/* Allow all traffic destined to the bridge, with a valid network address.
 *
 * Adds or removes (per @action) a rule in the forward filter chain that
 * ACCEPTs packets whose destination falls inside @netaddr/@prefix and
 * that leave through @iface.  If @physdev is a non-empty string the rule
 * additionally requires the packet to have arrived on that interface.
 *
 * Returns the result of iptablesAddRemoveRule, or -1 if the network
 * string could not be formatted.
 *
 * NOTE(review): @iface/@physdev are handed over as separate arguments,
 * never spliced into one rule string here; presumably they become
 * individual argv entries — confirm in iptablesAddRemoveRule.
 */
static int
iptablesForwardAllowIn(iptablesContext *ctx,
                       virSocketAddr *netaddr,
                       unsigned int prefix,
                       const char *iface,
                       const char *physdev,
                       int action)
{
    char *networkstr = iptablesFormatNetwork(netaddr, prefix);
    int family;
    int rc;

    if (networkstr == NULL)
        return -1;

    family = VIR_SOCKET_ADDR_FAMILY(netaddr);

    if (physdev != NULL && physdev[0] != '\0') {
        rc = iptablesAddRemoveRule(ctx->forward_filter, family, action,
                                   "--destination", networkstr,
                                   "--in-interface", physdev,
                                   "--out-interface", iface,
                                   "--jump", "ACCEPT",
                                   NULL);
    } else {
        rc = iptablesAddRemoveRule(ctx->forward_filter, family, action,
                                   "--destination", networkstr,
                                   "--out-interface", iface,
                                   "--jump", "ACCEPT",
                                   NULL);
    }

    /* networkstr is owned by this function; release it on every path
     * after the rule has been submitted. */
    VIR_FREE(networkstr);
    return rc;
}
/* Allow all traffic destined to the bridge, with a valid network address
 * and associated with an existing connection.
 *
 * Adds or removes (per @action) a forward-filter rule ACCEPTing packets
 * destined to @network and leaving via @iface, but only when conntrack
 * reports the packet as ESTABLISHED or RELATED.  A non-empty @physdev
 * further restricts the rule to packets that arrived on that interface.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesForwardAllowRelatedIn(iptablesContext *ctx,
                              const char *network,
                              const char *iface,
                              const char *physdev,
                              int action)
{
    const int physdev_given = (physdev != NULL && physdev[0] != '\0');

    if (!physdev_given) {
        return iptablesAddRemoveRule(ctx->forward_filter, action,
                                     "--destination", network,
                                     "--out-interface", iface,
                                     "--match", "state",
                                     "--state", "ESTABLISHED,RELATED",
                                     "--jump", "ACCEPT",
                                     NULL);
    }

    return iptablesAddRemoveRule(ctx->forward_filter, action,
                                 "--destination", network,
                                 "--in-interface", physdev,
                                 "--out-interface", iface,
                                 "--match", "state",
                                 "--state", "ESTABLISHED,RELATED",
                                 "--jump", "ACCEPT",
                                 NULL);
}
/* Masquerade all traffic coming from the network associated
 * with the bridge.
 *
 * Adds or removes (per @action) a nat POSTROUTING rule that MASQUERADEs
 * packets sourced from @network.  The "! --destination @network" match
 * keeps traffic that stays inside the network from being rewritten.
 *
 * @protocol (non-empty): match only that protocol and pin the masqueraded
 *   source ports to 1024-65535.  "--to-ports" is only valid for tcp/udp,
 *   which is why it is emitted solely on the protocol-specific rule.
 * @physdev (non-empty): restrict the rule to packets leaving via @physdev.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesForwardMasquerade(iptablesContext *ctx,
                          const char *network,
                          const char *physdev,
                          const char *protocol,
                          int action)
{
    const int have_proto = (protocol != NULL && protocol[0] != '\0');
    const int have_physdev = (physdev != NULL && physdev[0] != '\0');

    /* Dispatch on the two optional matches; the argument lists differ in
     * length so each combination needs its own call. */
    switch ((have_proto << 1) | have_physdev) {
    case 3:
        return iptablesAddRemoveRule(ctx->nat_postrouting, action,
                                     "--source", network,
                                     "-p", protocol,
                                     "!", "--destination", network,
                                     "--out-interface", physdev,
                                     "--jump", "MASQUERADE",
                                     "--to-ports", "1024-65535",
                                     NULL);
    case 2:
        return iptablesAddRemoveRule(ctx->nat_postrouting, action,
                                     "--source", network,
                                     "-p", protocol,
                                     "!", "--destination", network,
                                     "--jump", "MASQUERADE",
                                     "--to-ports", "1024-65535",
                                     NULL);
    case 1:
        return iptablesAddRemoveRule(ctx->nat_postrouting, action,
                                     "--source", network,
                                     "!", "--destination", network,
                                     "--out-interface", physdev,
                                     "--jump", "MASQUERADE",
                                     NULL);
    default:
        return iptablesAddRemoveRule(ctx->nat_postrouting, action,
                                     "--source", network,
                                     "!", "--destination", network,
                                     "--jump", "MASQUERADE",
                                     NULL);
    }
}
/* Drop all traffic trying to forward to the bridge,
 * ie the bridge is the out interface.
 *
 * Adds or removes (per @action) a catch-all forward-filter rule that
 * REJECTs anything leaving via @iface.  It is meant to sit after the
 * more specific ACCEPT rules so that only explicitly allowed traffic
 * reaches the bridge.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesForwardRejectIn(iptablesContext *ctx,
                        const char *iface,
                        int action)
{
    const char *verdict = "REJECT";

