mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 05:35:25 +00:00
Convert nwfilter ebiptablesTearOldRules to virFirewall
Convert the nwfilter ebiptablesTearOldRules method to use the virFirewall object APIs instead of creating shell scripts using virBuffer APIs. This provides a performance improvement through allowing direct use of firewalld dbus APIs and will facilitate automated testing. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
parent
8d55986427
commit
3010fae592
@ -694,16 +694,6 @@ _iptablesRemoveRootChainFW(virFirewallPtr fw,
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
iptablesRemoveRootChain(virBufferPtr buf,
|
||||
char prefix,
|
||||
bool incoming,
|
||||
const char *ifname)
|
||||
{
|
||||
_iptablesRemoveRootChain(buf, prefix, incoming, ifname, false);
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
iptablesRemoveRootChainFW(virFirewallPtr fw,
|
||||
virFirewallLayer layer,
|
||||
@ -736,16 +726,6 @@ iptablesRemoveTmpRootChains(virBufferPtr buf,
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
iptablesRemoveRootChains(virBufferPtr buf,
|
||||
const char *ifname)
|
||||
{
|
||||
iptablesRemoveRootChain(buf, 'F', false, ifname);
|
||||
iptablesRemoveRootChain(buf, 'F', true, ifname);
|
||||
iptablesRemoveRootChain(buf, 'H', true, ifname);
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
iptablesRemoveRootChainsFW(virFirewallPtr fw,
|
||||
virFirewallLayer layer,
|
||||
@ -924,16 +904,6 @@ _iptablesUnlinkRootChainFW(virFirewallPtr fw,
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
iptablesUnlinkRootChain(virBufferPtr buf,
|
||||
const char *basechain,
|
||||
char prefix,
|
||||
bool incoming, const char *ifname)
|
||||
{
|
||||
_iptablesUnlinkRootChain(buf,
|
||||
basechain, prefix, incoming, ifname, false);
|
||||
}
|
||||
|
||||
static void
|
||||
iptablesUnlinkRootChainFW(virFirewallPtr fw,
|
||||
virFirewallLayer layer,
|
||||
@ -957,16 +927,6 @@ iptablesUnlinkTmpRootChain(virBufferPtr buf,
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
iptablesUnlinkRootChains(virBufferPtr buf,
|
||||
const char *ifname)
|
||||
{
|
||||
iptablesUnlinkRootChain(buf, VIRT_OUT_CHAIN, 'F', false, ifname);
|
||||
iptablesUnlinkRootChain(buf, VIRT_IN_CHAIN, 'F', true, ifname);
|
||||
iptablesUnlinkRootChain(buf, HOST_IN_CHAIN, 'H', true, ifname);
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
iptablesUnlinkRootChainsFW(virFirewallPtr fw,
|
||||
virFirewallLayer layer,
|
||||
@ -989,10 +949,11 @@ iptablesUnlinkTmpRootChains(virBufferPtr buf,
|
||||
|
||||
|
||||
static void
|
||||
iptablesRenameTmpRootChain(virBufferPtr buf,
|
||||
char prefix,
|
||||
bool incoming,
|
||||
const char *ifname)
|
||||
iptablesRenameTmpRootChainFW(virFirewallPtr fw,
|
||||
virFirewallLayer layer,
|
||||
char prefix,
|
||||
bool incoming,
|
||||
const char *ifname)
|
||||
{
|
||||
char tmpchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
|
||||
char tmpChainPrefix[2] = {
|
||||
@ -1009,20 +970,19 @@ iptablesRenameTmpRootChain(virBufferPtr buf,
|
||||
PRINT_IPT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname);
|
||||
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
|
||||
|
||||
virBufferAsprintf(buf,
|
||||
"$IPT -E %s %s" CMD_SEPARATOR,
|
||||
