External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-21 19:02:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

util: change name of virFirewallRule to virFirewallCmd

Browse Source 
These objects aren't rules, they are commands that are executed that
may create a firewall rule, delete a firewall rule, or simply list the
existing firewall rules. It's confusing for the objects to be called
"Rule" (especially in the case of the function
virFirewallRemoveRule(), which doesn't remove a rule from the
firewall, it takes one of the objects out of the list of commands to
execute! In order to remove a rule from the host's firewall, you have
to Add a "rule" (now "cmd" aka command) to the list that will, when
applied/run, remove a rule from the host firewall.)

Changing the name to virFirewallCmd makes it all much less confusing.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Laine Stump 2024-04-19 22:19:42 -04:00
parent 5ac0dc4cef
commit 0817344ba7
7 changed files with 999 additions and 1002 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/libvirt_private.syms
View File

@ -2404,17 +2404,17 @@ virFileCacheSetPriv;
# util/virfirewall.h
virFirewallAddRuleFull;
virFirewallAddCmdFull;
virFirewallApply;
virFirewallCmdAddArg;
virFirewallCmdAddArgFormat;
virFirewallCmdAddArgList;
virFirewallCmdAddArgSet;
virFirewallCmdGetArgCount;
virFirewallCmdToString;
virFirewallFree;
virFirewallNew;
virFirewallRemoveRule;
virFirewallRuleAddArg;
virFirewallRuleAddArgFormat;
virFirewallRuleAddArgList;
virFirewallRuleAddArgSet;
virFirewallRuleGetArgCount;
virFirewallRuleToString;
virFirewallRemoveCmd;
virFirewallStartRollback;
virFirewallStartTransaction;

