwardAllowOut(driver->iptables,
-                                  &network->def->network,
+                                  &network->def->ipAddress,
+                                  &network->def->netmask,
                                  network->def->bridge,
                                  network->def->forwardDev);
 masqerr1:
@@ -779,7 +788,8 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
    int err;
    /* allow routing packets from the bridge interface */
    if ((err = iptablesAddForwardAllowOut(driver->iptables,
-                                          &network->def->network,
+                                          &network->def->ipAddress,
+                                          &network->def->netmask,
                                          network->def->bridge,
                                          network->def->forwardDev))) {
        virReportSystemError(err,
@@ -790,7 +800,8 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
    /* allow routing packets to the bridge interface */
    if ((err = iptablesAddForwardAllowIn(driver->iptables,
-                                         &network->def->network,
+                                         &network->def->ipAddress,
+                                         &network->def->netmask,
                                         network->def->bridge,
                                         network->def->forwardDev))) {
        virReportSystemError(err,
@@ -804,7 +815,8 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
 routeerr2:
    iptablesRemoveForwardAllowOut(driver->iptables,
-                                  &network->def->network,
+                                  &network->def->ipAddress,
+                                  &network->def->netmask,
                                  network->def->bridge,
                                  network->def->forwardDev);
 routeerr1:
@@ -943,29 +955,35 @@ networkRemoveIptablesRules(struct network_driver *driver,
    if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
        if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) {
            iptablesRemoveForwardMasquerade(driver->iptables,
-                                            &network->def->network,
+                                            &network->def->ipAddress,
+                                            &network->def->netmask,
                                            network->def->forwardDev,
                                            "tcp");
            iptablesRemoveForwardMasquerade(driver->iptables,
-                                            &network->def->network,
+                                            &network->def->ipAddress,
+                                            &network->def->netmask,
                                            network->def->forwardDev,
                                            "udp");
            iptablesRemoveForwardMasquerade(driver->iptables,
-                                            &network->def->network,
+                                            &network->def->ipAddress,
+                                            &network->def->netmask,
                                            network->def->forwardDev,
                                            NULL);
            iptablesRemoveForwardAllowRelatedIn(driver->iptables,
-                                                &network->def->network,
+                                                &network->def->ipAddress,
+                                                &network->def->netmask,
                                                network->def->bridge,
                                                network->def->forwardDev);
        } else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE)
            iptablesRemoveForwardAllowIn(driver->iptables,
-                                         &network->def->network,
+                                         &network->def->ipAddress,
+                                         &network->def->netmask,
                                         network->def->bridge,
                                         network->def->forwardDev);
        iptablesRemoveForwardAllowOut(driver->iptables,
-                                      &network->def->network,
+                                      &network->def->ipAddress,
+                                      &network->def->netmask,
                                      network->def->bridge,
                                      network->def->forwardDev);
    }

--- a/src/util/iptables.c
+++ b/src/util/iptables.c
@@ -44,8 +44,9 @@
 #include "virterror_internal.h"
 #include "logging.h"
+#define VIR_FROM_THIS VIR_FROM_NONE
 #define iptablesError(code, ...)                                        \
-    virReportErrorHelper(NULL, VIR_FROM_NONE, code, __FILE__,           \
+    virReportErrorHelper(NULL, VIR_FROM_THIS, code, __FILE__,           \
                         __FUNCTION__, __LINE__, __VA_ARGS__)
 enum {
@@ -323,26 +324,55 @@ iptablesRemoveUdpInput(iptablesContext *ctx,
 }
+static char *iptablesFormatNetwork(virSocketAddr *netaddr,
+                                   virSocketAddr *netmask)
+{
+    virSocketAddr network;
+    int prefix;
+    char *netstr;
+    char *ret;
+    if (!VIR_SOCKET_IS_FAMILY(netaddr, AF_INET) ||
+        !VIR_SOCKET_IS_FAMILY(netmask, AF_INET)) {
+        iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
+                      _("Only IPv4 addresses can be used with iptables"));
+        return NULL;
+    }
+    network = *netaddr;
+    network.data.inet4.sin_addr.s_addr &=
+        netmask->data.inet4.sin_addr.s_addr;
+    prefix = virSocketGetNumNetmaskBits(netmask);
+    netstr = virSocketFormatAddr(&network);
+    if (!netstr)
+        return NULL;
+    if (virAsprintf(&ret, "%s/%d", netstr, prefix) < 0)
+        virReportOOMError();
+    VIR_FREE(netstr);
+    return ret;
+}
 /* Allow all traffic coming from the bridge, with a valid network address
 * to proceed to WAN
 */
 static int
 iptablesForwardAllowOut(iptablesContext *ctx,
-                         virSocketAddr *network,
+                        virSocketAddr *netaddr,
