- 04 2月, 2020 1 次提交
-
-
由 Daniel P. Berrangé 提交于
Most code now uses the virProcess / virCommand APIs, so the need for sys/wait.h is quite limited. Removing this include removes the dependency on GNULIB providing a dummy sys/wait.h for Windows. Reviewed-by: NPavel Hrdina <phrdina@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 15 11月, 2019 1 次提交
-
-
由 Pavel Hrdina 提交于
Glib implementation follows the ISO C99 standard so it's safe to replace the gnulib implementation. Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NPeter Krempa <pkrempa@redhat.com>
-
- 12 11月, 2019 1 次提交
-
-
由 Michal Privoznik 提交于
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NDaniel Henrique Barboza <danielhb413@gmail.com>
-
- 19 10月, 2019 1 次提交
-
-
由 Malina Salina 提交于
While the default iptables setup used by Fedora/RHEL distros only restricts traffic on the INPUT and/or FORWARD rules, some users might have custom firewalls that restrict the OUTPUT rules too. These can prevent DHCP/DNS/TFTP responses from dnsmasq from reaching the guest VMs. We should thus whitelist these protocols in the OUTPUT chain, as well as the INPUT chain. Signed-off-by: NMalina Salina <malina.salina@protonmail.com> Initial patch then modified to add unit tests and IPv6 support Reviewed-by: NMichal Privoznik <mprivozn@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 16 10月, 2019 1 次提交
-
-
由 Ján Tomko 提交于
Since commit 44e7f029 util: rewrite auto cleanup macros to use glib's equivalent VIR_AUTOFREE is just an alias for g_autofree. Use the GLib macros directly instead of our custom aliases. Signed-off-by: NJán Tomko <jtomko@redhat.com> Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 15 10月, 2019 1 次提交
-
-
由 Ján Tomko 提交于
Prefer the GLib version of the macro. Signed-off-by: NJán Tomko <jtomko@redhat.com> Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 19 3月, 2019 1 次提交
-
-
由 Daniel P. Berrangé 提交于
During startup libvirtd creates top level chains for both ipv4 and ipv6 protocols. If this fails for any reason then startup of virtual networks is blocked. The default virtual network, however, only requires use of ipv4 and some servers have ipv6 disabled so it is expected that ipv6 chain creation will fail. There could equally be servers with no ipv4, only ipv6. This patch thus makes error reporting a little more fine grained so that it works more sensibly when either ipv4 or ipv6 is disabled on the server. Only the protocols that are actually used by the virtual network have errors reported. Reviewed-by: NAndrea Bolognani <abologna@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 29 1月, 2019 2 次提交
-
-
由 Daniel P. Berrangé 提交于
The previous commit created new chains to hold the firewall rules. This commit changes the code that creates rules to place them in the new private chains instead of the builtin top level chains. With two networks running, the rules in the filter table now look like -N LIBVIRT_FWI -N LIBVIRT_FWO -N LIBVIRT_FWX -N LIBVIRT_INP -N LIBVIRT_OUT -A INPUT -j LIBVIRT_INP -A FORWARD -j LIBVIRT_FWX -A FORWARD -j LIBVIRT_FWI -A FORWARD -j LIBVIRT_FWO -A OUTPUT -j LIBVIRT_OUT -A LIBVIRT_FWI -d 192.168.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWI -d 192.168.1.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWO -s 192.168.0.0/24 -i virbr0 -j ACCEPT -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWO -s 192.168.1.0/24 -i virbr1 -j ACCEPT -A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT -A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT -A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT While in the nat table: -N LIBVIRT_PRT -A POSTROUTING -j LIBVIRT_PRT -A LIBVIRT_PRT -s 192.168.0.0/24 -d 224.0.0.0/24 -j RETURN -A LIBVIRT_PRT -s 192.168.0.0/24 -d 255.255.255.255/32 -j RETURN -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE -A LIBVIRT_PRT -s 192.168.1.0/24 -d 224.0.0.0/24 -j RETURN -A LIBVIRT_PRT -s 192.168.1.0/24 -d 255.255.255.255/32 -j RETURN -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p udp -j MASQUERADE --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE And finally the mangle table: -N LIBVIRT_PRT -A POSTROUTING -j LIBVIRT_PRT -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill -A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
由 Daniel P. Berrangé 提交于
Historically firewall rules for virtual networks were added straight into the base chains. This works but has a number of bugs and design limitations: - It is inflexible for admins wanting to add extra rules ahead of libvirt's rules, via hook scripts. - It is not clear to the admin that the rules were created by libvirt - Each rule must be deleted by libvirt individually since they are all directly in the builtin chains - The ordering of rules in the forward chain is incorrect when multiple networks are created, allowing traffic to mistakenly flow between networks in one direction. To address all of these problems, libvirt needs to move to creating rules in its own private chains. In the top level builtin chains, libvirt will add links to its own private top level chains. Addressing the traffic ordering bug requires some extra steps. With