External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-22 03:12:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

util: change name of virFirewallRule to virFirewallCmd

Browse Source 
These objects aren't rules, they are commands that are executed that
may create a firewall rule, delete a firewall rule, or simply list the
existing firewall rules. It's confusing for the objects to be called
"Rule" (especially in the case of the function
virFirewallRemoveRule(), which doesn't remove a rule from the
firewall, it takes one of the objects out of the list of commands to
execute! In order to remove a rule from the host's firewall, you have
to Add a "rule" (now "cmd" aka command) to the list that will, when
applied/run, remove a rule from the host firewall.)

Changing the name to virFirewallCmd makes it all much less confusing.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Laine Stump 2024-04-19 22:19:42 -04:00
parent 5ac0dc4cef
commit 0817344ba7
7 changed files with 999 additions and 1002 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/libvirt_private.syms
View File

@ -2404,17 +2404,17 @@ virFileCacheSetPriv;
# util/virfirewall.h # util/virfirewall.h
virFirewallAddRuleFull; virFirewallAddCmdFull;
virFirewallApply; virFirewallApply;
virFirewallCmdAddArg;
virFirewallCmdAddArgFormat;
virFirewallCmdAddArgList;
virFirewallCmdAddArgSet;
virFirewallCmdGetArgCount;
virFirewallCmdToString;
virFirewallFree; virFirewallFree;
virFirewallNew; virFirewallNew;
virFirewallRemoveRule; virFirewallRemoveCmd;
virFirewallRuleAddArg;
virFirewallRuleAddArgFormat;
virFirewallRuleAddArgList;
virFirewallRuleAddArgSet;
virFirewallRuleGetArgCount;
virFirewallRuleToString;
virFirewallStartRollback; virFirewallStartRollback;
virFirewallStartTransaction; virFirewallStartTransaction;