    return iptablesAddRemoveRule(ctx->forward_filter, action,
                                 "--out-interface", iface,
                                 "--jump", verdict,
                                 NULL);
}
/* Allow all traffic between guests on the same bridge,
 * with a valid network address.
 *
 * Adds or removes (per @action) a forward-filter rule ACCEPTing packets
 * that both enter and leave through @iface.  Note that, unlike its
 * comment suggests, the rule matches on interfaces only; no network
 * address check is emitted here.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesForwardAllowCross(iptablesContext *ctx,
                          const char *iface,
                          int action)
{
    const char *bridge = iface;

    return iptablesAddRemoveRule(ctx->forward_filter, action,
                                 "--in-interface", bridge,
                                 "--out-interface", bridge,
                                 "--jump", "ACCEPT",
                                 NULL);
}
/* Drop all traffic trying to forward to the bridge,
 * ie the bridge is the out interface.
 *
 * Adds or removes (per @action) a rule in the FORWARD chain of the
 * "filter" table for address family @family that REJECTs anything
 * leaving via @iface.  Intended to follow the specific ACCEPT rules so
 * that only explicitly permitted traffic reaches the bridge.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesForwardRejectIn(int family,
                        const char *iface,
                        int action)
{
    const char *table = "filter";
    const char *chain = "FORWARD";

    return iptablesAddRemoveRule(table, chain, family, action,
                                 "--out-interface", iface,
                                 "--jump", "REJECT",
                                 NULL);
}
/* Allow all traffic between guests on the same bridge,
 * with a valid network address.
 *
 * Adds or removes (per @action) a rule in the FORWARD chain of the
 * "filter" table for address family @family that ACCEPTs packets which
 * both arrive on and leave through @iface.  Only the interface pair is
 * matched; no address range is emitted by this helper.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesForwardAllowCross(int family,
                          const char *iface,
                          int action)
{
    const char *table = "filter";
    const char *chain = "FORWARD";

    return iptablesAddRemoveRule(table, chain, family, action,
                                 "--in-interface", iface,
                                 "--out-interface", iface,
                                 "--jump", "ACCEPT",
                                 NULL);
}
/* Allow all traffic destined to the bridge, with a valid network address
 * and associated with an existing connection.
 *
 * Adds or removes (per @action) a rule in the FORWARD chain of the
 * "filter" table, for the address family of @netaddr, that ACCEPTs
 * packets destined to @netaddr/@prefix and leaving via @iface when
 * conntrack classifies them as ESTABLISHED or RELATED.  A non-empty
 * @physdev additionally requires the packet to have arrived there.
 *
 * Returns the result of iptablesAddRemoveRule, or -1 if the network
 * string could not be formatted.
 */
static int
iptablesForwardAllowRelatedIn(virSocketAddr *netaddr,
                              unsigned int prefix,
                              const char *iface,
                              const char *physdev,
                              int action)
{
    char *networkstr = iptablesFormatNetwork(netaddr, prefix);
    int family;
    int rc;

    if (networkstr == NULL)
        return -1;

    family = VIR_SOCKET_ADDR_FAMILY(netaddr);

    if (physdev == NULL || physdev[0] == '\0') {
        rc = iptablesAddRemoveRule("filter", "FORWARD", family, action,
                                   "--destination", networkstr,
                                   "--out-interface", iface,
                                   "--match", "conntrack",
                                   "--ctstate", "ESTABLISHED,RELATED",
                                   "--jump", "ACCEPT",
                                   NULL);
    } else {
        rc = iptablesAddRemoveRule("filter", "FORWARD", family, action,
                                   "--destination", networkstr,
                                   "--in-interface", physdev,
                                   "--out-interface", iface,
                                   "--match", "conntrack",
                                   "--ctstate", "ESTABLISHED,RELATED",
                                   "--jump", "ACCEPT",
                                   NULL);
    }

