/*
 * nwfilter_conf.h: network filter XML processing
 * (derived from storage_conf.h)
 *
 * Copyright (C) 2006-2010, 2012-2018 Red Hat, Inc.
 * Copyright (C) 2006-2008 Daniel P. Berrange
 *
 * Copyright (C) 2010 IBM Corporation
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library. If not, see
 * <http://www.gnu.org/licenses/>.
 */

#pragma once

#include "internal.h"

#include "virhash.h"
#include "virxml.h"
#include "virbuffer.h"
#include "virsocketaddr.h"
#include "virmacaddr.h"
#include "virdomainobjlist.h"
#include "virenum.h"

/* XXX
 * The config parser/structs should not be using platform specific
 * constants. Win32 lacks these constants, breaking the parser,
 * so temporarily define them until this can be re-written to use
 * locally defined enums for all constants.
 *
 * The fallbacks below are only used when the platform headers did not
 * already provide the EtherType values.
 */
#ifndef ETHERTYPE_IP
# define ETHERTYPE_IP 0x0800
#endif
#ifndef ETHERTYPE_ARP
# define ETHERTYPE_ARP 0x0806
#endif
#ifndef ETHERTYPE_REVARP
# define ETHERTYPE_REVARP 0x8035
#endif
#ifndef ETHERTYPE_IPV6
# define ETHERTYPE_IPV6 0x86dd
#endif
#ifndef ETHERTYPE_VLAN
# define ETHERTYPE_VLAN 0x8100
#endif

/**
 * Chain suffix size is:
 * max. user-defined table name length -
 * sizeof("FO-") -
 * max. interface name size -
 * sizeof("-") -
 * terminating '\0' =
 * 32-3-15-1-1 = 12
 */
#define MAX_CHAIN_SUFFIX_SIZE 12


/*
 * Per-attribute state bits kept in nwItemDesc.flags.
 * EXISTS is tested by HAS_ENTRY_ITEM(), IS_NEG by ENTRY_WANT_NEG_SIGN().
 * HAS_VAR presumably marks an attribute whose value is supplied through
 * nwItemDesc.varAccess rather than a literal -- confirm in the parser.
 */
typedef enum {
    NWFILTER_ENTRY_ITEM_FLAG_EXISTS = 1 << 0,
    NWFILTER_ENTRY_ITEM_FLAG_IS_NEG = 1 << 1,
    NWFILTER_ENTRY_ITEM_FLAG_HAS_VAR = 1 << 2,
} virNWFilterEntryItemFlags;


#define MAX_COMMENT_LENGTH 256
#define MAX_IPSET_NAME_LENGTH 32 /* incl. terminating '\0' */

/* True when the attribute was set on the rule. */
#define HAS_ENTRY_ITEM(data) \
    (((data)->flags) & NWFILTER_ENTRY_ITEM_FLAG_EXISTS)

/* True when the attribute is a negated match. */
#define ENTRY_WANT_NEG_SIGN(data) \
    (((data)->flags) & NWFILTER_ENTRY_ITEM_FLAG_IS_NEG)

/*
 * datatypes appearing in rule attributes
 *
 * Each value is a single bit, so several datatypes can be OR-ed together;
 * presumably this lets one attribute accept more than one representation.
 * DATATYPE_LAST is a sentinel, not a datatype.
 */
typedef enum attrDatatype {
    DATATYPE_UINT16 = (1 << 0),
    DATATYPE_UINT8 = (1 << 1),
    DATATYPE_UINT16_HEX = (1 << 2),
    DATATYPE_UINT8_HEX = (1 << 3),
    DATATYPE_MACADDR = (1 << 4),
    DATATYPE_MACMASK = (1 << 5),
    DATATYPE_IPADDR = (1 << 6),
    DATATYPE_IPMASK = (1 << 7),
    DATATYPE_STRING = (1 << 8),
    DATATYPE_IPV6ADDR = (1 << 9),
    DATATYPE_IPV6MASK = (1 << 10),
    DATATYPE_STRINGCOPY = (1 << 11),
    DATATYPE_BOOLEAN = (1 << 12),
    DATATYPE_UINT32 = (1 << 13),
    DATATYPE_UINT32_HEX = (1 << 14),
    DATATYPE_IPSETNAME = (1 << 15),
    DATATYPE_IPSETFLAGS = (1 << 16),

    DATATYPE_LAST = (1 << 17),
} virNWFilterAttrDataType;

/* IEEE 802.1D bridge group address (destination of STP BPDUs). */
#define NWFILTER_MAC_BGA "01:80:c2:00:00:00"


typedef struct _nwItemDesc nwItemDesc;
/*
 * One attribute of a rule: its state flags, its datatype and the parsed
 * value. Only the union member matching datatype is meaningful -- this
 * is what the layout implies; confirm against the parser.
 */
struct _nwItemDesc {
    virNWFilterEntryItemFlags flags;   /* NWFILTER_ENTRY_ITEM_FLAG_* bits */
    virNWFilterVarAccess *varAccess;   /* variable reference, see FLAG_HAS_VAR */
    enum attrDatatype datatype;        /* selects the active member of u */
    union {
        virMacAddr macaddr;
        virSocketAddr ipaddr;
        bool boolean;
        uint8_t u8;
        uint16_t u16;
        uint32_t u32;
        char protocolID[10];           /* assumed NUL-terminated -- confirm */
        char *string;
        struct {
            uint8_t mask;
            uint8_t flags;
        } tcpFlags;
        struct {
            /* room for MAX_IPSET_NAME_LENGTH - 1 characters plus '\0' */
            char setname[MAX_IPSET_NAME_LENGTH];
            uint8_t numFlags;
            uint8_t flags;
        } ipset;
    } u;
};

/*
 * Characters accepted in an ipset name. Note the set ends with a blank,
 * so names containing spaces pass this check; any code that later places
 * such a name on a command line must quote or escape it -- verify where
 * the name is emitted.
 */
#define VALID_IPSETNAME \
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.:-+ "

typedef struct _ethHdrDataDef ethHdrDataDef;
/* Ethernet header match criteria shared by the layer-2 rule types. */
struct _ethHdrDataDef {
    nwItemDesc dataSrcMACAddr;
    nwItemDesc dataSrcMACMask;
    nwItemDesc dataDstMACAddr;
    nwItemDesc dataDstMACMask;
};


typedef struct _ethHdrFilterDef ethHdrFilterDef;
/* Match criteria of a MAC rule. */
struct _ethHdrFilterDef {
    ethHdrDataDef ethHdr;
    nwItemDesc dataProtocolID;
    nwItemDesc dataComment;
};


typedef struct _vlanHdrFilterDef vlanHdrFilterDef;
/* Match criteria of a VLAN rule. */
struct _vlanHdrFilterDef {
    ethHdrDataDef ethHdr;
    nwItemDesc dataVlanID;
    nwItemDesc dataVlanEncap;
    nwItemDesc dataComment;
};


typedef struct _stpHdrFilterDef stpHdrFilterDef;
/*
 * Match criteria of an STP rule. The *Hi members pair with the member
 * before them, presumably forming a value range -- confirm in the parser.
 */
struct _stpHdrFilterDef {
    ethHdrDataDef ethHdr;
    nwItemDesc dataType;
    nwItemDesc dataFlags;
    nwItemDesc dataRootPri;
    nwItemDesc dataRootPriHi;
    nwItemDesc dataRootAddr;
    nwItemDesc dataRootAddrMask;
    nwItemDesc dataRootCost;
    nwItemDesc dataRootCostHi;
    nwItemDesc dataSndrPrio;
    nwItemDesc dataSndrPrioHi;
    nwItemDesc dataSndrAddr;
    nwItemDesc dataSndrAddrMask;
    nwItemDesc dataPort;
    nwItemDesc dataPortHi;
    nwItemDesc dataAge;
    nwItemDesc dataAgeHi;
    nwItemDesc dataMaxAge;
    nwItemDesc dataMaxAgeHi;
    nwItemDesc dataHelloTime;
    nwItemDesc dataHelloTimeHi;
    nwItemDesc dataFwdDelay;
    nwItemDesc dataFwdDelayHi;
    nwItemDesc dataComment;
};


typedef struct _arpHdrFilterDef arpHdrFilterDef;
/* Match criteria of an ARP rule (reused for RARP, see virNWFilterRuleDef). */
struct _arpHdrFilterDef {
    ethHdrDataDef ethHdr;
    nwItemDesc dataHWType;
    nwItemDesc dataProtocolType;
    nwItemDesc dataOpcode;
    nwItemDesc dataARPSrcMACAddr;
    nwItemDesc dataARPSrcIPAddr;
    nwItemDesc dataARPSrcIPMask;
    nwItemDesc dataARPDstMACAddr;
    nwItemDesc dataARPDstIPAddr;
    nwItemDesc dataARPDstIPMask;
    nwItemDesc dataGratuitousARP;
    nwItemDesc dataComment;
};


typedef struct _ipHdrDataDef ipHdrDataDef;
/* IP header match criteria shared by the IPv4/IPv6 rule types. */
struct _ipHdrDataDef {
    nwItemDesc dataIPVersion;
    nwItemDesc dataSrcIPAddr;
    nwItemDesc dataSrcIPMask;
    nwItemDesc dataDstIPAddr;
    nwItemDesc dataDstIPMask;
    nwItemDesc dataProtocolID;
    nwItemDesc dataSrcIPFrom;       /* address range bounds */
    nwItemDesc dataSrcIPTo;
    nwItemDesc dataDstIPFrom;
    nwItemDesc dataDstIPTo;
    nwItemDesc dataDSCP;
    nwItemDesc dataState;
    nwItemDesc dataConnlimitAbove;
    nwItemDesc dataComment;
    nwItemDesc dataIPSet;           /* DATATYPE_IPSETNAME, see VALID_IPSETNAME */
    nwItemDesc dataIPSetFlags;
};


typedef struct _portDataDef portDataDef;
/* Source/destination port ranges of transport-layer rules. */
struct _portDataDef {
    nwItemDesc dataSrcPortStart;
    nwItemDesc dataSrcPortEnd;
    nwItemDesc dataDstPortStart;
    nwItemDesc dataDstPortEnd;
};


typedef struct _ipHdrFilterDef ipHdrFilterDef;
/* Match criteria of an IP (IPv4) rule. */
struct _ipHdrFilterDef {
    ethHdrDataDef ethHdr;
    ipHdrDataDef ipHdr;
    portDataDef portData;
};


typedef struct _ipv6HdrFilterDef ipv6HdrFilterDef;
/* Match criteria of an IPv6 rule, including ICMPv6 type/code ranges. */
struct _ipv6HdrFilterDef {
    ethHdrDataDef ethHdr;
    ipHdrDataDef ipHdr;
    portDataDef portData;
    nwItemDesc dataICMPTypeStart;
    nwItemDesc dataICMPTypeEnd;
    nwItemDesc dataICMPCodeStart;
    nwItemDesc dataICMPCodeEnd;
};


typedef struct _icmpHdrFilterDef icmpHdrFilterDef;
/* Match criteria of an ICMP rule. */
struct _icmpHdrFilterDef {
    nwItemDesc dataSrcMACAddr;
    ipHdrDataDef ipHdr;
    nwItemDesc dataICMPType;
    nwItemDesc dataICMPCode;
    nwItemDesc dataStateFlags;
};


typedef struct _allHdrFilterDef allHdrFilterDef;
/* Match criteria of an "all" rule (any IP protocol). */
struct _allHdrFilterDef {
    nwItemDesc dataSrcMACAddr;
    ipHdrDataDef ipHdr;
};


typedef struct _igmpHdrFilterDef igmpHdrFilterDef;
/* Match criteria of an IGMP rule. */
struct _igmpHdrFilterDef {
    nwItemDesc dataSrcMACAddr;
    ipHdrDataDef ipHdr;
};


typedef struct _tcpHdrFilterDef tcpHdrFilterDef;
/* Match criteria of a TCP rule. */
struct _tcpHdrFilterDef {
    nwItemDesc dataSrcMACAddr;
    ipHdrDataDef ipHdr;
    portDataDef portData;
    nwItemDesc dataTCPOption;
    nwItemDesc dataTCPFlags;       /* see nwItemDesc.u.tcpFlags */
};
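typedef struct _udpHdrFilterDef udpHdrFilterDef;
/* Match criteria of a UDP rule. */
struct _udpHdrFilterDef {
    nwItemDesc dataSrcMACAddr;
    ipHdrDataDef ipHdr;
    portDataDef portData;
};


typedef struct _sctpHdrFilterDef sctpHdrFilterDef;
/* Match criteria of an SCTP rule. */
struct _sctpHdrFilterDef {
    nwItemDesc dataSrcMACAddr;
    ipHdrDataDef ipHdr;
    portDataDef portData;
};


typedef struct _espHdrFilterDef espHdrFilterDef;
/* Match criteria of an ESP rule. */
struct _espHdrFilterDef {
    nwItemDesc dataSrcMACAddr;
    ipHdrDataDef ipHdr;
};


typedef struct _ahHdrFilterDef ahHdrFilterDef;
/* Match criteria of an AH rule. */
struct _ahHdrFilterDef {
    nwItemDesc dataSrcMACAddr;
    ipHdrDataDef ipHdr;
};


typedef struct _udpliteHdrFilterDef udpliteHdrFilterDef;
/* Match criteria of a UDP-Lite rule. */
struct _udpliteHdrFilterDef {
    nwItemDesc dataSrcMACAddr;
    ipHdrDataDef ipHdr;
};


/* Verdict applied when a rule matches (stored in virNWFilterRuleDef.action). */
typedef enum {
    VIR_NWFILTER_RULE_ACTION_DROP = 0,
    VIR_NWFILTER_RULE_ACTION_ACCEPT,
    VIR_NWFILTER_RULE_ACTION_REJECT,
    VIR_NWFILTER_RULE_ACTION_RETURN,
    VIR_NWFILTER_RULE_ACTION_CONTINUE,

    VIR_NWFILTER_RULE_ACTION_LAST,
} virNWFilterRuleActionType;

/* Traffic direction a rule applies to (stored in virNWFilterRuleDef.tt). */
typedef enum {
    VIR_NWFILTER_RULE_DIRECTION_IN = 0,
    VIR_NWFILTER_RULE_DIRECTION_OUT,
    VIR_NWFILTER_RULE_DIRECTION_INOUT,

    VIR_NWFILTER_RULE_DIRECTION_LAST,
} virNWFilterRuleDirectionType;

/* Policy of a chain: accept or drop. */
typedef enum {
    VIR_NWFILTER_CHAIN_POLICY_ACCEPT = 0,
    VIR_NWFILTER_CHAIN_POLICY_DROP,

    VIR_NWFILTER_CHAIN_POLICY_LAST,
} virNWFilterChainPolicyType;


/*
 * If adding protocols be sure to update the
 * virNWFilterRuleIsProtocolXXXX function impls
 *
 * The enumerators are grouped by layer; each group's order is part of
 * the classification those functions rely on.
 */
typedef enum {
    /* Ethernet layer protocols */
    VIR_NWFILTER_RULE_PROTOCOL_NONE = 0,
    VIR_NWFILTER_RULE_PROTOCOL_MAC,
    VIR_NWFILTER_RULE_PROTOCOL_VLAN,
    VIR_NWFILTER_RULE_PROTOCOL_STP,
    VIR_NWFILTER_RULE_PROTOCOL_ARP,
    VIR_NWFILTER_RULE_PROTOCOL_RARP,
    VIR_NWFILTER_RULE_PROTOCOL_IP,
    VIR_NWFILTER_RULE_PROTOCOL_IPV6,

    /* IPv4 layer protocols */
    VIR_NWFILTER_RULE_PROTOCOL_TCP,
    VIR_NWFILTER_RULE_PROTOCOL_ICMP,
    VIR_NWFILTER_RULE_PROTOCOL_IGMP,
    VIR_NWFILTER_RULE_PROTOCOL_UDP,
    VIR_NWFILTER_RULE_PROTOCOL_UDPLITE,
    VIR_NWFILTER_RULE_PROTOCOL_ESP,
    VIR_NWFILTER_RULE_PROTOCOL_AH,
    VIR_NWFILTER_RULE_PROTOCOL_SCTP,
    VIR_NWFILTER_RULE_PROTOCOL_ALL,

    /* IPv6 layer protocols */
    VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6,
    VIR_NWFILTER_RULE_PROTOCOL_ICMPV6,
    VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6,
    VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6,
    VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6,
    VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6,
    VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6,
    VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6,

    VIR_NWFILTER_RULE_PROTOCOL_LAST
} virNWFilterRuleProtocolType;

/* ebtables table a chain lives in. */
typedef enum {
    VIR_NWFILTER_EBTABLES_TABLE_FILTER = 0,
    VIR_NWFILTER_EBTABLES_TABLE_NAT,
    VIR_NWFILTER_EBTABLES_TABLE_BROUTE,

    VIR_NWFILTER_EBTABLES_TABLE_LAST,
} virNWFilterEbtablesTableType;


/*
 * Valid priority ranges for rules and filters. Negative values are
 * parenthesized so the macros expand safely inside any expression
 * (CERT PRE01-C); the numeric values are unchanged.
 */
#define MIN_RULE_PRIORITY (-1000)
#define MAX_RULE_PRIORITY 1000

#define NWFILTER_MIN_FILTER_PRIORITY (-1000)
#define NWFILTER_MAX_FILTER_PRIORITY MAX_RULE_PRIORITY

/* Fixed priorities of the per-protocol chains, listed from lowest to highest. */
#define NWFILTER_ROOT_FILTER_PRI 0
#define NWFILTER_STP_FILTER_PRI (-810)
#define NWFILTER_MAC_FILTER_PRI (-800)
#define NWFILTER_VLAN_FILTER_PRI (-750)
#define NWFILTER_IPV4_FILTER_PRI (-700)
#define NWFILTER_IPV6_FILTER_PRI (-600)
#define NWFILTER_ARP_FILTER_PRI (-500)
#define NWFILTER_RARP_FILTER_PRI (-400)

/*
 * Per-rule flags (virNWFilterRuleDef.flags). The RULE_FLAG_STATE_* bits
 * presumably map onto connection-tracking states; NO_STATEMATCH disables
 * state matching altogether -- confirm in the backend that emits rules.
 */
typedef enum {
    RULE_FLAG_NO_STATEMATCH = (1 << 0),
    RULE_FLAG_STATE_NEW = (1 << 1),
    RULE_FLAG_STATE_ESTABLISHED = (1 << 2),
    RULE_FLAG_STATE_RELATED = (1 << 3),
    RULE_FLAG_STATE_INVALID = (1 << 4),
    RULE_FLAG_STATE_NONE = (1 << 5),
} virNWFilterRuleFlags;


/* Every RULE_FLAG_STATE_* bit; RULE_FLAG_NO_STATEMATCH is deliberately excluded. */
#define IPTABLES_STATE_FLAGS \
    (RULE_FLAG_STATE_NEW | \
     RULE_FLAG_STATE_ESTABLISHED | \
     RULE_FLAG_STATE_RELATED | \
     RULE_FLAG_STATE_INVALID | \
     RULE_FLAG_STATE_NONE)

/*
 * Append a textual form of the RULE_FLAG_STATE_* bits in @flags to @buf,
 * preceded by @prefix. @disp_none presumably controls whether
 * RULE_FLAG_STATE_NONE is rendered -- confirm in nwfilter_conf.c.
 */
void virNWFilterPrintStateMatchFlags(virBuffer *buf, const char *prefix,
                                     int32_t flags, bool disp_none);

/* Rule priority; valid range is MIN_RULE_PRIORITY..MAX_RULE_PRIORITY. */
typedef int32_t virNWFilterRulePriority;

typedef struct _virNWFilterRuleDef virNWFilterRuleDef;
/*
 * One parsed <rule>. prtclType selects which member of p holds the
 * match criteria. Released with virNWFilterRuleDefFree().
 */
struct _virNWFilterRuleDef {
    virNWFilterRulePriority priority;
    virNWFilterRuleFlags flags;
    int action; /* virNWFilterRuleActionType */
    int tt; /* virNWFilterRuleDirectionType */
    virNWFilterRuleProtocolType prtclType;
    union {
        ethHdrFilterDef ethHdrFilter;
        vlanHdrFilterDef vlanHdrFilter;
        stpHdrFilterDef stpHdrFilter;
        arpHdrFilterDef arpHdrFilter; /* also used for rarp */
        ipHdrFilterDef ipHdrFilter;
        ipv6HdrFilterDef ipv6HdrFilter;
        tcpHdrFilterDef tcpHdrFilter;
        icmpHdrFilterDef icmpHdrFilter;
        udpHdrFilterDef udpHdrFilter;
        udpliteHdrFilterDef udpliteHdrFilter;
        espHdrFilterDef espHdrFilter;
        ahHdrFilterDef ahHdrFilter;
        allHdrFilterDef allHdrFilter;
        igmpHdrFilterDef igmpHdrFilter;
        sctpHdrFilterDef sctpHdrFilter;
    } p;

    /* variable references used by this rule's attributes; nVarAccess entries */
    size_t nVarAccess;
    virNWFilterVarAccess **varAccess;

    /* nstrings heap strings, presumably owned by the rule -- confirm in the free routine */
    size_t nstrings;
    char **strings;
};


typedef struct _virNWFilterIncludeDef virNWFilterIncludeDef;
/* A reference to another filter by name, with the parameters passed to it. */
struct _virNWFilterIncludeDef {
    char *filterref;
    GHashTable *params;
};


typedef struct _virNWFilterEntry virNWFilterEntry;
/* One entry of a filter: either a rule or an include (presumably never both). */
struct _virNWFilterEntry {
    virNWFilterRuleDef *rule;
    virNWFilterIncludeDef *include;
};

/* Built-in chains a filter can attach to; see virNWFilterDef.chainsuffix. */
typedef enum {
    VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
    VIR_NWFILTER_CHAINSUFFIX_MAC,
    VIR_NWFILTER_CHAINSUFFIX_VLAN,
    VIR_NWFILTER_CHAINSUFFIX_STP,
    VIR_NWFILTER_CHAINSUFFIX_ARP,
    VIR_NWFILTER_CHAINSUFFIX_RARP,
    VIR_NWFILTER_CHAINSUFFIX_IPv4,
    VIR_NWFILTER_CHAINSUFFIX_IPv6,

    VIR_NWFILTER_CHAINSUFFIX_LAST,
} virNWFilterChainSuffixType;

/* Characters accepted in a chain name (no '+' and no blank, unlike VALID_IPSETNAME). */
#define VALID_CHAINNAME \
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.:-"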
/* Priority of a filter within its chain; range NWFILTER_MIN_FILTER_PRIORITY..NWFILTER_MAX_FILTER_PRIORITY. */
typedef int32_t virNWFilterChainPriority;

typedef struct _virNWFilterDef virNWFilterDef;
/* A parsed <filter> definition. Released with virNWFilterDefFree(). */
struct _virNWFilterDef {
    char *name;
    unsigned char uuid[VIR_UUID_BUFLEN];
    bool uuid_specified;                /* presumably set when the XML carried a uuid -- confirm in the parser */

    char *chainsuffix;                  /* chain the filter attaches to; see VALID_CHAINNAME, MAX_CHAIN_SUFFIX_SIZE */
    virNWFilterChainPriority chainPriority;

    size_t nentries;                    /* number of elements in filterEntries */
    virNWFilterEntry **filterEntries;   /* rules and includes of this filter */
};


/* Release a rule and everything it owns. */
void
virNWFilterRuleDefFree(virNWFilterRuleDef *def);

/* Release a filter definition and everything it owns. */
void
virNWFilterDefFree(virNWFilterDef *def);

/*
 * Request a rebuild of the instantiated filters, presumably by invoking
 * the callback registered with virNWFilterConfLayerInit() -- confirm.
 * Returns an int status; the convention is not visible here.
 */
int
virNWFilterTriggerRebuild(void);

/* Remove the on-disk configuration of @def from @configDir. */
int
virNWFilterDeleteDef(const char *configDir,
                     virNWFilterDef *def);

/*
 * Parse a filter definition from an already-parsed XML document rooted
 * at @root. Returns a new virNWFilterDef; the error return value
 * (presumably NULL) is not visible here.
 */
virNWFilterDef *
virNWFilterDefParseNode(xmlDocPtr xml,
                        xmlNodePtr root);

/* Format @def back to XML; the returned string is heap-allocated -- presumably the caller frees it. */
char *
virNWFilterDefFormat(const virNWFilterDef *def);

/* Write the configuration of @def into @configDir. */
int
virNWFilterSaveConfig(const char *configDir,
                      virNWFilterDef *def);

/* Parse a filter definition from the XML text in @xml; @flags are parse flags whose meaning is not visible here. */
virNWFilterDef *
virNWFilterDefParseString(const char *xml,
                          unsigned int flags);

/* Read and parse the filter definition stored in @filename. */
virNWFilterDef *
virNWFilterDefParseFile(const char *filename);

/*
 * Lock guarding updates to the set of filters. The names suggest a
 * reader/writer lock: take the write lock to modify filters, the read
 * lock to instantiate them, and release either with the unlock call.
 */
void
virNWFilterWriteLockFilterUpdates(void);

void
virNWFilterReadLockFilterUpdates(void);

void
virNWFilterUnlockFilterUpdates(void);

/* Callback invoked to rebuild filters; @opaque is the pointer given to virNWFilterConfLayerInit(). */
typedef int (*virNWFilterTriggerRebuildCallback)(void *opaque);

/* Initialise the config layer, registering @cb/@opaque for rebuild requests. */
int
virNWFilterConfLayerInit(virNWFilterTriggerRebuildCallback cb,
                         void *opaque);

/* Tear down state set up by virNWFilterConfLayerInit(). */
void
virNWFilterConfLayerShutdown(void);


/* Render a TCP flag byte as text; heap-allocated result, presumably freed by the caller. */
char *
virNWFilterPrintTCPFlags(uint8_t flags);

/*
 * Classify a rule by the layer of its prtclType. Keep these in sync with
 * virNWFilterRuleProtocolType when adding protocols.
 */
bool
virNWFilterRuleIsProtocolIPv4(virNWFilterRuleDef *rule);

bool
virNWFilterRuleIsProtocolIPv6(virNWFilterRuleDef *rule);

bool
virNWFilterRuleIsProtocolEthernet(virNWFilterRuleDef *rule);


/*
 * String converters (see virenum.h): each declaration provides the
 * ...TypeToString()/...TypeFromString() pair for the matching enum.
 * The virNWFilterJumpTarget enum itself is not defined in this header.
 */
VIR_ENUM_DECL(virNWFilterRuleAction);
VIR_ENUM_DECL(virNWFilterRuleDirection);
VIR_ENUM_DECL(virNWFilterRuleProtocol);
VIR_ENUM_DECL(virNWFilterJumpTarget);
VIR_ENUM_DECL(virNWFilterChainPolicy);
VIR_ENUM_DECL(virNWFilterEbtablesTable);
VIR_ENUM_DECL(virNWFilterChainSuffix);