286
src/network/network_iptables.c
View File

@ -98,18 +98,18 @@ iptablesPrivateChainCreate(virFirewall *fw,
for (i = 0; i < data->nchains; i++) { for (i = 0; i < data->nchains; i++) {
const char *from; const char *from;
if (!virHashLookup(chains, data->chains[i].child)) { if (!virHashLookup(chains, data->chains[i].child)) {
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", data->table, "--table", data->table,
"--new-chain", data->chains[i].child, NULL); "--new-chain", data->chains[i].child, NULL);
*data->changed = true; *data->changed = true;
} }
from = virHashLookup(links, data->chains[i].child); from = virHashLookup(links, data->chains[i].child);
if (!from || STRNEQ(from, data->chains[i].parent)) if (!from || STRNEQ(from, data->chains[i].parent))
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", data->table, "--table", data->table,
"--insert", data->chains[i].parent, "--insert", data->chains[i].parent,
"--jump", data->chains[i].child, NULL); "--jump", data->chains[i].child, NULL);
} }
return 0; return 0;
@ -151,10 +151,10 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
for (i = 0; i < G_N_ELEMENTS(data); i++) for (i = 0; i < G_N_ELEMENTS(data); i++)
virFirewallAddRuleFull(fw, data[i].layer, virFirewallAddCmdFull(fw, data[i].layer,
false, iptablesPrivateChainCreate, false, iptablesPrivateChainCreate,
&(data[i]), "--table", data[i].table, &(data[i]), "--table", data[i].table,
"--list-rules", NULL); "--list-rules", NULL);
if (virFirewallApply(fw) < 0) if (virFirewallApply(fw) < 0)
return -1; return -1;
@ -173,15 +173,15 @@ iptablesInput(virFirewall *fw,
{ {
g_autofree char *portstr = g_strdup_printf("%d", port); g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_INPUT_CHAIN, VIR_IPTABLES_INPUT_CHAIN,
"--in-interface", iface, "--in-interface", iface,
"--protocol", tcp ? "tcp" : "udp", "--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr, "--destination-port", portstr,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
} }
static void static void
@ -194,15 +194,15 @@ iptablesOutput(virFirewall *fw,
{ {
g_autofree char *portstr = g_strdup_printf("%d", port); g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_OUTPUT_CHAIN, VIR_IPTABLES_OUTPUT_CHAIN,
"--out-interface", iface, "--out-interface", iface,
"--protocol", tcp ? "tcp" : "udp", "--protocol", tcp ? "tcp" : "udp",
"--destination-port", portstr, "--destination-port", portstr,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
} }
/** /**
@ -369,24 +369,24 @@ iptablesForwardAllowOut(virFirewall *fw,
return -1; return -1;
if (physdev && physdev[0]) if (physdev && physdev[0])
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_OUT_CHAIN, VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr, "--source", networkstr,
"--in-interface", iface, "--in-interface", iface,
"--out-interface", physdev, "--out-interface", physdev,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
else else
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_OUT_CHAIN, VIR_IPTABLES_FWD_OUT_CHAIN,
"--source", networkstr, "--source", networkstr,
"--in-interface", iface, "--in-interface", iface,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
return 0; return 0;
} }
@ -459,28 +459,28 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
return -1; return -1;
if (physdev && physdev[0]) if (physdev && physdev[0])
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN, VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr, "--destination", networkstr,
"--in-interface", physdev, "--in-interface", physdev,
"--out-interface", iface, "--out-interface", iface,
"--match", "conntrack", "--match", "conntrack",
"--ctstate", "ESTABLISHED,RELATED", "--ctstate", "ESTABLISHED,RELATED",
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
else else
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN, VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr, "--destination", networkstr,
"--out-interface", iface, "--out-interface", iface,
"--match", "conntrack", "--match", "conntrack",
"--ctstate", "ESTABLISHED,RELATED", "--ctstate", "ESTABLISHED,RELATED",
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
return 0; return 0;
} }
@ -551,24 +551,24 @@ iptablesForwardAllowIn(virFirewall *fw,
return -1; return -1;
if (physdev && physdev[0]) if (physdev && physdev[0])
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN, VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr, "--destination", networkstr,
"--in-interface", physdev, "--in-interface", physdev,
"--out-interface", iface, "--out-interface", iface,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
else else
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN, VIR_IPTABLES_FWD_IN_CHAIN,
"--destination", networkstr, "--destination", networkstr,
"--out-interface", iface, "--out-interface", iface,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
return 0; return 0;
} }
@ -626,14 +626,14 @@ iptablesForwardAllowCross(virFirewall *fw,
const char *iface, const char *iface,
int action) int action)
{ {
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_X_CHAIN, VIR_IPTABLES_FWD_X_CHAIN,
"--in-interface", iface, "--in-interface", iface,
"--out-interface", iface, "--out-interface", iface,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
} }
/** /**
@ -680,13 +680,13 @@ iptablesForwardRejectOut(virFirewall *fw,
const char *iface, const char *iface,
int action) int action)
{ {
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_OUT_CHAIN, VIR_IPTABLES_FWD_OUT_CHAIN,
"--in-interface", iface, "--in-interface", iface,
"--jump", "REJECT", "--jump", "REJECT",
NULL); NULL);
} }
/** /**
@ -732,13 +732,13 @@ iptablesForwardRejectIn(virFirewall *fw,
const char *iface, const char *iface,
int action) int action)
{ {
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "filter", "--table", "filter",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_FWD_IN_CHAIN, VIR_IPTABLES_FWD_IN_CHAIN,
"--out-interface", iface, "--out-interface", iface,
"--jump", "REJECT", "--jump", "REJECT",
NULL); NULL);
} }
/** /**
@ -796,7 +796,7 @@ iptablesForwardMasquerade(virFirewall *fw,
g_autofree char *addrEndStr = NULL; g_autofree char *addrEndStr = NULL;
g_autofree char *portRangeStr = NULL; g_autofree char *portRangeStr = NULL;
g_autofree char *natRangeStr = NULL; g_autofree char *natRangeStr = NULL;
virFirewallRule *rule; virFirewallCmd *fwCmd;
int af = VIR_SOCKET_ADDR_FAMILY(netaddr); int af = VIR_SOCKET_ADDR_FAMILY(netaddr);
virFirewallLayer layer = af == AF_INET ? virFirewallLayer layer = af == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
@ -814,7 +814,7 @@ iptablesForwardMasquerade(virFirewall *fw,
} }
if (protocol && protocol[0]) { if (protocol && protocol[0]) {
rule = virFirewallAddRule(fw, layer, fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat", "--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN, VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
@ -823,7 +823,7 @@ iptablesForwardMasquerade(virFirewall *fw,
"!", "--destination", networkstr, "!", "--destination", networkstr,
NULL); NULL);
} else { } else {
rule = virFirewallAddRule(fw, layer, fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat", "--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN, VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
@ -833,7 +833,7 @@ iptablesForwardMasquerade(virFirewall *fw,
} }
if (physdev && physdev[0]) if (physdev && physdev[0])
virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL); virFirewallCmdAddArgList(fw, fwCmd, "--out-interface", physdev, NULL);
if (protocol && protocol[0]) { if (protocol && protocol[0]) {
if (port->start == 0 && port->end == 0) { if (port->start == 0 && port->end == 0) {
@ -861,16 +861,16 @@ iptablesForwardMasquerade(virFirewall *fw,
portRangeStr ? portRangeStr : ""); portRangeStr ? portRangeStr : "");
} }
virFirewallRuleAddArgList(fw, rule, virFirewallCmdAddArgList(fw, fwCmd,
"--jump", "SNAT", "--jump", "SNAT",
"--to-source", natRangeStr, NULL); "--to-source", natRangeStr, NULL);
} else { } else {
virFirewallRuleAddArgList(fw, rule, virFirewallCmdAddArgList(fw, fwCmd,
"--jump", "MASQUERADE", NULL); "--jump", "MASQUERADE", NULL);
if (portRangeStr && portRangeStr[0]) if (portRangeStr && portRangeStr[0])
virFirewallRuleAddArgList(fw, rule, virFirewallCmdAddArgList(fw, fwCmd,
"--to-ports", &portRangeStr[1], NULL); "--to-ports", &portRangeStr[1], NULL);
} }
return 0; return 0;
@ -950,24 +950,24 @@ iptablesForwardDontMasquerade(virFirewall *fw,
return -1; return -1;
if (physdev && physdev[0]) if (physdev && physdev[0])
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "nat", "--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN, VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", physdev, "--out-interface", physdev,
"--source", networkstr, "--source", networkstr,
"--destination", destaddr, "--destination", destaddr,
"--jump", "RETURN", "--jump", "RETURN",
NULL); NULL);
else else
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"--table", "nat", "--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN, VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--source", networkstr, "--source", networkstr,
"--destination", destaddr, "--destination", destaddr,
"--jump", "RETURN", "--jump", "RETURN",
NULL); NULL);
return 0; return 0;
} }
@ -1032,15 +1032,15 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
{ {
g_autofree char *portstr = g_strdup_printf("%d", port); g_autofree char *portstr = g_strdup_printf("%d", port);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"--table", "mangle", "--table", "mangle",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete", action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN, VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"--out-interface", iface, "--out-interface", iface,
"--protocol", "udp", "--protocol", "udp",
"--destination-port", portstr, "--destination-port", portstr,
"--jump", "CHECKSUM", "--checksum-fill", "--jump", "CHECKSUM", "--checksum-fill",
NULL); NULL);
} }
/** /**

