nwfilter: reorder match extensions relative to state match

This patch reorders the connlimit and comment match extensions relative to the state match (-m state): connlimit is most useful when it appears after a -m state --state NEW match rather than before it.
Stefan Berger 2011-02-14 14:10:24 -05:00
parent f7bec64913
commit 13e9ba7c2b


@ -862,6 +862,7 @@ err_exit:
static int static int
iptablesHandleIpHdr(virBufferPtr buf, iptablesHandleIpHdr(virBufferPtr buf,
virBufferPtr afterStateMatch,
virNWFilterHashTablePtr vars, virNWFilterHashTablePtr vars,
ipHdrDataDefPtr ipHdr, ipHdrDataDefPtr ipHdr,
int directionIn, int directionIn,
@ -1005,7 +1006,9 @@ iptablesHandleIpHdr(virBufferPtr buf,
&ipHdr->dataConnlimitAbove)) &ipHdr->dataConnlimitAbove))
goto err_exit; goto err_exit;
virBufferVSprintf(buf, /* place connlimit after potential -m state --state ...
since this is the most useful order */
virBufferVSprintf(afterStateMatch,
" -m connlimit %s --connlimit-above %s", " -m connlimit %s --connlimit-above %s",
ENTRY_GET_NEG_SIGN(&ipHdr->dataConnlimitAbove), ENTRY_GET_NEG_SIGN(&ipHdr->dataConnlimitAbove),
number); number);
@ -1016,7 +1019,9 @@ iptablesHandleIpHdr(virBufferPtr buf,
if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) { if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
printCommentVar(prefix, ipHdr->dataComment.u.string); printCommentVar(prefix, ipHdr->dataComment.u.string);
virBufferAddLit(buf, /* keep comments behind everything else -- they are packet eval.
no-ops */
virBufferAddLit(afterStateMatch,
" -m comment --comment \"$" COMMENT_VARNAME "\""); " -m comment --comment \"$" COMMENT_VARNAME "\"");
} }
@ -1024,6 +1029,7 @@ iptablesHandleIpHdr(virBufferPtr buf,
err_exit: err_exit:
virBufferFreeAndReset(buf); virBufferFreeAndReset(buf);
virBufferFreeAndReset(afterStateMatch);
return 1; return 1;
} }
@ -1148,6 +1154,7 @@ _iptablesCreateRuleInstance(int directionIn,
char number[20]; char number[20];
virBuffer prefix = VIR_BUFFER_INITIALIZER; virBuffer prefix = VIR_BUFFER_INITIALIZER;
virBuffer buf = VIR_BUFFER_INITIALIZER; virBuffer buf = VIR_BUFFER_INITIALIZER;
virBuffer afterStateMatch = VIR_BUFFER_INITIALIZER;
virBufferPtr final = NULL; virBufferPtr final = NULL;
const char *target; const char *target;
const char *iptables_cmd = (isIPv6) ? ip6tables_cmd_path const char *iptables_cmd = (isIPv6) ? ip6tables_cmd_path
@ -1188,6 +1195,7 @@ _iptablesCreateRuleInstance(int directionIn,
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
&afterStateMatch,
vars, vars,
&rule->p.tcpHdrFilter.ipHdr, &rule->p.tcpHdrFilter.ipHdr,
directionIn, directionIn,
@ -1234,6 +1242,7 @@ _iptablesCreateRuleInstance(int directionIn,
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
&afterStateMatch,
vars, vars,
&rule->p.udpHdrFilter.ipHdr, &rule->p.udpHdrFilter.ipHdr,
directionIn, directionIn,
@ -1267,6 +1276,7 @@ _iptablesCreateRuleInstance(int directionIn,
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
&afterStateMatch,
vars, vars,
&rule->p.udpliteHdrFilter.ipHdr, &rule->p.udpliteHdrFilter.ipHdr,
directionIn, directionIn,
@ -1295,6 +1305,7 @@ _iptablesCreateRuleInstance(int directionIn,
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
&afterStateMatch,
vars, vars,
&rule->p.espHdrFilter.ipHdr, &rule->p.espHdrFilter.ipHdr,
directionIn, directionIn,
@ -1323,6 +1334,7 @@ _iptablesCreateRuleInstance(int directionIn,
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
&afterStateMatch,
vars, vars,
&rule->p.ahHdrFilter.ipHdr, &rule->p.ahHdrFilter.ipHdr,
directionIn, directionIn,
@ -1351,6 +1363,7 @@ _iptablesCreateRuleInstance(int directionIn,
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
&afterStateMatch,
vars, vars,
&rule->p.sctpHdrFilter.ipHdr, &rule->p.sctpHdrFilter.ipHdr,
directionIn, directionIn,
@ -1387,6 +1400,7 @@ _iptablesCreateRuleInstance(int directionIn,
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
&afterStateMatch,
vars, vars,
&rule->p.icmpHdrFilter.ipHdr, &rule->p.icmpHdrFilter.ipHdr,
directionIn, directionIn,
@ -1449,6 +1463,7 @@ _iptablesCreateRuleInstance(int directionIn,
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
&afterStateMatch,
vars, vars,
&rule->p.igmpHdrFilter.ipHdr, &rule->p.igmpHdrFilter.ipHdr,
directionIn, directionIn,
@ -1477,6 +1492,7 @@ _iptablesCreateRuleInstance(int directionIn,
goto err_exit; goto err_exit;
if (iptablesHandleIpHdr(&buf, if (iptablesHandleIpHdr(&buf,
&afterStateMatch,
vars, vars,
&rule->p.allHdrFilter.ipHdr, &rule->p.allHdrFilter.ipHdr,
directionIn, directionIn,
@ -1512,6 +1528,22 @@ _iptablesCreateRuleInstance(int directionIn,
rule, rule,
&buf); &buf);
if (virBufferError(&afterStateMatch)) {
virBufferFreeAndReset(&buf);
virBufferFreeAndReset(&prefix);
virBufferFreeAndReset(&afterStateMatch);
virReportOOMError();
return -1;
}
if (virBufferUse(&afterStateMatch)) {
char *s = virBufferContentAndReset(&afterStateMatch);
virBufferAdd(&buf, s, -1);
VIR_FREE(s);
}
virBufferVSprintf(&buf, virBufferVSprintf(&buf,
" -j %s" CMD_DEF_POST CMD_SEPARATOR " -j %s" CMD_DEF_POST CMD_SEPARATOR
CMD_EXEC, CMD_EXEC,
@ -1553,12 +1585,14 @@ _iptablesCreateRuleInstance(int directionIn,
err_exit: err_exit:
virBufferFreeAndReset(&buf); virBufferFreeAndReset(&buf);
virBufferFreeAndReset(&prefix); virBufferFreeAndReset(&prefix);
virBufferFreeAndReset(&afterStateMatch);
return -1; return -1;
exit_no_error: exit_no_error:
virBufferFreeAndReset(&buf); virBufferFreeAndReset(&buf);
virBufferFreeAndReset(&prefix); virBufferFreeAndReset(&prefix);
virBufferFreeAndReset(&afterStateMatch);
return 0; return 0;
} }
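Review bot: The OOM branch added after the virBufferError(&afterStateMatch) check in _iptablesCreateRuleInstance repeats the three virBufferFreeAndReset calls that the err_exit label already performs now that afterStateMatch was added there, so the inline cleanup can drift out of sync with the label; `virReportOOMError(); goto err_exit;` reaches the same state through one path, since err_exit visibly only frees the three buffers and returns -1. The new afterStateMatch parameter of iptablesHandleIpHdr also carries no comment on its contract, which matters because the caller is expected to merge it into buf only after the state match has been emitted; a line such as `/* afterStateMatch: matches (connlimit, comment) the caller appends after any -m state match */` above the signature would make that split explicit. Both functions span several hunks whose intervening lines are outside this view.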