everything going into the FORWARD chain there was interleaving of rules for outbound traffic and inbound traffic for each network: -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT -A FORWARD -i virbr1 -o virbr1 -j ACCEPT -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable The rule allowing outbound traffic from virbr1 would mistakenly allow packets from virbr1 to virbr0, before the rule denying input to virbr0 gets a chance to run. What we really need todo is group the forwarding rules into three distinct sets: * Cross rules - LIBVIRT_FWX -A FORWARD -i virbr1 -o virbr1 -j ACCEPT -A FORWARD -i virbr0 -o virbr0 -j ACCEPT * Incoming rules - LIBVIRT_FWI -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable * Outgoing rules - LIBVIRT_FWO -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable There is thus no risk of outgoing rules for one network mistakenly allowing incoming traffic for another network, as all incoming rules are evalated first. With this in mind, we'll thus need three distinct chains linked from the FORWARD chain, so we end up with: INPUT --> LIBVIRT_INP (filter) OUTPUT --> LIBVIRT_OUT (filter) FORWARD +-> LIBVIRT_FWX (filter) +-> LIBVIRT_FWO \-> LIBVIRT_FWI POSTROUTING --> LIBVIRT_PRT (nat & mangle) Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 14 12月, 2018 1 次提交
-
-
由 Daniel P. Berrangé 提交于
In many files there are header comments that contain an Author: statement, supposedly reflecting who originally wrote the code. In a large collaborative project like libvirt, any non-trivial file will have been modified by a large number of different contributors. IOW, the Author: comments are quickly out of date, omitting people who have made significant contribitions. In some places Author: lines have been added despite the person merely being responsible for creating the file by moving existing code out of another file. IOW, the Author: lines give an incorrect record of authorship. With this all in mind, the comments are useless as a means to identify who to talk to about code in a particular file. Contributors will always be better off using 'git log' and 'git blame' if they need to find the author of a particular bit of code. This commit thus deletes all Author: comments from the source and adds a rule to prevent them reappearing. The Copyright headers are similarly misleading and inaccurate, however, we cannot delete these as they have legal meaning, despite being largely inaccurate. In addition only the copyright holder is permitted to change their respective copyright statement. Reviewed-by: NErik Skultety <eskultet@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 07 12月, 2018 1 次提交
-
-
由 Daniel P. Berrangé 提交于
Most of the iptables APIs share code for the add/delete paths, but a couple were separated. Merge the remaining APIs to facilitate future changes. Reviewed-by: NLaine Stump <laine@laine.org> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 20 9月, 2018 2 次提交
-
-
由 Erik Skultety 提交于
All of the ones being removed are pulled in by internal.h. The only exception is sanlock which expects the application to include <stdint.h> before sanlock's headers, because sanlock prototypes use fixed width int, but they don't include stdint.h themselves, so we have to leave that one in place. Signed-off-by: NErik Skultety <eskultet@redhat.com> Acked-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Erik Skultety 提交于
It doesn't really make sense for us to have stdlib.h and string.h but not stdio.h in the internal.h header. Signed-off-by: NErik Skultety <eskultet@redhat.com> Acked-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 27 7月, 2018 1 次提交
-
-
由 Sukrit Bhatnagar 提交于
By making use of GNU C's cleanup attribute handled by the VIR_AUTOFREE macro for declaring scalar variables, majority of the VIR_FREE calls can be dropped, which in turn leads to getting rid of most of our cleanup sections. Signed-off-by: NSukrit Bhatnagar <skrtbhtngr@gmail.com> Reviewed-by: NErik Skultety <eskultet@redhat.com>
-
- 18 3月, 2016 1 次提交
-
-
由 Michal Privoznik 提交于
We include the file in plenty of places. This is mostly due to historical reasons. The only place that needs something from the header file is storage_backend_fs which opens _PATH_MOUNTED. But it gets the file included indirectly via mntent.h. At no other place in our code we need _PATH_.*. Drop the include and configure check then. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 14 11月, 2014 1 次提交
-
-
由 Daniel P. Berrange 提交于
A previous commit introduced use of locking with invocation of iptables in the viriptables.c module commit ba95426d Author: Serge Hallyn <serge.hallyn@ubuntu.com> Date: Fri Nov 1 12:36:59 2013 -0500 util: use -w flag when calling iptables This only ever had effect with the virtual network driver, as it was not wired up into the nwfilter driver. Unfortunately in the firewall refactoring the use of the -w flag was accidentally lost. This patch introduces it to the virfirewall.c module so that both the virtual network and nwfilter drivers will be using it. It also ensures that the equivalent --concurrent flag to ebtables is used.