988
src/nwfilter/nwfilter_ebiptables_driver.c
View File

File diff suppressed because it is too large Load Diff

32
src/util/virebtables.c
View File

@ -81,17 +81,17 @@ ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
g_autoptr(virFirewall) fw = virFirewallNew(); g_autoptr(virFirewall) fw = virFirewallNew();
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
"--new-chain", ctx->chain, "--new-chain", ctx->chain,
NULL); NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
"--insert", "FORWARD", "--insert", "FORWARD",
"--jump", ctx->chain, NULL); "--jump", ctx->chain, NULL);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
"-P", ctx->chain, "DROP", "-P", ctx->chain, "DROP",
NULL); NULL);
return virFirewallApply(fw); return virFirewallApply(fw);
} }
@ -109,13 +109,13 @@ ebtablesForwardAllowIn(ebtablesContext *ctx,
g_autoptr(virFirewall) fw = virFirewallNew(); g_autoptr(virFirewall) fw = virFirewallNew();
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
action == ADD ? "--insert" : "--delete", action == ADD ? "--insert" : "--delete",
ctx->chain, ctx->chain,
"--in-interface", iface, "--in-interface", iface,
"--source", macaddr, "--source", macaddr,
"--jump", "ACCEPT", "--jump", "ACCEPT",
NULL); NULL);
return virFirewallApply(fw); return virFirewallApply(fw);
} }