286
src/network/network_iptables.c
View File

@ -98,18 +98,18 @@ iptablesPrivateChainCreate(virFirewall *fw,
for (i = 0; i < data->nchains; i++) {
const char *from;
if (!virHashLookup(chains, data->chains[i].child)) {
virFirewallAddRule(fw, layer,
"--table", data->table,
"--new-chain", data->chains[i].child, NULL);
virFirewallAddCmd(fw, layer,
"--table", data->table,
"--new-chain", data->chains[i].child, NULL);
*data->changed = true;
}
from = virHashLookup(links, data->chains[i].child);
if (!from || STRNEQ(from, data->chains[i].parent))
virFirewallAddRule(fw, layer,
"--table", data->table,
"--insert", data->chains[i].parent,
"--jump", data->chains[i].child, NULL);
virFirewallAddCmd(fw, layer,
"--table", data->table,
"--insert", data->chains[i].parent,
"--jump", data->chains[i].child, NULL);
}
return 0;
@ -151,10 +151,10 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
virFirewallStartTransaction(fw, 0);
for (i = 0; i < G_N_ELEMENTS(data); i++)
virFirewallAddRuleFull(fw, data[i].layer,
false, iptablesPrivateChainCreate,
&(data[i]), "--table", data[i].table,
"--list-rules", NULL);
virFirewallAddCmdFull(fw, data[i].layer,
false, iptablesPrivateChainCreate,
&(data[i]), "--table", data[i].table,
"--list-rules", NULL);
if (virFirewallApply(fw) < 0)
return -1;
@ -173,15 +173,15 @@ iptablesInput(virFirewall *fw,
{
g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_INPUT_CHAIN,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_INPUT_CHAIN,
"--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
"--jump", "ACCEPT",
NULL);
}
static void
@ -194,15 +194,15 @@ iptablesOutput(virFirewall *fw,
{
g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_OUTPUT_CHAIN,
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_OUTPUT_CHAIN,
"--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr,
"--jump", "ACCEPT",
NULL);
}
/**
@ -369,24 +369,24 @@ iptablesForwardAllowOut(virFirewall *fw,
return -1;
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
"--jump", "ACCEPT",
NULL);
else
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
NULL);
return 0;
}
@ -459,28 +459,28 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
return -1;
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
"--match", "conntrack",
"--ctstate", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
"--match", "conntrack",
"--ctstate", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
else
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
"--ctstate", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--match", "conntrack",
"--ctstate", "ESTABLISHED,RELATED",
"--jump", "ACCEPT",
NULL);
return 0;
}
@ -551,24 +551,24 @@ iptablesForwardAllowIn(virFirewall *fw,
return -1;
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--in-interface", physdev,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
else
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
return 0;
}
@ -626,14 +626,14 @@ iptablesForwardAllowCross(virFirewall *fw,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_X_CHAIN,
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_X_CHAIN,
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
}
/**
@ -680,13 +680,13 @@ iptablesForwardRejectOut(virFirewall *fw,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_OUT_CHAIN,
"--in-interface", iface,
"--jump", "REJECT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_OUT_CHAIN,
"--in-interface", iface,
"--jump", "REJECT",
NULL);
}
/**
@ -732,13 +732,13 @@ iptablesForwardRejectIn(virFirewall *fw,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--out-interface", iface,
"--jump", "REJECT",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN,
"--out-interface", iface,
"--jump", "REJECT",
NULL);
}
/**
@ -796,7 +796,7 @@ iptablesForwardMasquerade(virFirewall *fw,
g_autofree char *addrEndStr = NULL;
g_autofree char *portRangeStr = NULL;
g_autofree char *natRangeStr = NULL;
virFirewallRule *rule;
virFirewallCmd *fwCmd;
int af = VIR_SOCKET_ADDR_FAMILY(netaddr);
virFirewallLayer layer = af == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
@ -814,7 +814,7 @@ iptablesForwardMasquerade(virFirewall *fw,
}
if (protocol && protocol[0]) {
rule = virFirewallAddRule(fw, layer,
fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
@ -823,7 +823,7 @@ iptablesForwardMasquerade(virFirewall *fw,
"!", "--destination", networkstr,
NULL);
} else {
rule = virFirewallAddRule(fw, layer,
fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
@ -833,7 +833,7 @@ iptablesForwardMasquerade(virFirewall *fw,
}
if (physdev && physdev[0])
virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL);
virFirewallCmdAddArgList(fw, fwCmd, "--out-interface", physdev, NULL);
if (protocol && protocol[0]) {
if (port->start == 0 && port->end == 0) {
@ -861,16 +861,16 @@ iptablesForwardMasquerade(virFirewall *fw,
portRangeStr ? portRangeStr : "");
}
virFirewallRuleAddArgList(fw, rule,
"--jump", "SNAT",
"--to-source", natRangeStr, NULL);
virFirewallCmdAddArgList(fw, fwCmd,
"--jump", "SNAT",
"--to-source", natRangeStr, NULL);
} else {
virFirewallRuleAddArgList(fw, rule,
"--jump", "MASQUERADE", NULL);
virFirewallCmdAddArgList(fw, fwCmd,
"--jump", "MASQUERADE", NULL);
if (portRangeStr && portRangeStr[0])
virFirewallRuleAddArgList(fw, rule,
"--to-ports", &portRangeStr[1], NULL);
virFirewallCmdAddArgList(fw, fwCmd,
"--to-ports", &portRangeStr[1], NULL);
}
return 0;
@ -950,24 +950,24 @@ iptablesForwardDontMasquerade(virFirewall *fw,
return -1;
if (physdev && physdev[0])
virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", physdev,
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
NULL);
else
virFirewallAddRule(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
NULL);
virFirewallAddCmd(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr,
"--destination", destaddr,
"--jump", "RETURN",
NULL);
return 0;
}
@ -1032,15 +1032,15 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
{
g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
"--jump", "CHECKSUM", "--checksum-fill",
NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", iface,
"--protocol", "udp",
"--destination-port", portstr,
"--jump", "CHECKSUM", "--checksum-fill",
NULL);
}
/**

