From b238953664fffd85c3dc35554ba7ab62638aeb5e Mon Sep 17 00:00:00 2001

Message-Id: <b238953664fffd85c3dc35554ba7ab62638aeb5e@dist-git>

From: Laine Stump <laine@laine.org>

Date: Sat, 27 Aug 2016 12:28:08 -0400

Subject: [PATCH] network: new network forward mode 'open'

The new forward mode 'open' is just like mode='route', except that no

firewall rules are added to assure that any traffic does or doesn't

pass. It is assumed that either they aren't necessary, or they will be

setup outside the scope of libvirt.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=846810

(cherry picked from commit 25e8112d7c32ab271b9cae28f3ccbf5835206693)

---

 docs/formatnetwork.html.in                         | 22 ++++++++++++

 docs/schemas/network.rng                           |  1 +

 src/conf/network_conf.c                            | 25 +++++++++++--

 src/conf/network_conf.h                            |  1 +

 src/network/bridge_driver.c                        | 41 +++++++++++++++-------

 tests/networkxml2confdata/open-network.conf        | 11 ++++++

 tests/networkxml2confdata/open-network.xml         |  9 +++++

 tests/networkxml2conftest.c                        |  1 +

 .../open-network-with-forward-dev.xml              |  9 +++++

 tests/networkxml2xmlin/open-network.xml            |  9 +++++

 tests/networkxml2xmlout/open-network.xml           |  9 +++++

 tests/networkxml2xmltest.c                         |  2 ++

 12 files changed, 125 insertions(+), 15 deletions(-)

 create mode 100644 tests/networkxml2confdata/open-network.conf

 create mode 100644 tests/networkxml2confdata/open-network.xml

 create mode 100644 tests/networkxml2xmlin/open-network-with-forward-dev.xml

 create mode 100644 tests/networkxml2xmlin/open-network.xml

 create mode 100644 tests/networkxml2xmlout/open-network.xml

diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in

index 1cea931..619b10e 100644

--- a/docs/formatnetwork.html.in

+++ b/docs/formatnetwork.html.in

@@ -250,6 +250,28 @@

             Since 0.4.2

+          
open

+          

+            As with mode='route', guest network traffic will be

+            forwarded to the physical network via the host's IP

+            routing stack, but there will be no firewall rules added

+            to either enable or prevent any of this traffic. When

+            forward='open' is set, the dev attribute

+            cannot be set (because the forward dev is enforced with

+            firewall rules, and the purpose of forward='open' is to

+            have a forwarding mode where libvirt doesn't add any

+            firewall rules).  This mode presumes that the local LAN

+            router has suitable routing table entries to return

+            traffic to this host, and that some other management

+            system has been used to put in place any necessary

+            firewall rules. Although no firewall rules will be added

+            for the network, it is of course still possible to add

+            restrictions for specific guests using

+            nwfilter rules on the

+            guests' interfaces.)

+            Since 2.2.0

+          

+

           
bridge

             This network describes either 1) an existing host bridge

diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng

index 4edb6eb..8a1be68 100644

--- a/docs/schemas/network.rng

+++ b/docs/schemas/network.rng

@@ -101,6 +101,7 @@

                 <choice>

                   <value>nat</value>

                   <value>route</value>

+                  <value>open</value>

                   <value>bridge</value>

                   <value>passthrough</value>

                   <value>private</value>

diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c

index 2d904df..1990cfc 100644

--- a/src/conf/network_conf.c

+++ b/src/conf/network_conf.c

@@ -57,7 +57,9 @@ struct _virNetworkObjList {

 VIR_ENUM_IMPL(virNetworkForward,

               VIR_NETWORK_FORWARD_LAST,

-              "none", "nat", "route", "bridge", "private", "vepa", "passthrough", "hostdev")

+              "none", "nat", "route", "open",

+              "bridge", "private", "vepa", "passthrough",

+              "hostdev")

 VIR_ENUM_IMPL(virNetworkBridgeMACTableManager,

               VIR_NETWORK_BRIDGE_MAC_TABLE_MANAGER_LAST,

@@ -2329,6 +2331,7 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)

     case VIR_NETWORK_FORWARD_ROUTE:

     case VIR_NETWORK_FORWARD_NAT:

+    case VIR_NETWORK_FORWARD_OPEN:

         /* It's pointless to specify L3 forwarding without specifying

          * the network we're on.

