nwfilter: reorder match extensions relative to state match
This patch reorders the connlimit and comment match extensions relative to the state match (-m state), since connlimit is most useful when it follows a -m state --state NEW rather than precedes it.
This commit is contained in:
parent
f7bec64913
commit
13e9ba7c2b
@ -862,6 +862,7 @@ err_exit:
|
|||||||
|
|
||||||
static int
|
static int
|
||||||
iptablesHandleIpHdr(virBufferPtr buf,
|
iptablesHandleIpHdr(virBufferPtr buf,
|
||||||
|
virBufferPtr afterStateMatch,
|
||||||
virNWFilterHashTablePtr vars,
|
virNWFilterHashTablePtr vars,
|
||||||
ipHdrDataDefPtr ipHdr,
|
ipHdrDataDefPtr ipHdr,
|
||||||
int directionIn,
|
int directionIn,
|
||||||
@ -1005,7 +1006,9 @@ iptablesHandleIpHdr(virBufferPtr buf,
|
|||||||
&ipHdr->dataConnlimitAbove))
|
&ipHdr->dataConnlimitAbove))
|
||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
virBufferVSprintf(buf,
|
/* place connlimit after potential -m state --state ...
|
||||||
|
since this is the most useful order */
|
||||||
|
virBufferVSprintf(afterStateMatch,
|
||||||
" -m connlimit %s --connlimit-above %s",
|
" -m connlimit %s --connlimit-above %s",
|
||||||
ENTRY_GET_NEG_SIGN(&ipHdr->dataConnlimitAbove),
|
ENTRY_GET_NEG_SIGN(&ipHdr->dataConnlimitAbove),
|
||||||
number);
|
number);
|
||||||
@ -1016,7 +1019,9 @@ iptablesHandleIpHdr(virBufferPtr buf,
|
|||||||
if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
|
if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
|
||||||
printCommentVar(prefix, ipHdr->dataComment.u.string);
|
printCommentVar(prefix, ipHdr->dataComment.u.string);
|
||||||
|
|
||||||
virBufferAddLit(buf,
|
/* keep comments behind everything else -- they are packet eval.
|
||||||
|
no-ops */
|
||||||
|
virBufferAddLit(afterStateMatch,
|
||||||
" -m comment --comment \"$" COMMENT_VARNAME "\"");
|
" -m comment --comment \"$" COMMENT_VARNAME "\"");
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1024,6 +1029,7 @@ iptablesHandleIpHdr(virBufferPtr buf,
|
|||||||
|
|
||||||
err_exit:
|
err_exit:
|
||||||
virBufferFreeAndReset(buf);
|
virBufferFreeAndReset(buf);
|
||||||
|
virBufferFreeAndReset(afterStateMatch);
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
@ -1148,6 +1154,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
char number[20];
|
char number[20];
|
||||||
virBuffer prefix = VIR_BUFFER_INITIALIZER;
|
virBuffer prefix = VIR_BUFFER_INITIALIZER;
|
||||||
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
||||||
|
virBuffer afterStateMatch = VIR_BUFFER_INITIALIZER;
|
||||||
virBufferPtr final = NULL;
|
virBufferPtr final = NULL;
|
||||||
const char *target;
|
const char *target;
|
||||||
const char *iptables_cmd = (isIPv6) ? ip6tables_cmd_path
|
const char *iptables_cmd = (isIPv6) ? ip6tables_cmd_path
|
||||||
@ -1188,6 +1195,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
if (iptablesHandleIpHdr(&buf,
|
if (iptablesHandleIpHdr(&buf,
|
||||||
|
&afterStateMatch,
|
||||||
vars,
|
vars,
|
||||||
&rule->p.tcpHdrFilter.ipHdr,
|
&rule->p.tcpHdrFilter.ipHdr,
|
||||||
directionIn,
|
directionIn,
|
||||||
@ -1234,6 +1242,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
if (iptablesHandleIpHdr(&buf,
|
if (iptablesHandleIpHdr(&buf,
|
||||||
|
&afterStateMatch,
|
||||||
vars,
|
vars,
|
||||||
&rule->p.udpHdrFilter.ipHdr,
|
&rule->p.udpHdrFilter.ipHdr,
|
||||||
directionIn,
|
directionIn,
|
||||||
@ -1267,6 +1276,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
if (iptablesHandleIpHdr(&buf,
|
if (iptablesHandleIpHdr(&buf,
|
||||||
|
&afterStateMatch,
|
||||||
vars,
|
vars,
|
||||||
&rule->p.udpliteHdrFilter.ipHdr,
|
&rule->p.udpliteHdrFilter.ipHdr,
|
||||||
directionIn,
|
directionIn,
|
||||||
@ -1295,6 +1305,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
if (iptablesHandleIpHdr(&buf,
|
if (iptablesHandleIpHdr(&buf,
|
||||||
|
&afterStateMatch,
|
||||||
vars,
|
vars,
|
||||||
&rule->p.espHdrFilter.ipHdr,
|
&rule->p.espHdrFilter.ipHdr,
|
||||||
directionIn,
|
directionIn,
|
||||||
@ -1323,6 +1334,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
if (iptablesHandleIpHdr(&buf,
|
if (iptablesHandleIpHdr(&buf,
|
||||||
|
&afterStateMatch,
|
||||||
vars,
|
vars,
|
||||||
&rule->p.ahHdrFilter.ipHdr,
|
&rule->p.ahHdrFilter.ipHdr,
|
||||||
directionIn,
|
directionIn,
|
||||||
@ -1351,6 +1363,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
if (iptablesHandleIpHdr(&buf,
|
if (iptablesHandleIpHdr(&buf,
|
||||||
|
&afterStateMatch,
|
||||||
vars,
|
vars,
|
||||||
&rule->p.sctpHdrFilter.ipHdr,
|
&rule->p.sctpHdrFilter.ipHdr,
|
||||||
directionIn,
|
directionIn,
|
||||||
@ -1387,6 +1400,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
if (iptablesHandleIpHdr(&buf,
|
if (iptablesHandleIpHdr(&buf,
|
||||||
|
&afterStateMatch,
|
||||||
vars,
|
vars,
|
||||||
&rule->p.icmpHdrFilter.ipHdr,
|
&rule->p.icmpHdrFilter.ipHdr,
|
||||||
directionIn,
|
directionIn,
|
||||||
@ -1449,6 +1463,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
if (iptablesHandleIpHdr(&buf,
|
if (iptablesHandleIpHdr(&buf,
|
||||||
|
&afterStateMatch,
|
||||||
vars,
|
vars,
|
||||||
&rule->p.igmpHdrFilter.ipHdr,
|
&rule->p.igmpHdrFilter.ipHdr,
|
||||||
directionIn,
|
directionIn,
|
||||||
@ -1477,6 +1492,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
goto err_exit;
|
goto err_exit;
|
||||||
|
|
||||||
if (iptablesHandleIpHdr(&buf,
|
if (iptablesHandleIpHdr(&buf,
|
||||||
|
&afterStateMatch,
|
||||||
vars,
|
vars,
|
||||||
&rule->p.allHdrFilter.ipHdr,
|
&rule->p.allHdrFilter.ipHdr,
|
||||||
directionIn,
|
directionIn,
|
||||||
@ -1512,6 +1528,22 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
rule,
|
rule,
|
||||||
&buf);
|
&buf);
|
||||||
|
|
||||||
|
if (virBufferError(&afterStateMatch)) {
|
||||||
|
virBufferFreeAndReset(&buf);
|
||||||
|
virBufferFreeAndReset(&prefix);
|
||||||
|
virBufferFreeAndReset(&afterStateMatch);
|
||||||
|
virReportOOMError();
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (virBufferUse(&afterStateMatch)) {
|
||||||
|
char *s = virBufferContentAndReset(&afterStateMatch);
|
||||||
|
|
||||||
|
virBufferAdd(&buf, s, -1);
|
||||||
|
|
||||||
|
VIR_FREE(s);
|
||||||
|
}
|
||||||
|
|
||||||
virBufferVSprintf(&buf,
|
virBufferVSprintf(&buf,
|
||||||
" -j %s" CMD_DEF_POST CMD_SEPARATOR
|
" -j %s" CMD_DEF_POST CMD_SEPARATOR
|
||||||
CMD_EXEC,
|
CMD_EXEC,
|
||||||
@ -1553,12 +1585,14 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
err_exit:
|
err_exit:
|
||||||
virBufferFreeAndReset(&buf);
|
virBufferFreeAndReset(&buf);
|
||||||
virBufferFreeAndReset(&prefix);
|
virBufferFreeAndReset(&prefix);
|
||||||
|
virBufferFreeAndReset(&afterStateMatch);
|
||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
exit_no_error:
|
exit_no_error:
|
||||||
virBufferFreeAndReset(&buf);
|
virBufferFreeAndReset(&buf);
|
||||||
virBufferFreeAndReset(&prefix);
|
virBufferFreeAndReset(&prefix);
|
||||||
|
virBufferFreeAndReset(&afterStateMatch);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
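Review bot: The OOM branch added right after the `&buf);` call in _iptablesCreateRuleInstance duplicates the cleanup that the function's `err_exit` label already performs — the same three `virBufferFreeAndReset` calls and `return -1` appear in the `err_exit` hunk further down — so the block can collapse to `if (virBufferError(&afterStateMatch)) { virReportOOMError(); goto err_exit; }`. A single exit path also means any buffer added to this function later needs freeing in one place only. Checking the error flag on `afterStateMatch` before appending it to `buf` is the right order, but the subsequent `virBufferAdd(&buf, s, -1)` can itself flag an allocation failure on `buf`; I assume the existing `virBufferError(&buf)` check sits after this point outside the hunk, which is worth confirming. The body of _iptablesCreateRuleInstance starts and ends outside this hunk.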