-                         const char *iface,
+                        virSocketAddr *netmask,
-                         const char *physdev,
+                        const char *iface,
-                         int action)
+                        const char *physdev,
+                        int action)
 {
    int ret;
    char *networkstr;
-    if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
+    if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
-        iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
-                      _("Only IPv4 addresses can be used with iptables"));
-        return -1;
-    }
-    if (!(networkstr = virSocketFormatAddr(network)))
        return -1;
    if (physdev && physdev[0]) {
@@ -380,11 +410,12 @@ iptablesForwardAllowOut(iptablesContext *ctx,
 */
 int
 iptablesAddForwardAllowOut(iptablesContext *ctx,
-                            virSocketAddr *network,
+                           virSocketAddr *netaddr,
-                            const char *iface,
+                           virSocketAddr *netmask,
-                            const char *physdev)
+                           const char *iface,
+                           const char *physdev)
 {
-    return iptablesForwardAllowOut(ctx, network, iface, physdev, ADD);
+    return iptablesForwardAllowOut(ctx, netaddr, netmask, iface, physdev, ADD);
 }
 /**
@@ -402,11 +433,12 @@ iptablesAddForwardAllowOut(iptablesContext *ctx,
 */
 int
 iptablesRemoveForwardAllowOut(iptablesContext *ctx,
-                               virSocketAddr *network,
+                              virSocketAddr *netaddr,
-                               const char *iface,
+                              virSocketAddr *netmask,
-                               const char *physdev)
+                              const char *iface,
+                              const char *physdev)
 {
-    return iptablesForwardAllowOut(ctx, network, iface, physdev, REMOVE);
+    return iptablesForwardAllowOut(ctx, netaddr, netmask, iface, physdev, REMOVE);
 }
@@ -415,21 +447,16 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx,
 */
 static int
 iptablesForwardAllowRelatedIn(iptablesContext *ctx,
-                       virSocketAddr *network,
+                              virSocketAddr *netaddr,
-                       const char *iface,
+                              virSocketAddr *netmask,
-                       const char *physdev,
+                              const char *iface,
-                       int action)
+                              const char *physdev,
+                              int action)
 {
    int ret;
    char *networkstr;
-    if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
+    if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
-        iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
-                      _("Only IPv4 addresses can be used with iptables"));
-        return -1;
-    }
-    if (!(networkstr = virSocketFormatAddr(network)))
        return -1;
    if (physdev && physdev[0]) {
@@ -471,11 +498,12 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
 */
 int
 iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
-                          virSocketAddr *network,
+                                 virSocketAddr *netaddr,
-                          const char *iface,
+                                 virSocketAddr *netmask,
-                          const char *physdev)
+                                 const char *iface,
+                                 const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, ADD);
+    return iptablesForwardAllowRelatedIn(ctx, netaddr, netmask, iface, physdev, ADD);
 }
 /**
@@ -493,18 +521,20 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
 */
 int
 iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
-                             virSocketAddr *network,
+                                    virSocketAddr *netaddr,
-                             const char *iface,
+                                    virSocketAddr *netmask,
-                             const char *physdev)
+                                    const char *iface,
+                                    const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, REMOVE);
+    return iptablesForwardAllowRelatedIn(ctx, netaddr, netmask, iface, physdev, REMOVE);
 }
 /* Allow all traffic destined to the bridge, with a valid network address
 */
 static int
 iptablesForwardAllowIn(iptablesContext *ctx,
-                       virSocketAddr *network,
+                       virSocketAddr *netaddr,
+                       virSocketAddr *netmask,
                       const char *iface,
                       const char *physdev,
                       int action)
@@ -512,13 +542,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
    int ret;
    char *networkstr;
-    if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
+    if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
-        iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
-                      _("Only IPv4 addresses can be used with iptables"));
-        return -1;
-    }
-    if (!(networkstr = virSocketFormatAddr(network)))
        return -1;
    if (physdev && physdev[0]) {
@@ -556,11 +580,12 @@ iptablesForwardAllowIn(iptablesContext *ctx,
 */
 int
 iptablesAddForwardAllowIn(iptablesContext *ctx,
-                          virSocketAddr *network,
+                          virSocketAddr *netaddr,
+                          virSocketAddr *netmask,
                          const char *iface,
                          const char *physdev)
 {
-    return iptablesForwardAllowIn(ctx, network, iface, physdev, ADD);
+    return iptablesForwardAllowIn(ctx, netaddr, netmask, iface, physdev, ADD);
 }
 /**
@@ -578,11 +603,12 @@ iptablesAddForwardAllowIn(iptablesContext *ctx,
 */
 int
 iptablesRemoveForwardAllowIn(iptablesContext *ctx,
-                             virSocketAddr *network,
+                             virSocketAddr *netaddr,
+                             virSocketAddr *netmask,
                             const char *iface,
                             const char *physdev)