988
src/nwfilter/nwfilter_ebiptables_driver.c
View File

File diff suppressed because it is too large Load Diff

32
src/util/virebtables.c
View File

@ -81,17 +81,17 @@ ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
g_autoptr(virFirewall) fw = virFirewallNew();
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
"--new-chain", ctx->chain,
NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
"--insert", "FORWARD",
"--jump", ctx->chain, NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
"--new-chain", ctx->chain,
NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
"--insert", "FORWARD",
"--jump", ctx->chain, NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
"-P", ctx->chain, "DROP",
NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
"-P", ctx->chain, "DROP",
NULL);
return virFirewallApply(fw);
}
@ -109,13 +109,13 @@ ebtablesForwardAllowIn(ebtablesContext *ctx,
g_autoptr(virFirewall) fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
action == ADD ? "--insert" : "--delete",
ctx->chain,
"--in-interface", iface,
"--source", macaddr,
"--jump", "ACCEPT",
NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
action == ADD ? "--insert" : "--delete",
ctx->chain,
"--in-interface", iface,
"--source", macaddr,
"--jump", "ACCEPT",
NULL);
return virFirewallApply(fw);
}

223
src/util/virfirewall.c
View File

@ -45,7 +45,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand,
IP6TABLES,
);
struct _virFirewallRule {
struct _virFirewallCmd {
virFirewallLayer layer;
virFirewallQueryCallback queryCB;
@ -62,10 +62,10 @@ struct _virFirewallGroup {
unsigned int rollbackFlags;
size_t naction;
virFirewallRule **action;
virFirewallCmd **action;
size_t nrollback;
virFirewallRule **rollback;
virFirewallCmd **rollback;
bool addingRollback;
};
@ -79,7 +79,7 @@ struct _virFirewall {
size_t currentGroup;
};
static virMutex ruleLock = VIR_MUTEX_INITIALIZER;
static virMutex fwCmdLock = VIR_MUTEX_INITIALIZER;
static virFirewallGroup *
virFirewallGroupNew(void)
@ -107,17 +107,17 @@ virFirewall *virFirewallNew(void)
static void
virFirewallRuleFree(virFirewallRule *rule)
virFirewallCmdFree(virFirewallCmd *fwCmd)
{
size_t i;
if (!rule)
if (!fwCmd)
return;
for (i = 0; i < rule->argsLen; i++)
g_free(rule->args[i]);
g_free(rule->args);
g_free(rule);
for (i = 0; i < fwCmd->argsLen; i++)
g_free(fwCmd->args[i]);
g_free(fwCmd->args);
g_free(fwCmd);
}
@ -130,11 +130,11 @@ virFirewallGroupFree(virFirewallGroup *group)
return;
for (i = 0; i < group->naction; i++)
virFirewallRuleFree(group->action[i]);
virFirewallCmdFree(group->action[i]);
g_free(group->action);
for (i = 0; i < group->nrollback; i++)
virFirewallRuleFree(group->rollback[i]);
virFirewallCmdFree(group->rollback[i]);
g_free(group->rollback);
g_free(group);
@ -167,9 +167,9 @@ void virFirewallFree(virFirewall *firewall)
return; \
} while (0)
#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule)\
#define VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd)\
do { \
if (!firewall || firewall->err || !rule) \
if (!firewall || firewall->err || !fwCmd) \
return; \
} while (0)
@ -179,22 +179,22 @@ void virFirewallFree(virFirewall *firewall)
return NULL; \
} while (0)
#define ADD_ARG(rule, str) \
#define ADD_ARG(fwCmd, str) \
do { \
VIR_RESIZE_N(rule->args, rule->argsAlloc, rule->argsLen, 1); \
rule->args[rule->argsLen++] = g_strdup(str); \
VIR_RESIZE_N(fwCmd->args, fwCmd->argsAlloc, fwCmd->argsLen, 1); \