          */

@@ -2347,6 +2350,19 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt)

                            def->name);

             goto error;

         }

+

+        if (def->forward.type == VIR_NETWORK_FORWARD_OPEN && def->forward.nifs) {

+            /* an open network by definition can't place any restrictions

+             * on what traffic is allowed or where it goes, so specifying

+             * a forwarding device is nonsensical.

+             */

+            virReportError(VIR_ERR_XML_ERROR,

+                           _("forward dev not allowed for "

+                             "network '%s' with forward mode='%s'"),

+                           def->name,

+                           virNetworkForwardTypeToString(def->forward.type));

+            goto error;

+        }

         break;

     case VIR_NETWORK_FORWARD_PRIVATE:

@@ -2820,13 +2836,15 @@ virNetworkDefFormatBuf(virBufferPtr buf,

     if (def->forward.type == VIR_NETWORK_FORWARD_NONE ||

         def->forward.type == VIR_NETWORK_FORWARD_NAT ||

         def->forward.type == VIR_NETWORK_FORWARD_ROUTE ||

+        def->forward.type == VIR_NETWORK_FORWARD_OPEN ||

         def->bridge || def->macTableManager) {

         virBufferAddLit(buf, "

         virBufferEscapeString(buf, " name='%s'", def->bridge);

         if (def->forward.type == VIR_NETWORK_FORWARD_NONE ||

             def->forward.type == VIR_NETWORK_FORWARD_NAT ||

-            def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {

+            def->forward.type == VIR_NETWORK_FORWARD_ROUTE ||

+            def->forward.type == VIR_NETWORK_FORWARD_OPEN) {

             virBufferAsprintf(buf, " stp='%s' delay='%ld'",

                               def->stp ? "on" : "off", def->delay);

         }

@@ -3199,7 +3217,8 @@ virNetworkObjPtr virNetworkLoadConfig(virNetworkObjListPtr nets,

     if (def->forward.type == VIR_NETWORK_FORWARD_NONE ||

         def->forward.type == VIR_NETWORK_FORWARD_NAT ||

-        def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {

+        def->forward.type == VIR_NETWORK_FORWARD_ROUTE ||

+        def->forward.type == VIR_NETWORK_FORWARD_OPEN) {

         if (!def->mac_specified) {

             virNetworkSetBridgeMacAddr(def);

diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h

index e7ce674..bba99e2 100644

--- a/src/conf/network_conf.h

+++ b/src/conf/network_conf.h

@@ -46,6 +46,7 @@ typedef enum {

     VIR_NETWORK_FORWARD_NONE   = 0,

     VIR_NETWORK_FORWARD_NAT,

     VIR_NETWORK_FORWARD_ROUTE,

+    VIR_NETWORK_FORWARD_OPEN,

     VIR_NETWORK_FORWARD_BRIDGE,

     VIR_NETWORK_FORWARD_PRIVATE,

     VIR_NETWORK_FORWARD_VEPA,

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c

index 0221a38..c6ab6a1 100644

--- a/src/network/bridge_driver.c

+++ b/src/network/bridge_driver.c

@@ -400,6 +400,7 @@ networkUpdateState(virNetworkObjPtr obj,

     case VIR_NETWORK_FORWARD_NONE:

     case VIR_NETWORK_FORWARD_NAT:

     case VIR_NETWORK_FORWARD_ROUTE:

+    case VIR_NETWORK_FORWARD_OPEN:

         /* If bridge doesn't exist, then mark it inactive */

         if (!(obj->def->bridge && virNetDevExists(obj->def->bridge) == 1))

             obj->active = 0;