    /* The formatted network string is owned here; free it once the rule
     * has been submitted. */
    VIR_FREE(networkstr);
    return rc;
}
/* Allow all traffic coming from the bridge, with a valid network address,
 * to proceed to WAN.
 *
 * Adds or removes (per @action) a forward-filter rule ACCEPTing packets
 * sourced from @network that arrive on @iface.  A non-empty @physdev
 * limits the rule to packets leaving through that interface; otherwise
 * any outgoing interface is allowed.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesForwardAllowOut(iptablesContext *ctx,
                        const char *network,
                        const char *iface,
                        const char *physdev,
                        int action)
{
    const int restrict_outdev = (physdev != NULL && physdev[0] != '\0');

    if (!restrict_outdev) {
        return iptablesAddRemoveRule(ctx->forward_filter, action,
                                     "--source", network,
                                     "--in-interface", iface,
                                     "--jump", "ACCEPT",
                                     NULL);
    }

    return iptablesAddRemoveRule(ctx->forward_filter, action,
                                 "--source", network,
                                 "--in-interface", iface,
                                 "--out-interface", physdev,
                                 "--jump", "ACCEPT",
                                 NULL);
}
/* Add or remove (per @action) a mangle POSTROUTING rule that fills in the
 * UDP checksum of packets leaving via @iface for destination port @port.
 *
 * @port is rendered with "%d" and passed through unchanged; no range
 * check is done here — presumably callers validate it beforehand,
 * confirm at the call sites.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesOutputFixUdpChecksum(iptablesContext *ctx,
                             const char *iface,
                             int port,
                             int action)
{
    char portstr[32];

    /* snprintf already NUL-terminates; the explicit write is belt and
     * braces kept from the original. */
    snprintf(portstr, sizeof(portstr), "%d", port);
    portstr[sizeof(portstr) - 1] = '\0';

    return iptablesAddRemoveRule(ctx->mangle_postrouting, action,
                                 "--out-interface", iface,
                                 "--protocol", "udp",
                                 "--destination-port", portstr,
                                 "--jump", "CHECKSUM",
                                 "--checksum-fill",
                                 NULL);
}
/* Add or remove (per @action) an IPv4 rule in the POSTROUTING chain of the
 * "mangle" table that fills in the UDP checksum of packets leaving via
 * @iface for destination port @port.  The family is fixed to AF_INET.
 *
 * @port is rendered with "%d" and passed through unchanged; no range
 * check is done here — presumably callers validate it beforehand,
 * confirm at the call sites.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesOutputFixUdpChecksum(const char *iface,
                             int port,
                             int action)
{
    char portstr[32];

    /* snprintf already NUL-terminates; the explicit write is belt and
     * braces kept from the original. */
    snprintf(portstr, sizeof(portstr), "%d", port);
    portstr[sizeof(portstr) - 1] = '\0';

    return iptablesAddRemoveRule("mangle", "POSTROUTING", AF_INET, action,
                                 "--out-interface", iface,
                                 "--protocol", "udp",
                                 "--destination-port", portstr,
                                 "--jump", "CHECKSUM",
                                 "--checksum-fill",
                                 NULL);
}
/* Add or remove (per @action) an input-filter rule ACCEPTing packets that
 * arrive on @iface for destination port @port.  @tcp selects the protocol
 * match: non-zero for tcp, zero for udp.
 *
 * @port is rendered with "%d" and passed through unchanged; no range
 * check is done here — presumably callers validate it beforehand,
 * confirm at the call sites.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesInput(iptablesContext *ctx,
              const char *iface,
              int port,
              int action,
              int tcp)
{
    const char *proto = tcp ? "tcp" : "udp";
    char portstr[32];

    /* snprintf already NUL-terminates; the explicit write is belt and
     * braces kept from the original. */
    snprintf(portstr, sizeof(portstr), "%d", port);
    portstr[sizeof(portstr) - 1] = '\0';

    return iptablesAddRemoveRule(ctx->input_filter, action,
                                 "--in-interface", iface,
                                 "--protocol", proto,
                                 "--destination-port", portstr,
                                 "--jump", "ACCEPT",
                                 NULL);
}
/* Add or remove (per @action) a rule in the OUTPUT chain of the "filter"
 * table for address family @family that ACCEPTs packets leaving via
 * @iface for destination port @port.  @tcp selects the protocol match:
 * non-zero for tcp, zero for udp.
 *
 * @port is rendered with "%d" and passed through unchanged; no range
 * check is done here — presumably callers validate it beforehand,
 * confirm at the call sites.
 *
 * Returns whatever iptablesAddRemoveRule returns.
 */
static int
iptablesOutput(int family,
               const char *iface,
               int port,
               int action,
               int tcp)
{
    const char *proto = tcp ? "tcp" : "udp";
    char portstr[32];

    /* snprintf already NUL-terminates; the explicit write is belt and
     * braces kept from the original. */
    snprintf(portstr, sizeof(portstr), "%d", port);
    portstr[sizeof(portstr) - 1] = '\0';

    return iptablesAddRemoveRule("filter", "OUTPUT", family, action,
                                 "--out-interface", iface,
                                 "--protocol", proto,
                                 "--destination-port", portstr,
                                 "--jump", "ACCEPT",
                                 NULL);
}