fwCmd->args[fwCmd->argsLen++] = g_strdup(str); \
} while (0)
static virFirewallRule *
virFirewallAddRuleFullV(virFirewall *firewall,
virFirewallLayer layer,
bool ignoreErrors,
virFirewallQueryCallback cb,
void *opaque,
va_list args)
static virFirewallCmd *
virFirewallAddCmdFullV(virFirewall *firewall,
virFirewallLayer layer,
bool ignoreErrors,
virFirewallQueryCallback cb,
void *opaque,
va_list args)
{
virFirewallGroup *group;
virFirewallRule *rule;
virFirewallCmd *fwCmd;
char *str;
VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall);
@ -206,43 +206,43 @@ virFirewallAddRuleFullV(virFirewall *firewall,
group = firewall->groups[firewall->currentGroup];
rule = g_new0(virFirewallRule, 1);
fwCmd = g_new0(virFirewallCmd, 1);
rule->layer = layer;
rule->queryCB = cb;
rule->queryOpaque = opaque;
rule->ignoreErrors = ignoreErrors;
fwCmd->layer = layer;
fwCmd->queryCB = cb;
fwCmd->queryOpaque = opaque;
fwCmd->ignoreErrors = ignoreErrors;
switch (rule->layer) {
switch (fwCmd->layer) {
case VIR_FIREWALL_LAYER_ETHERNET:
ADD_ARG(rule, "--concurrent");
ADD_ARG(fwCmd, "--concurrent");
break;
case VIR_FIREWALL_LAYER_IPV4:
ADD_ARG(rule, "-w");
ADD_ARG(fwCmd, "-w");
break;
case VIR_FIREWALL_LAYER_IPV6:
ADD_ARG(rule, "-w");
ADD_ARG(fwCmd, "-w");
break;
case VIR_FIREWALL_LAYER_LAST:
break;
}
while ((str = va_arg(args, char *)) != NULL)
ADD_ARG(rule, str);
ADD_ARG(fwCmd, str);
if (group->addingRollback) {
VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule);
VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd);
} else {
VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule);
VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd);
}
return rule;
return fwCmd;
}
/**
* virFirewallAddRuleFull:
* virFirewallAddCmdFull:
* @firewall: firewall ruleset to add to
* @layer: the firewall layer to change
* @ignoreErrors: true to ignore failure of the command
@ -253,7 +253,7 @@ virFirewallAddRuleFullV(virFirewall *firewall,
* Add any type of rule to the firewall ruleset. Any output
* generated by the addition will be fed into the query
* callback @cb. This callback is permitted to create new
* rules by invoking the virFirewallAddRule method, but
* rules by invoking the virFirewallAddCmd method, but
* is not permitted to start new transactions.
*
* If @ignoreErrors is set to TRUE, then any failure of
@ -263,31 +263,31 @@ virFirewallAddRuleFullV(virFirewall *firewall,
*
* Returns the new rule
*/
virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall,
virFirewallLayer layer,
bool ignoreErrors,
virFirewallQueryCallback cb,
void *opaque,
...)
virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
virFirewallLayer layer,
bool ignoreErrors,
virFirewallQueryCallback cb,
void *opaque,
...)
{
virFirewallRule *rule;
virFirewallCmd *fwCmd;
va_list args;
va_start(args, opaque);
rule = virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, opaque, args);
fwCmd = virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, opaque, args);
va_end(args);
return rule;
return fwCmd;
}
/**
* virFirewallRemoveRule:
* virFirewallRemoveCmd:
* @firewall: firewall ruleset to remove from
* @rule: the rule to remove
*
* Remove a rule from the current transaction
*/
void virFirewallRemoveRule(virFirewall *firewall,
virFirewallRule *rule)
void virFirewallRemoveCmd(virFirewall *firewall,
virFirewallCmd *fwCmd)
{
size_t i;
