From 2deb74f1fecb5121483900b8ddea5ff6239489d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Wed, 31 Oct 2018 18:51:34 +0000 Subject: [PATCH] util: refactor iptables APIs to share more code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Most of the iptables APIs share code for the add/delete paths, but a couple were separated. Merge the remaining APIs to facilitate future changes. Reviewed-by: Laine Stump Signed-off-by: Daniel P. Berrangé --- src/util/viriptables.c | 73 ++++++++++++++++++++++++------------------ 1 file changed, 42 insertions(+), 31 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 5dbea8cf57..f379844d28 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE); } +static void +iptablesForwardAllowCross(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int action) +{ + virFirewallAddRule(fw, layer, + "--table", "filter", + action == ADD ? "--insert" : "--delete", "FORWARD", + "--in-interface", iface, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); +} + /** * iptablesAddForwardAllowCross: * @ctx: pointer to the IP table context @@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--insert", "FORWARD", - "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + iptablesForwardAllowCross(fw, layer, iface, ADD); } /** 
@@ -535,13 +544,21 @@ void iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) +{ + iptablesForwardAllowCross(fw, layer, iface, REMOVE); +} + +static void +iptablesForwardRejectOut(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int action) { virFirewallAddRule(fw, layer, "--table", "filter", - "--delete", "FORWARD", + action == ADD ? "--insert" : "delete", "FORWARD", "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", + "--jump", "REJECT", NULL); } @@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--insert", "FORWARD", - "--in-interface", iface, - "--jump", "REJECT", - NULL); + iptablesForwardRejectOut(fw, layer, iface, ADD); } /** @@ -582,16 +594,25 @@ void iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) +{ + iptablesForwardRejectOut(fw, layer, iface, REMOVE); +} + + +static void +iptablesForwardRejectIn(virFirewallPtr fw, + virFirewallLayer layer, + const char *iface, + int action) { virFirewallAddRule(fw, layer, "--table", "filter", - "--delete", "FORWARD", - "--in-interface", iface, + action == ADD ? "--insert" : "--delete", "FORWARD", + "--out-interface", iface, "--jump", "REJECT", NULL); } - /** * iptablesAddForwardRejectIn: * @ctx: pointer to the IP table context @@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--insert", "FORWARD", - "--out-interface", iface, - "--jump", "REJECT", - NULL); + iptablesForwardRejectIn(fw, layer, iface, ADD); } /** 
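Review bot: In the new static helper iptablesForwardRejectOut (hunk @@ -535,13 +544,21 @@) the REMOVE branch passes `"delete"` rather than `"--delete"`, so the generated command becomes `iptables --table filter delete FORWARD ...`, which iptables rejects as an unknown option/chain; the ADD branch and the sibling iptablesForwardAllowCross and iptablesForwardRejectIn helpers in this same patch all spell it `"--delete"`. Because iptablesRemoveForwardRejectOut is now routed through this helper, the REJECT rule on FORWARD for the interface that the pre-patch code deleted will no longer be removed at teardown, leaving a stale firewall rule behind and a failing firewall transaction. The fix is a one-token change on the ternary line: `action == ADD ? "--insert" : "--delete", "FORWARD",`. Worth adding a regression test that renders the REMOVE path of each helper and compares it against the expected argv, since the three helpers differ only by their option list and this kind of typo is otherwise invisible until a network is destroyed.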
@@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - virFirewallAddRule(fw, layer, - "--table", "filter", - "--delete", "FORWARD", - "--out-interface", iface, - "--jump", "REJECT", - NULL); + iptablesForwardRejectIn(fw, layer, iface, REMOVE); }