223
src/util/virfirewall.c
View File

@ -45,7 +45,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand,
IP6TABLES, IP6TABLES,
); );
struct _virFirewallRule { struct _virFirewallCmd {
virFirewallLayer layer; virFirewallLayer layer;
virFirewallQueryCallback queryCB; virFirewallQueryCallback queryCB;
@ -62,10 +62,10 @@ struct _virFirewallGroup {
unsigned int rollbackFlags; unsigned int rollbackFlags;
size_t naction; size_t naction;
virFirewallRule **action; virFirewallCmd **action;
size_t nrollback; size_t nrollback;
virFirewallRule **rollback; virFirewallCmd **rollback;
bool addingRollback; bool addingRollback;
}; };
@ -79,7 +79,7 @@ struct _virFirewall {
size_t currentGroup; size_t currentGroup;
}; };
static virMutex ruleLock = VIR_MUTEX_INITIALIZER; static virMutex fwCmdLock = VIR_MUTEX_INITIALIZER;
static virFirewallGroup * static virFirewallGroup *
virFirewallGroupNew(void) virFirewallGroupNew(void)
@ -107,17 +107,17 @@ virFirewall *virFirewallNew(void)
static void static void
virFirewallRuleFree(virFirewallRule *rule) virFirewallCmdFree(virFirewallCmd *fwCmd)
{ {
size_t i; size_t i;
if (!rule) if (!fwCmd)
return; return;
for (i = 0; i < rule->argsLen; i++) for (i = 0; i < fwCmd->argsLen; i++)
g_free(rule->args[i]); g_free(fwCmd->args[i]);
g_free(rule->args); g_free(fwCmd->args);
g_free(rule); g_free(fwCmd);
} }
@ -130,11 +130,11 @@ virFirewallGroupFree(virFirewallGroup *group)
return; return;
for (i = 0; i < group->naction; i++) for (i = 0; i < group->naction; i++)
virFirewallRuleFree(group->action[i]); virFirewallCmdFree(group->action[i]);
g_free(group->action); g_free(group->action);
for (i = 0; i < group->nrollback; i++) for (i = 0; i < group->nrollback; i++)
virFirewallRuleFree(group->rollback[i]); virFirewallCmdFree(group->rollback[i]);
g_free(group->rollback); g_free(group->rollback);
g_free(group); g_free(group);
@ -167,9 +167,9 @@ void virFirewallFree(virFirewall *firewall)
return; \ return; \
} while (0) } while (0)
#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule)\ #define VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd)\
do { \ do { \
if (!firewall || firewall->err || !rule) \ if (!firewall || firewall->err || !fwCmd) \
return; \ return; \
} while (0) } while (0)
@ -179,22 +179,22 @@ void virFirewallFree(virFirewall *firewall)
return NULL; \ return NULL; \
} while (0) } while (0)
#define ADD_ARG(rule, str) \ #define ADD_ARG(fwCmd, str) \
do { \ do { \
VIR_RESIZE_N(rule->args, rule->argsAlloc, rule->argsLen, 1); \ VIR_RESIZE_N(fwCmd->args, fwCmd->argsAlloc, fwCmd->argsLen, 1); \
rule->args[rule->argsLen++] = g_strdup(str); \ fwCmd->args[fwCmd->argsLen++] = g_strdup(str); \
} while (0) } while (0)
static virFirewallRule * static virFirewallCmd *
virFirewallAddRuleFullV(virFirewall *firewall, virFirewallAddCmdFullV(virFirewall *firewall,
virFirewallLayer layer, virFirewallLayer layer,
bool ignoreErrors, bool ignoreErrors,
virFirewallQueryCallback cb, virFirewallQueryCallback cb,
void *opaque, void *opaque,
va_list args) va_list args)
{ {
virFirewallGroup *group; virFirewallGroup *group;
virFirewallRule *rule; virFirewallCmd *fwCmd;
char *str; char *str;
VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall); VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall);
@ -206,43 +206,43 @@ virFirewallAddRuleFullV(virFirewall *firewall,
group = firewall->groups[firewall->currentGroup]; group = firewall->groups[firewall->currentGroup];
rule = g_new0(virFirewallRule, 1); fwCmd = g_new0(virFirewallCmd, 1);
rule->layer = layer; fwCmd->layer = layer;
rule->queryCB = cb; fwCmd->queryCB = cb;
rule->queryOpaque = opaque; fwCmd->queryOpaque = opaque;
rule->ignoreErrors = ignoreErrors; fwCmd->ignoreErrors = ignoreErrors;
switch (rule->layer) { switch (fwCmd->layer) {
case VIR_FIREWALL_LAYER_ETHERNET: case VIR_FIREWALL_LAYER_ETHERNET:
ADD_ARG(rule, "--concurrent"); ADD_ARG(fwCmd, "--concurrent");
break; break;
case VIR_FIREWALL_LAYER_IPV4: case VIR_FIREWALL_LAYER_IPV4:
ADD_ARG(rule, "-w"); ADD_ARG(fwCmd, "-w");
break; break;
case VIR_FIREWALL_LAYER_IPV6: case VIR_FIREWALL_LAYER_IPV6:
ADD_ARG(rule, "-w"); ADD_ARG(fwCmd, "-w");
break; break;
case VIR_FIREWALL_LAYER_LAST: case VIR_FIREWALL_LAYER_LAST:
break; break;
} }
while ((str = va_arg(args, char *)) != NULL) while ((str = va_arg(args, char *)) != NULL)
ADD_ARG(rule, str); ADD_ARG(fwCmd, str);
if (group->addingRollback) { if (group->addingRollback) {
VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule); VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd);
} else { } else {
VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule); VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd);
} }
return rule; return fwCmd;
} }
/** /**
* virFirewallAddRuleFull: * virFirewallAddCmdFull:
* @firewall: firewall ruleset to add to * @firewall: firewall ruleset to add to
* @layer: the firewall layer to change * @layer: the firewall layer to change
* @ignoreErrors: true to ignore failure of the command * @ignoreErrors: true to ignore failure of the command
@ -253,7 +253,7 @@ virFirewallAddRuleFullV(virFirewall *firewall,