virFirewallGroup *group;
@ -306,21 +306,21 @@ void virFirewallRemoveRule(virFirewall *firewall,
if (group->addingRollback) {
for (i = 0; i < group->nrollback; i++) {
if (group->rollback[i] == rule) {
if (group->rollback[i] == fwCmd) {
VIR_DELETE_ELEMENT(group->rollback,
i,
group->nrollback);
virFirewallRuleFree(rule);
virFirewallCmdFree(fwCmd);
break;
}
}
} else {
for (i = 0; i < group->naction; i++) {
if (group->action[i] == rule) {
if (group->action[i] == fwCmd) {
VIR_DELETE_ELEMENT(group->action,
i,
group->naction);
virFirewallRuleFree(rule);
virFirewallCmdFree(fwCmd);
return;
}
}
@ -328,45 +328,45 @@ void virFirewallRemoveRule(virFirewall *firewall,
}
void virFirewallRuleAddArg(virFirewall *firewall,
virFirewallRule *rule,
const char *arg)
void virFirewallCmdAddArg(virFirewall *firewall,
virFirewallCmd *fwCmd,
const char *arg)
{
VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
ADD_ARG(rule, arg);
ADD_ARG(fwCmd, arg);
return;
}
void virFirewallRuleAddArgFormat(virFirewall *firewall,
virFirewallRule *rule,
const char *fmt, ...)
void virFirewallCmdAddArgFormat(virFirewall *firewall,
virFirewallCmd *fwCmd,
const char *fmt, ...)
{
g_autofree char *arg = NULL;
va_list list;
VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
va_start(list, fmt);
arg = g_strdup_vprintf(fmt, list);
va_end(list);
ADD_ARG(rule, arg);
ADD_ARG(fwCmd, arg);
return;
}
void virFirewallRuleAddArgSet(virFirewall *firewall,
virFirewallRule *rule,
const char *const *args)
void virFirewallCmdAddArgSet(virFirewall *firewall,
virFirewallCmd *fwCmd,
const char *const *args)
{
VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
while (*args) {
ADD_ARG(rule, *args);
ADD_ARG(fwCmd, *args);
args++;
}
@ -374,19 +374,19 @@ void virFirewallRuleAddArgSet(virFirewall *firewall,
}
void virFirewallRuleAddArgList(virFirewall *firewall,
virFirewallRule *rule,
...)
void virFirewallCmdAddArgList(virFirewall *firewall,
virFirewallCmd *fwCmd,
...)
{
va_list list;
const char *str;
VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
va_start(list, rule);
va_start(list, fwCmd);
while ((str = va_arg(list, char *)) != NULL)
ADD_ARG(rule, str);
ADD_ARG(fwCmd, str);
va_end(list);
@ -394,11 +394,11 @@ void virFirewallRuleAddArgList(virFirewall *firewall,
}
size_t virFirewallRuleGetArgCount(virFirewallRule *rule)
size_t virFirewallCmdGetArgCount(virFirewallCmd *fwCmd)
{
if (!rule)
if (!fwCmd)
return 0;
return rule->argsLen;
return fwCmd->argsLen;
}
@ -462,16 +462,16 @@ void virFirewallStartRollback(virFirewall *firewall,
char *
virFirewallRuleToString(const char *cmd,
virFirewallRule *rule)
virFirewallCmdToString(const char *cmd,
virFirewallCmd *fwCmd)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
size_t i;
virBufferAdd(&buf, cmd, -1);
for (i = 0; i < rule->argsLen; i++) {
for (i = 0; i < fwCmd->argsLen; i++) {
virBufferAddLit(&buf, " ");
virBufferAdd(&buf, rule->args[i], -1);
virBufferAdd(&buf, fwCmd->args[i], -1);
}
return virBufferContentAndReset(&buf);
@ -479,12 +479,12 @@ virFirewallRuleToString(const char *cmd,
static int
virFirewallApplyRuleDirect(virFirewallRule *rule,
bool ignoreErrors,
char **output)
virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
bool ignoreErrors,
char **output)
{
size_t i;
const char *bin = virFirewallLayerCommandTypeToString(rule->layer);
const char *bin = virFirewallLayerCommandTypeToString(fwCmd->layer);
g_autoptr(virCommand) cmd = NULL;