@@ -1815,7 +1816,8 @@ networkRefreshDaemonsHelper(virNetworkObjPtr net,

     if (virNetworkObjIsActive(net) &&

         ((net->def->forward.type == VIR_NETWORK_FORWARD_NONE) ||

          (net->def->forward.type == VIR_NETWORK_FORWARD_NAT) ||

-         (net->def->forward.type == VIR_NETWORK_FORWARD_ROUTE))) {

+         (net->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) ||

+         (net->def->forward.type == VIR_NETWORK_FORWARD_OPEN))) {

         /* Only the three L3 network types that are configured by

          * libvirt will have a dnsmasq or radvd daemon associated

          * with them.  Here we send a SIGHUP to an existing

@@ -1851,8 +1853,10 @@ networkReloadFirewallRulesHelper(virNetworkObjPtr net,

         ((net->def->forward.type == VIR_NETWORK_FORWARD_NONE) ||

          (net->def->forward.type == VIR_NETWORK_FORWARD_NAT) ||

          (net->def->forward.type == VIR_NETWORK_FORWARD_ROUTE))) {

-        /* Only the three L3 network types that are configured by libvirt

-         * need to have iptables rules reloaded.

+        /* Only three of the L3 network types that are configured by

+         * libvirt need to have iptables rules reloaded. The 4th L3

+         * network type, forward='open', doesn't need this because it

+         * has no iptables rules.

          */

         networkRemoveFirewallRules(net->def);

         if (networkAddFirewallRules(net->def) < 0) {

@@ -2135,7 +2139,8 @@ networkStartNetworkVirtual(virNetworkDriverStatePtr driver,

         goto err1;

     /* Add "once per network" rules */

-    if (networkAddFirewallRules(network->def) < 0)

+    if (network->def->forward.type != VIR_NETWORK_FORWARD_OPEN &&

+        networkAddFirewallRules(network->def) < 0)

         goto err1;

     for (i = 0;

@@ -2237,7 +2242,8 @@ networkStartNetworkVirtual(virNetworkDriverStatePtr driver,

  err2:

     if (!save_err)

         save_err = virSaveLastError();

-    networkRemoveFirewallRules(network->def);

+    if (network->def->forward.type != VIR_NETWORK_FORWARD_OPEN)

+        networkRemoveFirewallRules(network->def);

  err1:

     if (!save_err)

@@ -2293,7 +2299,8 @@ networkShutdownNetworkVirtual(virNetworkDriverStatePtr driver,

     ignore_value(virNetDevSetOnline(network->def->bridge, 0));

-    networkRemoveFirewallRules(network->def);

+    if (network->def->forward.type != VIR_NETWORK_FORWARD_OPEN)

+        networkRemoveFirewallRules(network->def);

     ignore_value(virNetDevBridgeDelete(network->def->bridge));

@@ -2400,6 +2407,7 @@ networkCreateInterfacePool(virNetworkDefPtr netdef)

         case VIR_NETWORK_FORWARD_NONE:

         case VIR_NETWORK_FORWARD_NAT:

         case VIR_NETWORK_FORWARD_ROUTE:

+        case VIR_NETWORK_FORWARD_OPEN:

         case VIR_NETWORK_FORWARD_LAST:

             /* by definition these will never be encountered here */

             break;

@@ -2493,6 +2501,7 @@ networkStartNetwork(virNetworkDriverStatePtr driver,

     case VIR_NETWORK_FORWARD_NONE:

     case VIR_NETWORK_FORWARD_NAT:

     case VIR_NETWORK_FORWARD_ROUTE:

+    case VIR_NETWORK_FORWARD_OPEN:

         if (networkStartNetworkVirtual(driver, network) < 0)

             goto cleanup;

         break;

@@ -2571,6 +2580,7 @@ networkShutdownNetwork(virNetworkDriverStatePtr driver,

     case VIR_NETWORK_FORWARD_NONE:

     case VIR_NETWORK_FORWARD_NAT:

     case VIR_NETWORK_FORWARD_ROUTE:

+    case VIR_NETWORK_FORWARD_OPEN:

         ret = networkShutdownNetworkVirtual(driver, network);

         break;

@@ -2919,7 +2929,8 @@ networkValidate(virNetworkDriverStatePtr driver,

      */

     if (def->forward.type == VIR_NETWORK_FORWARD_NONE ||

         def->forward.type == VIR_NETWORK_FORWARD_NAT ||

-        def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {

+        def->forward.type == VIR_NETWORK_FORWARD_ROUTE ||

+        def->forward.type == VIR_NETWORK_FORWARD_OPEN) {

         /* if no bridge name was given in the config, find a name

          * unused by any other libvirt networks and assign it.

@@ -3360,8 +3371,10 @@ networkUpdate(virNetworkPtr net,

                  * old rules (and remember to load new ones after the

                  * update).

                  */

-                networkRemoveFirewallRules(network->def);

-                needFirewallRefresh = true;

+                if (network->def->forward.type != VIR_NETWORK_FORWARD_OPEN) {

+                    networkRemoveFirewallRules(network->def);

+                    needFirewallRefresh = true;

+                }

                 break;

             default:

                 break;

@@ -4037,7 +4050,8 @@ networkAllocateActualDevice(virDomainDefPtr dom,

     if ((netdef->forward.type == VIR_NETWORK_FORWARD_NONE) ||

         (netdef->forward.type == VIR_NETWORK_FORWARD_NAT) ||

-        (netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE)) {

+        (netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE) ||

+        (netdef->forward.type == VIR_NETWORK_FORWARD_OPEN)) {

         /* for these forward types, the actual net type really *is*

          * NETWORK; we just keep the info from the portgroup in

          * iface->data.network.actual

@@ -4581,7 +4595,8 @@ networkReleaseActualDevice(virDomainDefPtr dom,

     if (iface->data.network.actual &&

         (netdef->forward.type == VIR_NETWORK_FORWARD_NONE ||

          netdef->forward.type == VIR_NETWORK_FORWARD_NAT ||

-         netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE) &&

+         netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE ||

+         netdef->forward.type == VIR_NETWORK_FORWARD_OPEN) &&

         networkUnplugBandwidth(network, iface) < 0)

         goto error;

@@ -4728,6 +4743,7 @@ networkGetNetworkAddress(const char *netname, char **netaddr)

     case VIR_NETWORK_FORWARD_NONE:

     case VIR_NETWORK_FORWARD_NAT:

     case VIR_NETWORK_FORWARD_ROUTE:

+    case VIR_NETWORK_FORWARD_OPEN:

         ipdef = virNetworkDefGetIPByIndex(netdef, AF_UNSPEC, 0);

         if (!ipdef) {

             virReportError(VIR_ERR_INTERNAL_ERROR,

@@ -4811,7 +4827,8 @@ networkGetActualType(virDomainNetDefPtr iface)

     if ((netdef->forward.type == VIR_NETWORK_FORWARD_NONE) ||

         (netdef->forward.type == VIR_NETWORK_FORWARD_NAT) ||

-        (netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE)) {

+        (netdef->forward.type == VIR_NETWORK_FORWARD_ROUTE) ||

+        (netdef->forward.type == VIR_NETWORK_FORWARD_OPEN)) {

         /* for these forward types, the actual net type really *is*

          * NETWORK; we just keep the info from the portgroup in

          * iface->data.network.actual

diff --git a/tests/networkxml2confdata/open-network.conf b/tests/networkxml2confdata/open-network.conf

new file mode 100644

index 0000000..ff09984

--- /dev/null

+++ b/tests/networkxml2confdata/open-network.conf

@@ -0,0 +1,11 @@

+##WARNING:  THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE

+##OVERWRITTEN AND LOST.  Changes to this configuration should be made using:

+##    virsh net-edit open

+## or other application using the libvirt API.

