- 08 1月, 2014 1 次提交
-
-
由 Lénaïc Huard 提交于
When the host is configured with very restrictive firewall (default policy is DROP for all chains, including OUTPUT), the bridge driver for Linux adds netfilter entries to allow DHCP and DNS requests to go from the VM to the dnsmasq of the host. The issue that this commit fixes is the fact that a DROP policy on the OUTPUT chain blocks the DHCP replies from the host’s dnsmasq to the VM. As DHCP replies are sent in UDP, they are not caught by any --ctstate ESTABLISHED rule and so, need to be explicitly allowed. Signed-off-by: NLénaïc Huard <lenaic@lhuard.fr.eu.org>
-
- 25 9月, 2013 1 次提交
-
-
由 Laszlo Ersek 提交于
The functions - iptablesAddForwardDontMasquerade(), - iptablesRemoveForwardDontMasquerade handle exceptions in the masquerading implemented in the POSTROUTING chain of the "nat" table. Such exceptions should be added as chronologically latest, logically top-most rules. The bridge driver will call these functions beginning with the next patch: some special destination IP addresses always refer to the local subnetwork, even though they don't match any practical subnetwork's netmask. Packets from virbrN targeting such IP addresses are never routed outwards, but the current rules treat them as non-virbrN-destined packets and masquerade them. This causes problems for some receivers on virbrN. Signed-off-by: NLaszlo Ersek <lersek@redhat.com>
-
- 02 7月, 2013 1 次提交
-
-
由 Roman Bogorodskiy 提交于
iptablesContext holds only 4 pairs of iptables (table, chain) and there's no need to pass it around. This is a first step towards separating bridge_driver.c in platform-specific parts.
-
- 20 2月, 2013 3 次提交
-
-
由 Natanael Copa 提交于
We pass over the address/port start/end values many times so we put them in structs. Signed-off-by: NNatanael Copa <ncopa@alpinelinux.org> Signed-off-by: NLaine Stump <laine@laine.org>
-
由 Natanael Copa 提交于
Let users set the port range to be used for forward mode NAT: ... <forward mode='nat'> <nat> <port start='1024' end='65535'/> </nat> </forward> ... Signed-off-by: NNatanael Copa <ncopa@alpinelinux.org> Signed-off-by: NLaine Stump <laine@laine.org>
-
由 Natanael Copa 提交于
Support setting which public ip to use for NAT via attribute address in subelement <nat> in <forward>: ... <forward mode='nat'> <address start='1.2.3.4' end='1.2.3.10'/> </forward> ... This will construct an iptables line using: '-j SNAT --to-source <start>-<end>' instead of: '-j MASQUERADE' Signed-off-by: NNatanael Copa <ncopa@alpinelinux.org> Signed-off-by: NLaine Stump <laine@laine.org>
-
- 21 12月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 21 9月, 2012 1 次提交
-
-
由 Eric Blake 提交于
https://www.gnu.org/licenses/gpl-howto.html recommends that the 'If not, see <url>.' phrase be a separate sentence. * tests/securityselinuxhelper.c: Remove doubled line. * tests/securityselinuxtest.c: Likewise. * globally: s/; If/. If/
-
- 23 7月, 2012 1 次提交
-
-
由 Osier Yang 提交于
Per the FSF address could be changed from time to time, and GNU recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html) You should have received a copy of the GNU General Public License along with Foobar. If not, see <http://www.gnu.org/licenses/>. This patch removes the explicit FSF address, and uses above instead (of course, with inserting 'Lesser' before 'General'). Except a bunch of files for security driver, all others are changed automatically, the copyright for securify files are not complete, that's why to do it manually: src/security/security_selinux.h src/security/security_driver.h src/security/security_selinux.c src/security/security_apparmor.h src/security/security_apparmor.c src/security/security_driver.c
-
- 15 11月, 2011 1 次提交
-
-
由 Daniel P. Berrange 提交于
The src/util/network.c file is a dumping ground for many different APIs. Split it up into 5 pieces, along functional lines - src/util/virnetdevbandwidth.c: virNetDevBandwidth type & helper APIs - src/util/virnetdevvportprofile.c: virNetDevVPortProfile type & helper APIs - src/util/virsocketaddr.c: virSocketAddr and APIs - src/conf/netdev_bandwidth_conf.c: XML parsing / formatting for virNetDevBandwidth - src/conf/netdev_vport_profile_conf.c: XML parsing / formatting for virNetDevVPortProfile * src/util/network.c, src/util/network.h: Split into 5 pieces * src/conf/netdev_bandwidth_conf.c, src/conf/netdev_bandwidth_conf.h, src/conf/netdev_vport_profile_conf.c, src/conf/netdev_vport_profile_conf.h, src/util/virnetdevbandwidth.c, src/util/virnetdevbandwidth.h, src/util/virnetdevvportprofile.c, src/util/virnetdevvportprofile.h, src/util/virsocketaddr.c, src/util/virsocketaddr.h: New pieces * daemon/libvirtd.h, daemon/remote.c, src/conf/domain_conf.c, src/conf/domain_conf.h, src/conf/network_conf.c, src/conf/network_conf.h, src/conf/nwfilter_conf.h, src/esx/esx_util.h, src/network/bridge_driver.c, src/qemu/qemu_conf.c, src/rpc/virnetsocket.c, src/rpc/virnetsocket.h, src/util/dnsmasq.h, src/util/interface.h, src/util/iptables.h, src/util/macvtap.c, src/util/macvtap.h, src/util/virnetdev.h, src/util/virnetdevtap.c, tools/virsh.c: Update include files
-
- 24 12月, 2010 2 次提交
-
-
由 Laine Stump 提交于
All of the iptables functions eventually call down to a single bottom-level function, and fortunately, ip6tables syntax (for all the args that we use) is identical to iptables format (except the addresses), so all we need to do is: 1) Get an address family down to the lowest level function in each case, either implied through an address, or explicitly when no address is in the parameter list, and 2) At the lowest level, just decide whether to call "iptables" or "ip6tables" based on the family. The location of the ip6tables binary is determined at build time by autoconf. If a particular target system happens to not have ip6tables installed, any attempts to run it will generate an error, but that won't happen unless someone tries to define an IPv6 address for a network. This is identical behavior to IPv4 addresses and iptables.