g_autofree char *cmdStr = NULL;
int status;
@ -493,17 +493,17 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
if (!bin) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Unknown firewall layer %1$d"),
rule->layer);
fwCmd->layer);
return -1;
}
cmd = virCommandNewArgList(bin, NULL);
for (i = 0; i < rule->argsLen; i++)
virCommandAddArg(cmd, rule->args[i]);
for (i = 0; i < fwCmd->argsLen; i++)
virCommandAddArg(cmd, fwCmd->args[i]);
cmdStr = virCommandToString(cmd, false);
VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr));
VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr));
virCommandSetOutputBuffer(cmd, output);
virCommandSetErrorBuffer(cmd, &error);
@ -516,7 +516,7 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
VIR_DEBUG("Ignoring error running command");
} else {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Failed to apply firewall rules %1$s: %2$s"),
_("Failed to run firewall command %1$s: %2$s"),
NULLSTR(cmdStr), NULLSTR(error));
VIR_FREE(*output);
return -1;
@ -528,30 +528,30 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
static int
virFirewallApplyRule(virFirewall *firewall,
virFirewallRule *rule,
bool ignoreErrors)
virFirewallApplyCmd(virFirewall *firewall,
virFirewallCmd *fwCmd,
bool ignoreErrors)
{
g_autofree char *output = NULL;
g_auto(GStrv) lines = NULL;
if (rule->ignoreErrors)
ignoreErrors = rule->ignoreErrors;
if (fwCmd->ignoreErrors)
ignoreErrors = fwCmd->ignoreErrors;
if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0)
if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0)
return -1;
if (rule->queryCB && output) {
if (fwCmd->queryCB && output) {
if (!(lines = g_strsplit(output, "\n", -1)))
return -1;
VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output);
if (rule->queryCB(firewall, rule->layer, (const char *const *)lines, rule->queryOpaque) < 0)
VIR_DEBUG("Invoking query %p with '%s'", fwCmd->queryCB, output);
if (fwCmd->queryCB(firewall, fwCmd->layer, (const char *const *)lines, fwCmd->queryOpaque) < 0)
return -1;
if (firewall->err) {
virReportSystemError(firewall->err, "%s",
_("Unable to create rule"));
_("Unable to create firewall command"));
return -1;
}
@ -573,9 +573,9 @@ virFirewallApplyGroup(virFirewall *firewall,
firewall->currentGroup = idx;
group->addingRollback = false;
for (i = 0; i < group->naction; i++) {
if (virFirewallApplyRule(firewall,
group->action[i],
ignoreErrors) < 0)
if (virFirewallApplyCmd(firewall,
group->action[i],
ignoreErrors) < 0)
return -1;
}
return 0;
@ -592,11 +592,8 @@ virFirewallRollbackGroup(virFirewall *firewall,
VIR_INFO("Starting rollback for group %p", group);
firewall->currentGroup = idx;
group->addingRollback = true;
for (i = 0; i < group->nrollback; i++) {
ignore_value(virFirewallApplyRule(firewall,
group->rollback[i],
true));
}
for (i = 0; i < group->nrollback; i++)
ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], true));
}
@ -604,7 +601,7 @@ int
virFirewallApply(virFirewall *firewall)
{
size_t i, j;
VIR_LOCK_GUARD lock = virLockGuardLock(&ruleLock);
VIR_LOCK_GUARD lock = virLockGuardLock(&fwCmdLock);
if (!firewall || firewall->err) {
int err = EINVAL;
@ -612,7 +609,7 @@ virFirewallApply(virFirewall *firewall)
if (firewall)
err = firewall->err;
virReportSystemError(err, "%s", _("Unable to create rule"));
virReportSystemError(err, "%s", _("Unable to create firewall command"));
return -1;
}