-
- 25 4月, 2014 1 次提交
-
-
由 Daniel P. Berrange 提交于
Update the iptablesXXXX methods so that instead of directly executing iptables commands, they populate rules in an instance of virFirewallPtr. The bridge driver can thus construct the ruleset and then invoke it in one operation having rollback handled automatically. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 25 3月, 2014 1 次提交
-
-
由 Ján Tomko 提交于
-
- 18 3月, 2014 1 次提交
-
-
由 Daniel P. Berrange 提交于
Any source file which calls the logging APIs now needs to have a VIR_LOG_INIT("source.name") declaration at the start of the file. This provides a static variable of the virLogSource type. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 12 3月, 2014 1 次提交
-
-
由 Eric Blake 提交于
Commit b9dd878f caused a regression in iptables interaction by logging non-zero status at a higher level than VIR_INFO. Revert that portion of the commit, as well as adding a comment explaining why we check the status ourselves. Reported by Nehal J Wani. * src/util/viriptables.c (virIpTablesOnceInit): Undo log regression. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 04 3月, 2014 1 次提交
-
-
由 Eric Blake 提交于
Auditing all callers of virCommandRun and virCommandWait that passed a non-NULL pointer for exit status turned up some interesting observations. Many callers were merely passing a pointer to avoid the overall command dying, but without caring what the exit status was - but these callers would be better off treating a child death by signal as an abnormal exit. Other callers were actually acting on the status, but not all of them remembered to filter by WIFEXITED and convert with WEXITSTATUS; depending on the platform, this can result in a status being reported as 256 times too big. And among those that correctly parse the output, it gets rather verbose. Finally, there were the callers that explicitly checked that the status was 0, and gave their own message, but with fewer details than what virCommand gives for free. So the best idea is to move the complexity out of callers and into virCommand - by default, we return the actual exit status already cleaned through WEXITSTATUS and treat signals as a failed command; but the few callers that care can ask for raw status and act on it themselves. * src/util/vircommand.h (virCommandRawStatus): New prototype. * src/libvirt_private.syms (util/command.h): Export it. * docs/internals/command.html.in: Document it. * src/util/vircommand.c (virCommandRawStatus): New function. (virCommandWait): Adjust semantics. * tests/commandtest.c (test1): Test it. * daemon/remote.c (remoteDispatchAuthPolkit): Adjust callers. * src/access/viraccessdriverpolkit.c (virAccessDriverPolkitCheck): Likewise. * src/fdstream.c (virFDStreamCloseInt): Likewise. * src/lxc/lxc_process.c (virLXCProcessStart): Likewise. * src/qemu/qemu_command.c (qemuCreateInBridgePortWithHelper): Likewise. * src/xen/xen_driver.c (xenUnifiedXendProbe): Simplify. * tests/reconnect.c (mymain): Likewise. * tests/statstest.c (mymain): Likewise. * src/bhyve/bhyve_process.c (virBhyveProcessStart) (virBhyveProcessStop): Don't overwrite virCommand error. * src/libvirt.c (virConnectAuthGainPolkit): Likewise. * src/openvz/openvz_driver.c (openvzDomainGetBarrierLimit) (openvzDomainSetBarrierLimit): Likewise. * src/util/virebtables.c (virEbTablesOnceInit): Likewise. * src/util/viriptables.c (virIpTablesOnceInit): Likewise. * src/util/virnetdevveth.c (virNetDevVethCreate): Fix debug message. * src/qemu/qemu_capabilities.c (virQEMUCapsInitQMP): Add comment. * src/storage/storage_backend_iscsi.c (virStorageBackendISCSINodeUpdate): Likewise. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 08 1月, 2014 1 次提交
-
-
由 Lénaïc Huard 提交于
When the host is configured with very restrictive firewall (default policy is DROP for all chains, including OUTPUT), the bridge driver for Linux adds netfilter entries to allow DHCP and DNS requests to go from the VM to the dnsmasq of the host. The issue that this commit fixes is the fact that a DROP policy on the OUTPUT chain blocks the DHCP replies from the host’s dnsmasq to the VM. As DHCP replies are sent in UDP, they are not caught by any --ctstate ESTABLISHED rule and so, need to be explicitly allowed. Signed-off-by: NLénaïc Huard <lenaic@lhuard.fr.eu.org>