-
由 Laine Stump 提交于
IPv6 will use prefix exclusively, and IPv4 will also optionally be able to use it, and the iptables functions really need a prefix anyway, so use the new virNetworkDefPrefix() function to send prefixes into iptables functions instead of netmasks. Also, in a couple places where a netmask is actually needed, use the new private API function for it rather than getting it directly. This will allow for cases where no netmask or prefix is specified (it returns the default for the current class of network.)
-
- 26 10月, 2010 1 次提交
-
-
由 Daniel P. Berrange 提交于
The network address was being set to 192.168.122.0 instead of 192.168.122.0/24. Fix this by removing the unneccessary 'network' field from virNetworkDef and just pass the network address and netmask into the iptables APIs directly. * src/conf/network_conf.h, src/conf/network_conf.c: Remove the 'network' field from virNEtworkDef. * src/network/bridge_driver.c: Update for iptables API changes * src/util/iptables.c, src/util/iptables.h: Require the network address + netmask pair to be passed in
-
- 22 10月, 2010 1 次提交
-
-
由 Daniel P. Berrange 提交于
Instead of storing the IP address string in virNetwork related structs, store the parsed virSocketAddr. This will make it easier to add IPv6 support in the future, by letting driver code directly check what address family is present * src/conf/network_conf.c, src/conf/network_conf.h, src/network/bridge_driver.c: Convert to use virSocketAddr in virNetwork, instead of char *. * src/util/bridge.c, src/util/bridge.h, src/util/dnsmasq.c, src/util/dnsmasq.h, src/util/iptables.c, src/util/iptables.h: Convert to take a virSocketAddr instead of char * for any IP address parameters * src/util/network.h: Add macros to determine if an address is set, and what address family is set.
-
- 02 8月, 2010 1 次提交
-
-
由 Laine Stump 提交于
This patch attempts to take advantage of a newly added netfilter module to correct for a problem with some guest DHCP client implementations when used in conjunction with a DHCP server run on the host systems with packet checksum offloading enabled. The problem is that, when the guest uses a RAW socket to read the DHCP response packets, the checksum hasn't yet been fixed by the IP stack, so it is incorrect. The fix implemented here is to add a rule to the POSTROUTING chain of the mangle table in iptables that fixes up the checksum for packets on the virtual network's bridge that are destined for the bootpc port (ie "dhcpc", ie port 68) port on the guest. Only very new versions of iptables will have this support (it will be in the next upstream release), so a failure to add this rule only results in a warning message. The iptables patch is here: http://patchwork.ozlabs.org/patch/58525/ A corresponding kernel module patch is also required (the backend of the iptables patch) and that will be in the next release of the kernel.
-
- 19 7月, 2010 1 次提交
-
-
由 Daniel P. Berrange 提交于
IPtables will seek to preserve the source port unchanged when doing masquerading, if possible. NFS has a pseudo-security option where it checks for the source port <= 1023 before allowing a mount request. If an admin has used this to make the host OS trusted for mounts, the default iptables behaviour will potentially allow NAT'd guests access too. This needs to be stopped. With this change, the iptables -t nat -L -n -v rules for the default network will be Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes) pkts bytes target prot opt in out source destination 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24 * src/network/bridge_driver.c: Add masquerade rules for TCP and UDP protocols * src/util/iptables.c, src/util/iptables.c: Add source port mappings for TCP & UDP protocols when masquerading.