* Add any type of rule to the firewall ruleset. Any output * Add any type of rule to the firewall ruleset. Any output
* generated by the addition will be fed into the query * generated by the addition will be fed into the query
* callback @cb. This callback is permitted to create new * callback @cb. This callback is permitted to create new
* rules by invoking the virFirewallAddRule method, but * rules by invoking the virFirewallAddCmd method, but
* is not permitted to start new transactions. * is not permitted to start new transactions.
* *
* If @ignoreErrors is set to TRUE, then any failure of * If @ignoreErrors is set to TRUE, then any failure of
@ -263,31 +263,31 @@ virFirewallAddRuleFullV(virFirewall *firewall,
* *
* Returns the new rule * Returns the new rule
*/ */
virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
virFirewallLayer layer, virFirewallLayer layer,
bool ignoreErrors, bool ignoreErrors,
virFirewallQueryCallback cb, virFirewallQueryCallback cb,
void *opaque, void *opaque,
...) ...)
{ {
virFirewallRule *rule; virFirewallCmd *fwCmd;
va_list args; va_list args;
va_start(args, opaque); va_start(args, opaque);
rule = virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, opaque, args); fwCmd = virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, opaque, args);
va_end(args); va_end(args);
return rule; return fwCmd;
} }
/** /**
* virFirewallRemoveRule: * virFirewallRemoveCmd:
* @firewall: firewall ruleset to remove from * @firewall: firewall ruleset to remove from
* @rule: the rule to remove * @rule: the rule to remove
* *
* Remove a rule from the current transaction * Remove a rule from the current transaction
*/ */
void virFirewallRemoveRule(virFirewall *firewall, void virFirewallRemoveCmd(virFirewall *firewall,
virFirewallRule *rule) virFirewallCmd *fwCmd)
{ {
size_t i; size_t i;
virFirewallGroup *group; virFirewallGroup *group;
@ -306,21 +306,21 @@ void virFirewallRemoveRule(virFirewall *firewall,
if (group->addingRollback) { if (group->addingRollback) {
for (i = 0; i < group->nrollback; i++) { for (i = 0; i < group->nrollback; i++) {
if (group->rollback[i] == rule) { if (group->rollback[i] == fwCmd) {
VIR_DELETE_ELEMENT(group->rollback, VIR_DELETE_ELEMENT(group->rollback,
i, i,
group->nrollback); group->nrollback);
virFirewallRuleFree(rule); virFirewallCmdFree(fwCmd);
break; break;
} }
} }
} else { } else {
for (i = 0; i < group->naction; i++) { for (i = 0; i < group->naction; i++) {
if (group->action[i] == rule) { if (group->action[i] == fwCmd) {
VIR_DELETE_ELEMENT(group->action, VIR_DELETE_ELEMENT(group->action,
i, i,
group->naction); group->naction);
virFirewallRuleFree(rule); virFirewallCmdFree(fwCmd);
return; return;
} }
} }
@ -328,45 +328,45 @@ void virFirewallRemoveRule(virFirewall *firewall,
} }
void virFirewallRuleAddArg(virFirewall *firewall, void virFirewallCmdAddArg(virFirewall *firewall,
virFirewallRule *rule, virFirewallCmd *fwCmd,
const char *arg) const char *arg)
{ {
VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
ADD_ARG(rule, arg); ADD_ARG(fwCmd, arg);
return; return;
} }
void virFirewallRuleAddArgFormat(virFirewall *firewall, void virFirewallCmdAddArgFormat(virFirewall *firewall,
virFirewallRule *rule, virFirewallCmd *fwCmd,
const char *fmt, ...) const char *fmt, ...)
{ {
g_autofree char *arg = NULL; g_autofree char *arg = NULL;
va_list list; va_list list;
VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
va_start(list, fmt); va_start(list, fmt);
arg = g_strdup_vprintf(fmt, list); arg = g_strdup_vprintf(fmt, list);
va_end(list); va_end(list);
ADD_ARG(rule, arg); ADD_ARG(fwCmd, arg);
return; return;
} }
void virFirewallRuleAddArgSet(virFirewall *firewall, void virFirewallCmdAddArgSet(virFirewall *firewall,
virFirewallRule *rule, virFirewallCmd *fwCmd,
const char *const *args) const char *const *args)
{ {
VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
while (*args) { while (*args) {
ADD_ARG(rule, *args); ADD_ARG(fwCmd, *args);
args++; args++;
} }
@ -374,19 +374,19 @@ void virFirewallRuleAddArgSet(virFirewall *firewall,
} }
void virFirewallRuleAddArgList(virFirewall *firewall, void virFirewallCmdAddArgList(virFirewall *firewall,
virFirewallRule *rule, virFirewallCmd *fwCmd,
...) ...)
{ {
va_list list; va_list list;
const char *str; const char *str;
VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
va_start(list, rule); va_start(list, fwCmd);
while ((str = va_arg(list, char *)) != NULL) while ((str = va_arg(list, char *)) != NULL)
ADD_ARG(rule, str); ADD_ARG(fwCmd, str);
va_end(list); va_end(list);
@ -394,11 +394,11 @@ void virFirewallRuleAddArgList(virFirewall *firewall,
} }
size_t virFirewallRuleGetArgCount(virFirewallRule *rule) size_t virFirewallCmdGetArgCount(virFirewallCmd *fwCmd)
{ {
if (!rule) if (!fwCmd)
return 0; return 0;
return rule->argsLen; return fwCmd->argsLen;
} }
@ -462,16 +462,16 @@ void virFirewallStartRollback(virFirewall *firewall,
char * char *
virFirewallRuleToString(const char *cmd, virFirewallCmdToString(const char *cmd,
virFirewallRule *rule) virFirewallCmd *fwCmd)
{ {
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER; g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