+##

+## dnsmasq conf file created by libvirt

+strict-order

+except-interface=lo

+bind-dynamic

+interface=virbr1

+addn-hosts=/var/lib/libvirt/dnsmasq/open.addnhosts

diff --git a/tests/networkxml2confdata/open-network.xml b/tests/networkxml2confdata/open-network.xml

new file mode 100644

index 0000000..e0b3f03

--- /dev/null

+++ b/tests/networkxml2confdata/open-network.xml

@@ -0,0 +1,9 @@

+<network>

+  <name>open</name>

+  <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>

+  <forward mode='open'/>

+  <bridge name='virbr1' stp='on' delay='0'/>

+  <mac address='12:34:56:78:9A:BC'/>

+  <ip address='192.168.122.1' netmask='255.255.255.0'>

+  </ip>

+</network>

diff --git a/tests/networkxml2conftest.c b/tests/networkxml2conftest.c

index 11e08c0..77acc53 100644

--- a/tests/networkxml2conftest.c

+++ b/tests/networkxml2conftest.c

@@ -117,6 +117,7 @@ mymain(void)

     DO_TEST("nat-network-dns-srv-record-minimal", restricted);

     DO_TEST("nat-network-name-with-quotes", restricted);

     DO_TEST("routed-network", full);

+    DO_TEST("open-network", full);

     DO_TEST("nat-network", dhcpv6);

     DO_TEST("nat-network-dns-txt-record", full);

     DO_TEST("nat-network-dns-srv-record", full);

diff --git a/tests/networkxml2xmlin/open-network-with-forward-dev.xml b/tests/networkxml2xmlin/open-network-with-forward-dev.xml

new file mode 100644

index 0000000..33e8bb5

--- /dev/null

+++ b/tests/networkxml2xmlin/open-network-with-forward-dev.xml

@@ -0,0 +1,9 @@

+<network>

+  <name>open</name>

+  <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>

+  <bridge name="virbr1"/>

+  <mac address='12:34:56:78:9A:BC'/>

+  <forward mode="open" dev="eth0"/>

+  <ip address="192.168.122.1" netmask="255.255.255.0">

+  </ip>

+</network>

diff --git a/tests/networkxml2xmlin/open-network.xml b/tests/networkxml2xmlin/open-network.xml

new file mode 100644

index 0000000..2e4b9b2

--- /dev/null

+++ b/tests/networkxml2xmlin/open-network.xml

@@ -0,0 +1,9 @@

+<network>

+  <name>open</name>

+  <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>

+  <bridge name="virbr1"/>

+  <mac address='12:34:56:78:9A:BC'/>

+  <forward mode="open"/>

+  <ip address="192.168.122.1" netmask="255.255.255.0">

+  </ip>

+</network>

diff --git a/tests/networkxml2xmlout/open-network.xml b/tests/networkxml2xmlout/open-network.xml

new file mode 100644

index 0000000..29e9684

--- /dev/null

+++ b/tests/networkxml2xmlout/open-network.xml

@@ -0,0 +1,9 @@

+<network>

+  <name>open</name>

+  <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>

+  <forward mode='open'/>

+  <bridge name='virbr1' stp='on' delay='0'/>

+  <mac address='12:34:56:78:9a:bc'/>

+  <ip address='192.168.122.1' netmask='255.255.255.0'>

+  </ip>

+</network>

diff --git a/tests/networkxml2xmltest.c b/tests/networkxml2xmltest.c

index d65f6aa..9114c1e 100644

--- a/tests/networkxml2xmltest.c

+++ b/tests/networkxml2xmltest.c

@@ -127,6 +127,8 @@ mymain(void)

     DO_TEST("empty-allow-ipv6");

     DO_TEST("isolated-network");

     DO_TEST("routed-network");

+    DO_TEST("open-network");

+    DO_TEST_PARSE_ERROR("open-network-with-forward-dev");

     DO_TEST("nat-network");

     DO_TEST("netboot-network");

     DO_TEST("netboot-proxy-network");

-- 

2.10.0