-
- 08 11月, 2013 1 次提交
-
-
由 Serge Hallyn 提交于
When supported, ask iptables to wait rather than fail if it is in use by another caller (like ufw). (See https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1245322) Signed-off-by: NSerge Hallyn <serge.hallyn@ubuntu.com>
-
- 25 9月, 2013 1 次提交
-
-
由 Laszlo Ersek 提交于
The functions - iptablesAddForwardDontMasquerade(), - iptablesRemoveForwardDontMasquerade handle exceptions in the masquerading implemented in the POSTROUTING chain of the "nat" table. Such exceptions should be added as chronologically latest, logically top-most rules. The bridge driver will call these functions beginning with the next patch: some special destination IP addresses always refer to the local subnetwork, even though they don't match any practical subnetwork's netmask. Packets from virbrN targeting such IP addresses are never routed outwards, but the current rules treat them as non-virbrN-destined packets and masquerade them. This causes problems for some receivers on virbrN. Signed-off-by: NLaszlo Ersek <lersek@redhat.com>
-
- 10 7月, 2013 1 次提交
-
-
由 Michal Privoznik 提交于
-
- 02 7月, 2013 1 次提交
-
-
由 Roman Bogorodskiy 提交于
iptablesContext holds only 4 pairs of iptables (table, chain) and there's no need to pass it around. This is a first step towards separating bridge_driver.c in platform-specific parts.
-
- 24 5月, 2013 1 次提交
-
-
由 Michal Privoznik 提交于
-
- 11 5月, 2013 1 次提交
-
-
由 Laine Stump 提交于
These all existed before virfile.c was created, and for some reason weren't moved. This is mostly straightfoward, although the syntax rule prohibiting write() had to be changed to have an exception for virfile.c instead of virutil.c. This movement pointed out that there is a function called virBuildPath(), and another almost identical function called virFileBuildPath(). They really should be a single function, which I'll take care of as soon as I figure out what the arglist should look like.
-
- 02 5月, 2013 1 次提交
-
-
由 Michal Privoznik 提交于
The source code base needs to be adapted as well. Some files include virutil.h just for the string related functions (here, the include is substituted to match the new file), some include virutil.h without any need (here, the include is removed), and some require both.
-
- 28 3月, 2013 1 次提交
-
-
由 Stefan Seyfried 提交于
iptables-1.4.18 removed the long deprecated "state" match. Use "conntrack" instead in forwarding rules. Fixes openSUSE bug https://bugzilla.novell.com/811251 #811251.
-
- 20 2月, 2013 3 次提交
-
-
由 Natanael Copa 提交于
We pass over the address/port start/end values many times so we put them in structs. Signed-off-by: NNatanael Copa <ncopa@alpinelinux.org> Signed-off-by: NLaine Stump <laine@laine.org>
-
由 Natanael Copa 提交于
Let users set the port range to be used for forward mode NAT: ... <forward mode='nat'> <nat> <port start='1024' end='65535'/> </nat> </forward> ... Signed-off-by: NNatanael Copa <ncopa@alpinelinux.org> Signed-off-by: NLaine Stump <laine@laine.org>
-
由 Natanael Copa 提交于
Support setting which public ip to use for NAT via attribute address in subelement <nat> in <forward>: ... <forward mode='nat'> <address start='1.2.3.4' end='1.2.3.10'/> </forward> ... This will construct an iptables line using: '-j SNAT --to-source <start>-<end>' instead of: '-j MASQUERADE' Signed-off-by: NNatanael Copa <ncopa@alpinelinux.org> Signed-off-by: NLaine Stump <laine@laine.org>
-
- 09 2月, 2013 1 次提交
-
-
由 Natanael Copa 提交于
Instead of creating an iptables command in one shot, do it in steps so we can add conditional options like physdev and protocol. This removes code duplication while keeping existing behaviour. Signed-off-by: NNatanael Copa <ncopa@alpinelinux.org> Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 21 12月, 2012 6 次提交
-
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-