size_t i; size_t i;
virBufferAdd(&buf, cmd, -1); virBufferAdd(&buf, cmd, -1);
for (i = 0; i < rule->argsLen; i++) { for (i = 0; i < fwCmd->argsLen; i++) {
virBufferAddLit(&buf, " "); virBufferAddLit(&buf, " ");
virBufferAdd(&buf, rule->args[i], -1); virBufferAdd(&buf, fwCmd->args[i], -1);
} }
return virBufferContentAndReset(&buf); return virBufferContentAndReset(&buf);
@ -479,12 +479,12 @@ virFirewallRuleToString(const char *cmd,
static int static int
virFirewallApplyRuleDirect(virFirewallRule *rule, virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
bool ignoreErrors, bool ignoreErrors,
char **output) char **output)
{ {
size_t i; size_t i;
const char *bin = virFirewallLayerCommandTypeToString(rule->layer); const char *bin = virFirewallLayerCommandTypeToString(fwCmd->layer);
g_autoptr(virCommand) cmd = NULL; g_autoptr(virCommand) cmd = NULL;
g_autofree char *cmdStr = NULL; g_autofree char *cmdStr = NULL;
int status; int status;
@ -493,17 +493,17 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
if (!bin) { if (!bin) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
_("Unknown firewall layer %1$d"), _("Unknown firewall layer %1$d"),
rule->layer); fwCmd->layer);
return -1; return -1;
} }
cmd = virCommandNewArgList(bin, NULL); cmd = virCommandNewArgList(bin, NULL);
for (i = 0; i < rule->argsLen; i++) for (i = 0; i < fwCmd->argsLen; i++)
virCommandAddArg(cmd, rule->args[i]); virCommandAddArg(cmd, fwCmd->args[i]);
cmdStr = virCommandToString(cmd, false); cmdStr = virCommandToString(cmd, false);
VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr));
virCommandSetOutputBuffer(cmd, output); virCommandSetOutputBuffer(cmd, output);
virCommandSetErrorBuffer(cmd, &error); virCommandSetErrorBuffer(cmd, &error);
@ -516,7 +516,7 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
VIR_DEBUG("Ignoring error running command"); VIR_DEBUG("Ignoring error running command");
} else { } else {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
_("Failed to apply firewall rules %1$s: %2$s"), _("Failed to run firewall command %1$s: %2$s"),
NULLSTR(cmdStr), NULLSTR(error)); NULLSTR(cmdStr), NULLSTR(error));
VIR_FREE(*output); VIR_FREE(*output);
return -1; return -1;
@ -528,30 +528,30 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
static int static int
virFirewallApplyRule(virFirewall *firewall, virFirewallApplyCmd(virFirewall *firewall,
virFirewallRule *rule, virFirewallCmd *fwCmd,
bool ignoreErrors) bool ignoreErrors)
{ {
g_autofree char *output = NULL; g_autofree char *output = NULL;
g_auto(GStrv) lines = NULL; g_auto(GStrv) lines = NULL;
if (rule->ignoreErrors) if (fwCmd->ignoreErrors)
ignoreErrors = rule->ignoreErrors; ignoreErrors = fwCmd->ignoreErrors;
if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0)
return -1; return -1;
if (rule->queryCB && output) { if (fwCmd->queryCB && output) {
if (!(lines = g_strsplit(output, "\n", -1))) if (!(lines = g_strsplit(output, "\n", -1)))
return -1; return -1;
VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output); VIR_DEBUG("Invoking query %p with '%s'", fwCmd->queryCB, output);
if (rule->queryCB(firewall, rule->layer, (const char *const *)lines, rule->queryOpaque) < 0) if (fwCmd->queryCB(firewall, fwCmd->layer, (const char *const *)lines, fwCmd->queryOpaque) < 0)
return -1; return -1;
if (firewall->err) { if (firewall->err) {
virReportSystemError(firewall->err, "%s", virReportSystemError(firewall->err, "%s",
_("Unable to create rule")); _("Unable to create firewall command"));
return -1; return -1;
} }
@ -573,9 +573,9 @@ virFirewallApplyGroup(virFirewall *firewall,
firewall->currentGroup = idx; firewall->currentGroup = idx;
group->addingRollback = false; group->addingRollback = false;
for (i = 0; i < group->naction; i++) { for (i = 0; i < group->naction; i++) {
if (virFirewallApplyRule(firewall, if (virFirewallApplyCmd(firewall,
group->action[i], group->action[i],
ignoreErrors) < 0) ignoreErrors) < 0)
return -1; return -1;
} }
return 0; return 0;
@ -592,11 +592,8 @@ virFirewallRollbackGroup(virFirewall *firewall,
VIR_INFO("Starting rollback for group %p", group); VIR_INFO("Starting rollback for group %p", group);
firewall->currentGroup = idx; firewall->currentGroup = idx;
group->addingRollback = true; group->addingRollback = true;
for (i = 0; i < group->nrollback; i++) { for (i = 0; i < group->nrollback; i++)
ignore_value(virFirewallApplyRule(firewall, ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], true));
group->rollback[i],
true));
}
} }
@ -604,7 +601,7 @@ int
virFirewallApply(virFirewall *firewall) virFirewallApply(virFirewall *firewall)
{ {
size_t i, j; size_t i, j;
VIR_LOCK_GUARD lock = virLockGuardLock(&ruleLock); VIR_LOCK_GUARD lock = virLockGuardLock(&fwCmdLock);
if (!firewall || firewall->err) { if (!firewall || firewall->err) {
int err = EINVAL; int err = EINVAL;
@ -612,7 +609,7 @@ virFirewallApply(virFirewall *firewall)
if (firewall) if (firewall)
err = firewall->err; err = firewall->err;
virReportSystemError(err, "%s", _("Unable to create rule")); virReportSystemError(err, "%s", _("Unable to create firewall command"));
return -1; return -1;
} }