54
src/util/virfirewall.h
View File

@ -24,7 +24,7 @@
typedef struct _virFirewall virFirewall;
typedef struct _virFirewallRule virFirewallRule;
typedef struct _virFirewallCmd virFirewallCmd;
typedef enum {
VIR_FIREWALL_LAYER_ETHERNET,
@ -39,7 +39,7 @@ virFirewall *virFirewallNew(void);
void virFirewallFree(virFirewall *firewall);
/**
* virFirewallAddRule:
* virFirewallAddCmd:
* @firewall: firewall ruleset to add to
* @layer: the firewall layer to change
* @...: NULL terminated list of strings for the rule
@ -48,49 +48,49 @@ void virFirewallFree(virFirewall *firewall);
*
* Returns the new rule
*/
#define virFirewallAddRule(firewall, layer, ...) \
virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_ARGS__)
#define virFirewallAddCmd(firewall, layer, ...) \
virFirewallAddCmdFull(firewall, layer, false, NULL, NULL, __VA_ARGS__)
typedef int (*virFirewallQueryCallback)(virFirewall *firewall,
virFirewallLayer layer,
const char *const *lines,
void *opaque);
virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall,
virFirewallLayer layer,
bool ignoreErrors,
virFirewallQueryCallback cb,
void *opaque,
...)
virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
virFirewallLayer layer,
bool ignoreErrors,
virFirewallQueryCallback cb,
void *opaque,
...)
G_GNUC_NULL_TERMINATED;
void virFirewallRemoveRule(virFirewall *firewall,
virFirewallRule *rule);
void virFirewallRemoveCmd(virFirewall *firewall,
virFirewallCmd *rule);
void virFirewallRuleAddArg(virFirewall *firewall,
virFirewallRule *rule,
const char *arg)
void virFirewallCmdAddArg(virFirewall *firewall,
virFirewallCmd *rule,
const char *arg)
ATTRIBUTE_NONNULL(3);
void virFirewallRuleAddArgFormat(virFirewall *firewall,
virFirewallRule *rule,
const char *fmt, ...)
void virFirewallCmdAddArgFormat(virFirewall *firewall,
virFirewallCmd *rule,
const char *fmt, ...)
ATTRIBUTE_NONNULL(3) G_GNUC_PRINTF(3, 4);
void virFirewallRuleAddArgSet(virFirewall *firewall,
virFirewallRule *rule,
const char *const *args)
void virFirewallCmdAddArgSet(virFirewall *firewall,
virFirewallCmd *rule,
const char *const *args)
ATTRIBUTE_NONNULL(3);
void virFirewallRuleAddArgList(virFirewall *firewall,
virFirewallRule *rule,
...)
void virFirewallCmdAddArgList(virFirewall *firewall,
virFirewallCmd *rule,
...)
G_GNUC_NULL_TERMINATED;
size_t virFirewallRuleGetArgCount(virFirewallRule *rule);
size_t virFirewallCmdGetArgCount(virFirewallCmd *rule);
char *virFirewallRuleToString(const char *cmd,
virFirewallRule *rule);
char *virFirewallCmdToString(const char *cmd,
virFirewallCmd *rule);
typedef enum {
/* Ignore all errors when applying rules, so no

402
tests/virfirewalltest.c
View File

@ -74,15 +74,15 @@ testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
return -1;
@ -107,28 +107,28 @@ testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED)
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n";
virFirewallRule *fwrule;
virFirewallCmd *fwrule;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL);
virFirewallRuleAddArg(fw, fwrule, "--source");
virFirewallRemoveRule(fw, fwrule);
fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL);
virFirewallCmdAddArg(fw, fwrule, "--source");
virFirewallRemoveCmd(fw, fwrule);
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL);
virFirewallRuleAddArg(fw, fwrule, "--source");
virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL);
virFirewallCmdAddArg(fw, fwrule, "--source");
virFirewallCmdAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
virFirewallCmdAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
return -1;
@ -161,26 +161,26 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
@ -235,26 +235,26 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
@ -288,25 +288,25 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
true, NULL, NULL,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
true, NULL, NULL,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
@ -338,20 +338,20 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
@ -386,37 +386,37 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
@ -450,41 +450,41 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
@ -522,67 +522,67 @@ testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
@ -656,10 +656,10 @@ testFirewallQueryCallback(virFirewall *fw,
void *opaque G_GNUC_UNUSED)
{
size_t i;
virFirewallAddRule(fw, layer,
"-A", "INPUT",
"--source", "!192.168.122.129",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, layer,
"-A", "INPUT",
"--source", "!192.168.122.129",
"--jump", "REJECT", NULL);
for (i = 0; lines[i] != NULL; i++) {
if (expectedLineNum >= G_N_ELEMENTS(expectedLines)) {
@ -703,46 +703,46 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
false,
testFirewallQueryCallback,
NULL,
"-L", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
false,
testFirewallQueryCallback,
NULL,
virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
false,
testFirewallQueryCallback,
NULL,
"-L", NULL);
virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
false,
testFirewallQueryCallback,
NULL,
"-t", "nat", "-L", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.130",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.130",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.128",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "192.168.122.128",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
return -1;