-
- 10 3月, 2010 1 次提交
-
-
由 Eric Blake 提交于
* global: patch created by running: for f in $(git ls-files '*.[ch]') ; do cppi $f > $f.t && mv $f.t $f done
-
- 10 12月, 2009 2 次提交
-
-
由 Mark McLoughlin 提交于
We don't use this method of reloading rules anymore, so we can just kill the code. This simplifies things a lot because we no longer need to keep a table of the rules we've added. * src/util/iptables.c: kill iptablesReloadRules()
-
由 Mark McLoughlin 提交于
Long ago we tried to use Fedora's lokkit utility in order to register our iptables rules so that 'service iptables restart' would automatically load our rules. There was one fatal flaw - if the user had configured iptables without lokkit, then we would clobber that configuration by running lokkit. We quickly disabled lokkit support, but never removed it. Let's do that now. The 'my virtual network stops working when I restart iptables' still remains. For all the background on this saga, see: https://bugzilla.redhat.com/227011 * src/util/iptables.c: remove lokkit support * configure.in: remove --enable-lokkit * libvirt.spec.in: remove the dirs used only for saving rules for lokkit * src/Makefile.am: ditto * src/libvirt_private.syms, src/network/bridge_driver.c, src/util/iptables.h: remove references to iptablesSaveRules
-
- 21 9月, 2009 1 次提交
-
-
由 Daniel P. Berrange 提交于
* src/bridge.c, src/bridge.h, src/buf.c, src/buf.h, src/cgroup.c, src/cgroup.h, src/conf.c, src/conf.h, src/event.c, src/event.h, src/hash.c, src/hash.h, src/hostusb.c, src/hostusb.h, src/iptables.c, src/iptables.h, src/logging.c, src/logging.h, src/memory.c, src/memory.h, src/pci.c, src/pci.h, src/qparams.c, src/qparams.h, src/stats_linux.c, src/stats_linux.h, src/threads-pthread.c, src/threads-pthread.h, src/threads-win32.c, src/threads-win32.h, src/threads.c, src/threads.h, src/util.c, src/util.h, src/uuid.c, src/uuid.h, src/virterror.c, src/virterror_internal.h, src/xml.c, src/xml.h: Move all files into src/util/ * daemon/Makefile.am: Add -Isrc/util/ to build flags * src/Makefile.am: Add -Isrc/util/ to build flags and update for moved files * src/libvirt_private.syms: Export cgroup APIs since they're now in util rather than linking directly to drivers * src/xen/xs_internal.c: Disable bogus virEventRemoveHandle call when built under PROXY * proxy/Makefile.am: Update for changed file locations. Remove bogus build of event.c * tools/Makefile.am, tests/Makefile.am: Add -Isrc/util/ to build flags
-
- 08 11月, 2008 1 次提交
-
-
由 Jim Meyering 提交于
Avoid a build error when configuring --without-xen --without-qemu. * src/iptables.c [WITH_QEMU]: Don't #ifdef-out. * src/iptables.h [WITH_QEMU]: Don't #ifdef-out. * src/util.c (virRun) [__MINGW32__]: Define a stub that always fails.
-
- 11 4月, 2008 1 次提交
-
-
由 Jim Meyering 提交于
Done with these commands: git grep -l Local.variab|xargs \ perl -0x3b -pi -e 's,\n+/\*\n \* vim:(.|\n)*,\n,' git grep -l Local.variab|xargs \ perl -0x3b -pi -e 's,\n+/\*\n \* Local variables:\n(.|\n)*,\n,'
-
- 29 3月, 2008 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 10 1月, 2008 1 次提交
-
-
由 Mark McLoughlin 提交于
and run lokkit each time a new rule is added.
-
- 07 12月, 2007 1 次提交
-
-
由 Richard W.M. Jones 提交于
* src/.cvsignore: Ignore *.loT files (generated under Windows). * proxy/libvirt_proxy.c: Bail out earlier --without-xen. * src/proxy_internal.c: Don't build proxy client side if configured --without-xen. * src/iptables.c, src/iptables.h: Disable this code if configured --without-qemu. * src/nodeinfo.c: If no 'uname' function, set model name to empty string (for Windows). * src/xen_unified.h, src/util.c, src/test.c: Include <winsock2.h> on Windows. * src/util.c: Disable virExec* and virFileLinkPointsTo on MinGW.
-
- 27 6月, 2007 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 11 4月, 2007 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 31 3月, 2007 2 次提交
-
-
由 Mark McLoughlin 提交于
* qemud/iptables.c: As suggested by danpb, make libvirt_qemud handle SIGHUP by re-loading the iptables rules.
-
由 Mark McLoughlin 提交于
* qemud/iptables.c: Remove the target interface parameter from iptablesPhysdevForward(). This rule is intended to allow frames to be forwarded across the bridge from the supplied bridge port. In this context, the --out parameter would match the outgoing bridge port, which will never be network->def->forwardDev.
-
- 14 3月, 2007 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 15 2月, 2007 1 次提交
-
-
由 Mark McLoughlin 提交于
* qemud/iptables.[ch]: add code for managing iptables rules. * qemud/Makefile.am: add iptables.[ch]. * qemud/qemud.c: add and remove iptables rules as appropriate. * qemud/conf.c: when starting a guess, add a rule allowing it to forward packets across the networks bridge. * qemud/internal.h: add iptables context ptr * configure.in: add --with-iptables-dir and --with-iptables-prefix to allow us to put our rules in a chain with the given prefix and save the rules in files in the given dir so as to integrate with the proposed "service iptables restart" solution in: https://bugzilla.redhat.com/227011
-