54
src/util/virfirewall.h
View File

@ -24,7 +24,7 @@
typedef struct _virFirewall virFirewall; typedef struct _virFirewall virFirewall;
typedef struct _virFirewallRule virFirewallRule; typedef struct _virFirewallCmd virFirewallCmd;
typedef enum { typedef enum {
VIR_FIREWALL_LAYER_ETHERNET, VIR_FIREWALL_LAYER_ETHERNET,
@ -39,7 +39,7 @@ virFirewall *virFirewallNew(void);
void virFirewallFree(virFirewall *firewall); void virFirewallFree(virFirewall *firewall);
/** /**
* virFirewallAddRule: * virFirewallAddCmd:
* @firewall: firewall ruleset to add to * @firewall: firewall ruleset to add to
* @layer: the firewall layer to change * @layer: the firewall layer to change
* @...: NULL terminated list of strings for the rule * @...: NULL terminated list of strings for the rule
@ -48,49 +48,49 @@ void virFirewallFree(virFirewall *firewall);
* *
* Returns the new rule * Returns the new rule
*/ */
#define virFirewallAddRule(firewall, layer, ...) \ #define virFirewallAddCmd(firewall, layer, ...) \
virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_ARGS__) virFirewallAddCmdFull(firewall, layer, false, NULL, NULL, __VA_ARGS__)
typedef int (*virFirewallQueryCallback)(virFirewall *firewall, typedef int (*virFirewallQueryCallback)(virFirewall *firewall,
virFirewallLayer layer, virFirewallLayer layer,
const char *const *lines, const char *const *lines,
void *opaque); void *opaque);
virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
virFirewallLayer layer, virFirewallLayer layer,
bool ignoreErrors, bool ignoreErrors,
virFirewallQueryCallback cb, virFirewallQueryCallback cb,
void *opaque, void *opaque,
...) ...)
G_GNUC_NULL_TERMINATED; G_GNUC_NULL_TERMINATED;
void virFirewallRemoveRule(virFirewall *firewall, void virFirewallRemoveCmd(virFirewall *firewall,
virFirewallRule *rule); virFirewallCmd *rule);
void virFirewallRuleAddArg(virFirewall *firewall, void virFirewallCmdAddArg(virFirewall *firewall,
virFirewallRule *rule, virFirewallCmd *rule,
const char *arg) const char *arg)
ATTRIBUTE_NONNULL(3); ATTRIBUTE_NONNULL(3);
void virFirewallRuleAddArgFormat(virFirewall *firewall, void virFirewallCmdAddArgFormat(virFirewall *firewall,
virFirewallRule *rule, virFirewallCmd *rule,
const char *fmt, ...) const char *fmt, ...)
ATTRIBUTE_NONNULL(3) G_GNUC_PRINTF(3, 4); ATTRIBUTE_NONNULL(3) G_GNUC_PRINTF(3, 4);
void virFirewallRuleAddArgSet(virFirewall *firewall, void virFirewallCmdAddArgSet(virFirewall *firewall,
virFirewallRule *rule, virFirewallCmd *rule,
const char *const *args) const char *const *args)
ATTRIBUTE_NONNULL(3); ATTRIBUTE_NONNULL(3);
void virFirewallRuleAddArgList(virFirewall *firewall, void virFirewallCmdAddArgList(virFirewall *firewall,
virFirewallRule *rule, virFirewallCmd *rule,
...) ...)
G_GNUC_NULL_TERMINATED; G_GNUC_NULL_TERMINATED;
size_t virFirewallRuleGetArgCount(virFirewallRule *rule); size_t virFirewallCmdGetArgCount(virFirewallCmd *rule);
char *virFirewallRuleToString(const char *cmd, char *virFirewallCmdToString(const char *cmd,
virFirewallRule *rule); virFirewallCmd *rule);
typedef enum { typedef enum {
/* Ignore all errors when applying rules, so no /* Ignore all errors when applying rules, so no

