/* Remove all rules for all ip addresses (and general rules) on a network.
 *
 * Both transactions are opened with VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS,
 * so (per the flag's name) a single failing deletion does not stop the rest
 * of the teardown. The return value of virFirewallApply() is deliberately
 * not inspected: this is best-effort cleanup and the function has no error
 * channel back to its caller.
 */
void
networkRemoveFirewallRules(virNetworkDefPtr def)
{
    virFirewallPtr fw = virFirewallNew();
    virNetworkIpDefPtr ipdef = NULL;
    size_t idx = 0;

    /* Checksum rules go first, in their own transaction. */
    virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
    networkRemoveChecksumFirewallRules(fw, def);

    /* Then the per-address rules for every configured address (any
     * family), followed by the general rules. */
    virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
    while ((ipdef = virNetworkDefGetIpByIndex(def, AF_UNSPEC, idx)) != NULL) {
        if (networkRemoveIpSpecificFirewallRules(fw, def, ipdef) < 0)
            goto cleanup; /* could not build the rule set: nothing is applied */
        idx++;
    }
    networkRemoveGeneralFirewallRules(fw, def);

    virFirewallApply(fw);

 cleanup:
    virFirewallFree(fw);
}
/* Create the context's ebtables chain, hook it into FORWARD and set its
 * default policy to DROP.
 *
 * Chain creation and the FORWARD jump are issued in an IGNORE_ERRORS
 * transaction (presumably so that an already-existing chain does not fail
 * the call); the policy change runs in a second transaction with flags 0.
 *
 * Note: despite the function name, the policy installed is DROP, not REJECT.
 *
 * Returns 0 on success, -1 if virFirewallApply() fails.
 */
int
ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
{
    virFirewallPtr fw = virFirewallNew();
    int rc = -1;

    /* Best-effort part: create the chain and insert the jump from FORWARD. */
    virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
                       "--new-chain", ctx->chain, NULL);
    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
                       "--insert", "FORWARD", "--jump", ctx->chain, NULL);

    /* Strict part: the chain's default policy must become DROP. */
    virFirewallStartTransaction(fw, 0);
    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
                       "-P", ctx->chain, "DROP", NULL);

    if (virFirewallApply(fw) >= 0)
        rc = 0;

    virFirewallFree(fw);
    return rc;
}
/*
 * Allow all traffic destined to the bridge, with a valid network address
 *
 * Inserts (action == ADD) or otherwise deletes an ACCEPT rule in the
 * context chain matching frames arriving on @iface with source MAC
 * @macaddr. The transaction uses flags 0 (not IGNORE_ERRORS), so a
 * failing rule change is reported to the caller.
 *
 * Returns 0 on success, -1 if virFirewallApply() fails.
 */
static int
ebtablesForwardAllowIn(ebtablesContext *ctx,
                       const char *iface,
                       const char *macaddr,
                       int action)
{
    const char *verb = (action == ADD) ? "--insert" : "--delete";
    virFirewallPtr fw = virFirewallNew();
    int rc = -1;

    virFirewallStartTransaction(fw, 0);
    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
                       verb, ctx->chain,
                       "--in-interface", iface,
                       "--source", macaddr,
                       "--jump", "ACCEPT",
                       NULL);

    if (virFirewallApply(fw) >= 0)
        rc = 0;

    virFirewallFree(fw);
    return rc;
}
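/* Apply one group of two IPv4 rules in a single transaction and check that
 * exactly the expected iptables command lines are produced.
 *
 * @opaque is a struct testFirewallData giving the backend to request
 * (tryBackend), the backend expected to be selected (expectBackend) and the
 * value to store in the file-scope fwDisabled flag.
 *
 * Command capture depends on the expected backend: for the DIRECT backend
 * the iptables invocations are recorded through virCommandSetDryRun();
 * otherwise the file-scope fwBuf is pointed at cmdbuf (presumably consumed
 * by a firewalld mock elsewhere in this file — confirm there).
 *
 * The expected output shows the '!192.168.122.1' argument shell-quoted by
 * the capture layer, so the comparison also covers argument quoting.
 *
 * Returns 0 on success, -1 on failure (backend selection, buffer error or
 * an unexpected command sequence, in which case the difference is printed
 * to stderr).
 *
 * Fix: the diagnostic message read "Unexected"; corrected to "Unexpected".
 */
static int
testFirewallSingleGroup(const void *opaque)
{
    const struct testFirewallData *data = opaque;
    virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
    virFirewallPtr fw = NULL;
    const char *actual = NULL;
    const char *expected =
        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
        IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
    int ret = -1;

    fwDisabled = data->fwDisabled;
    if (virFirewallSetBackend(data->tryBackend) < 0)
        goto cleanup;

    /* Select the capture mechanism matching the backend we expect. */
    if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
        virCommandSetDryRun(&cmdbuf, NULL, NULL);
    else
        fwBuf = &cmdbuf;

    fw = virFirewallNew();

    virFirewallStartTransaction(fw, 0);
    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                       "-A", "INPUT",
                       "--source-host", "192.168.122.1",
                       "--jump", "ACCEPT", NULL);
    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                       "-A", "INPUT",
                       "--source-host", "!192.168.122.1",
                       "--jump", "REJECT", NULL);

    if (virFirewallApply(fw) < 0)
        goto cleanup;

    if (virBufferError(&cmdbuf))
        goto cleanup;

    actual = virBufferCurrentContent(&cmdbuf);

    if (STRNEQ_NULLABLE(expected, actual)) {
        fprintf(stderr, "Unexpected command execution\n");
        virTestDifference(stderr, expected, actual);
        goto cleanup;
    }

    ret = 0;
 cleanup:
    /* Always undo the global capture hooks so later tests start clean. */
    virBufferFreeAndReset(&cmdbuf);
    fwBuf = NULL;
    virCommandSetDryRun(NULL, NULL, NULL);
    virFirewallFree(fw);
    return ret;
}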