 {
-    return iptablesForwardAllowIn(ctx, network, iface, physdev, REMOVE);
+    return iptablesForwardAllowIn(ctx, netaddr, netmask, iface, physdev, REMOVE);
 }
@@ -744,7 +770,8 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx,
 */
 static int
 iptablesForwardMasquerade(iptablesContext *ctx,
-                          virSocketAddr *network,
+                          virSocketAddr *netaddr,
+                          virSocketAddr *netmask,
                          const char *physdev,
                          const char *protocol,
                          int action)
@@ -752,13 +779,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
    int ret;
    char *networkstr;
-    if (!VIR_SOCKET_IS_FAMILY(network, AF_INET)) {
+    if (!(networkstr = iptablesFormatNetwork(netaddr, netmask)))
-        iptablesError(VIR_ERR_CONFIG_UNSUPPORTED,
-                      _("Only IPv4 addresses can be used with iptables"));
-        return -1;
-    }
-    if (!(networkstr = virSocketFormatAddr(network)))
        return -1;
    if (protocol && protocol[0]) {
@@ -819,11 +840,12 @@ iptablesForwardMasquerade(iptablesContext *ctx,
 */
 int
 iptablesAddForwardMasquerade(iptablesContext *ctx,
-                             virSocketAddr *network,
+                             virSocketAddr *netaddr,
+                             virSocketAddr *netmask,
                             const char *physdev,
                             const char *protocol)
 {
-    return iptablesForwardMasquerade(ctx, network, physdev, protocol, ADD);
+    return iptablesForwardMasquerade(ctx, netaddr, netmask, physdev, protocol, ADD);
 }
 /**
@@ -841,11 +863,12 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
 */
 int
 iptablesRemoveForwardMasquerade(iptablesContext *ctx,
-                                virSocketAddr *network,
+                                virSocketAddr *netaddr,
+                                virSocketAddr *netmask,
                                const char *physdev,
                                const char *protocol)
 {
-    return iptablesForwardMasquerade(ctx, network, physdev, protocol, REMOVE);
+    return iptablesForwardMasquerade(ctx, netaddr, netmask, physdev, protocol, REMOVE);
 }

--- a/src/util/iptables.h
+++ b/src/util/iptables.h
@@ -44,29 +44,35 @@ int              iptablesRemoveUdpInput          (iptablesContext *ctx,
                                                  int port);
 int              iptablesAddForwardAllowOut      (iptablesContext *ctx,
-                                                  virSocketAddr *network,
+                                                  virSocketAddr *netaddr,
+                                                  virSocketAddr *netmask,
                                                  const char *iface,
                                                  const char *physdev);
 int              iptablesRemoveForwardAllowOut   (iptablesContext *ctx,
-                                                  virSocketAddr *network,
+                                                  virSocketAddr *netaddr,
+                                                  virSocketAddr *netmask,
                                                  const char *iface,
                                                  const char *physdev);
 int              iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
-                                                  virSocketAddr *network,
+                                                  virSocketAddr *netaddr,
+                                                  virSocketAddr *netmask,
                                                  const char *iface,
                                                  const char *physdev);
 int              iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
-                                                  virSocketAddr *network,
+                                                  virSocketAddr *netaddr,
+                                                  virSocketAddr *netmask,
                                                  const char *iface,
                                                  const char *physdev);
 int              iptablesAddForwardAllowIn       (iptablesContext *ctx,
-                                                  virSocketAddr *network,
+                                                  virSocketAddr *netaddr,
+                                                  virSocketAddr *netmask,
                                                  const char *iface,
                                                  const char *physdev);
 int              iptablesRemoveForwardAllowIn    (iptablesContext *ctx,
-                                                  virSocketAddr *network,
+                                                  virSocketAddr *netaddr,
+                                                  virSocketAddr *netmask,
                                                  const char *iface,
                                                  const char *physdev);
@@ -86,11 +92,13 @@ int              iptablesRemoveForwardRejectIn   (iptablesContext *ctx,
                                                  const char *iface);
 int              iptablesAddForwardMasquerade    (iptablesContext *ctx,
-                                                  virSocketAddr *network,
+                                                  virSocketAddr *netaddr,
+                                                  virSocketAddr *netmask,
                                                  const char *physdev,
                                                  const char *protocol);
 int              iptablesRemoveForwardMasquerade (iptablesContext *ctx,
-                                                  virSocketAddr *network,
+                                                  virSocketAddr *netaddr,
+                                                  virSocketAddr *netmask,
                                                  const char *physdev,
                                                  const char *protocol);
 int              iptablesAddOutputFixUdpChecksum (iptablesContext *ctx,