402
tests/virfirewalltest.c
View File

@ -74,15 +74,15 @@ testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0) if (virFirewallApply(fw) < 0)
return -1; return -1;
@ -107,28 +107,28 @@ testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED)
const char *expected = const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n"; IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n";
virFirewallRule *fwrule; virFirewallCmd *fwrule;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew(); g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL); virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL); "-A", "INPUT", NULL);
virFirewallRuleAddArg(fw, fwrule, "--source"); virFirewallCmdAddArg(fw, fwrule, "--source");
virFirewallRemoveRule(fw, fwrule); virFirewallRemoveCmd(fw, fwrule);
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL); "-A", "INPUT", NULL);
virFirewallRuleAddArg(fw, fwrule, "--source"); virFirewallCmdAddArg(fw, fwrule, "--source");
virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1"); virFirewallCmdAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL); virFirewallCmdAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0) if (virFirewallApply(fw) < 0)
return -1; return -1;
@ -161,26 +161,26 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT", "-A", "OUTPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT", "-A", "OUTPUT",
"--jump", "DROP", NULL); "--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0) if (virFirewallApply(fw) < 0)
@ -235,26 +235,26 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.255", "--source", "192.168.122.255",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT", "-A", "OUTPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT", "-A", "OUTPUT",
"--jump", "DROP", NULL); "--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0) if (virFirewallApply(fw) < 0)
@ -288,25 +288,25 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
true, NULL, NULL, true, NULL, NULL,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.255", "--source", "192.168.122.255",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT", "-A", "OUTPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT", "-A", "OUTPUT",
"--jump", "DROP", NULL); "--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0) if (virFirewallApply(fw) < 0)
@ -338,20 +338,20 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.255", "--source", "192.168.122.255",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) { if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n"); fprintf(stderr, "Firewall apply unexpectedly worked\n");
@ -386,37 +386,37 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.255", "--source", "192.168.122.255",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0); virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "192.168.122.255", "--source", "192.168.122.255",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) { if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n"); fprintf(stderr, "Firewall apply unexpectedly worked\n");
@ -450,41 +450,41 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0); virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.255", "--source", "192.168.122.255",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0); virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "192.168.122.255", "--source", "192.168.122.255",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) { if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n"); fprintf(stderr, "Firewall apply unexpectedly worked\n");
@ -522,67 +522,67 @@ testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0); virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.127", "--source", "192.168.122.127",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0); virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "192.168.122.127", "--source", "192.168.122.127",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.255", "--source", "192.168.122.255",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS); virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "192.168.122.255", "--source", "192.168.122.255",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT", "-D", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) { if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n"); fprintf(stderr, "Firewall apply unexpectedly worked\n");
@ -656,10 +656,10 @@ testFirewallQueryCallback(virFirewall *fw,
void *opaque G_GNUC_UNUSED) void *opaque G_GNUC_UNUSED)
{ {
size_t i; size_t i;
virFirewallAddRule(fw, layer, virFirewallAddCmd(fw, layer,
"-A", "INPUT", "-A", "INPUT",
"--source", "!192.168.122.129", "--source", "!192.168.122.129",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
for (i = 0; lines[i] != NULL; i++) { for (i = 0; lines[i] != NULL; i++) {
if (expectedLineNum >= G_N_ELEMENTS(expectedLines)) { if (expectedLineNum >= G_N_ELEMENTS(expectedLines)) {
@ -703,46 +703,46 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED)
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.1", "--source", "192.168.122.1",
"--jump", "ACCEPT", NULL); "--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.127", "--source", "192.168.122.127",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
false, false,
testFirewallQueryCallback, testFirewallQueryCallback,
NULL, NULL,
"-L", NULL); "-L", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
false, false,
testFirewallQueryCallback, testFirewallQueryCallback,
NULL, NULL,
"-t", "nat", "-L", NULL); "-t", "nat", "-L", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.130", "--source", "192.168.122.130",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0); virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "192.168.122.128", "--source", "192.168.122.128",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", "-A", "INPUT",
"--source", "!192.168.122.1", "--source", "!192.168.122.1",
"--jump", "REJECT", NULL); "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0) if (virFirewallApply(fw) < 0)
return -1; return -1;