tmpchain,
|
||||
chain);
|
||||
virFirewallAddRule(fw, layer,
|
||||
"-E", tmpchain, chain, NULL);
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
iptablesRenameTmpRootChains(virBufferPtr buf,
|
||||
const char *ifname)
|
||||
iptablesRenameTmpRootChainsFW(virFirewallPtr fw,
|
||||
virFirewallLayer layer,
|
||||
const char *ifname)
|
||||
{
|
||||
iptablesRenameTmpRootChain(buf, 'F', false, ifname);
|
||||
iptablesRenameTmpRootChain(buf, 'F', true, ifname);
|
||||
iptablesRenameTmpRootChain(buf, 'H', true, ifname);
|
||||
iptablesRenameTmpRootChainFW(fw, layer, 'F', false, ifname);
|
||||
iptablesRenameTmpRootChainFW(fw, layer, 'F', true, ifname);
|
||||
iptablesRenameTmpRootChainFW(fw, layer, 'H', true, ifname);
|
||||
}
|
||||
|
||||
|
||||
@ -3282,6 +3242,30 @@ ebtablesRenameTmpSubChain(virBufferPtr buf,
|
||||
tmpchain, chain);
|
||||
}
|
||||
|
||||
static void
|
||||
ebtablesRenameTmpSubChainFW(virFirewallPtr fw,
|
||||
int incoming,
|
||||
const char *ifname,
|
||||
const char *protocol)
|
||||
{
|
||||
char tmpchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
|
||||
char tmpChainPrefix = (incoming) ? CHAINPREFIX_HOST_IN_TEMP
|
||||
: CHAINPREFIX_HOST_OUT_TEMP;
|
||||
char chainPrefix = (incoming) ? CHAINPREFIX_HOST_IN
|
||||
: CHAINPREFIX_HOST_OUT;
|
||||
|
||||
if (protocol) {
|
||||
PRINT_CHAIN(tmpchain, tmpChainPrefix, ifname, protocol);
|
||||
PRINT_CHAIN(chain, chainPrefix, ifname, protocol);
|
||||
} else {
|
||||
PRINT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname);
|
||||
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
|
||||
}
|
||||
|
||||
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
|
||||
"-t", "nat", "-E", tmpchain, chain, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
ebtablesRenameTmpRootChain(virBufferPtr buf,
|
||||
bool incoming,
|
||||
@ -3291,38 +3275,79 @@ ebtablesRenameTmpRootChain(virBufferPtr buf,
|
||||
}
|
||||
|
||||
static void
|
||||
ebtablesRenameTmpSubAndRootChains(virBufferPtr buf,
|
||||
const char *ifname)
|
||||
ebtablesRenameTmpRootChainFW(virFirewallPtr fw,
|
||||
bool incoming,
|
||||
const char *ifname)
|
||||
{
|
||||
ebtablesRenameTmpSubChainFW(fw, incoming, ifname, NULL);
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
ebtablesRenameTmpSubAndRootChainsQuery(virFirewallPtr fw,
|
||||
const char *const *lines,
|
||||
void *opaque ATTRIBUTE_UNUSED)
|
||||
{
|
||||
size_t i;
|
||||
char newchain[MAX_CHAINNAME_LENGTH];
|
||||
|
||||
for (i = 0; lines[i] != NULL; i++) {
|
||||
VIR_DEBUG("Considering '%s'", lines[i]);
|
||||
char *tmp = strstr(lines[i], "-j ");
|
||||
if (!tmp)
|
||||
continue;
|
||||
tmp = tmp + 3;
|
||||
if (tmp[0] != CHAINPREFIX_HOST_IN_TEMP &&
|
||||
tmp[0] != CHAINPREFIX_HOST_OUT_TEMP)
|
||||
continue;
|
||||
if (tmp[1] != '-')
|
||||
continue;
|
||||
|
||||
ignore_value(virStrcpyStatic(newchain, tmp));
|
||||
if (newchain[0] == CHAINPREFIX_HOST_IN_TEMP)
|
||||
newchain[0] = CHAINPREFIX_HOST_IN;
|
||||
else
|
||||
newchain[0] = CHAINPREFIX_HOST_OUT;
|
||||
VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain);
|
||||
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
|
||||
false, ebtablesRenameTmpSubAndRootChainsQuery,
|
||||
NULL,
|
||||
"-t", "nat", "-L", tmp, NULL);
|
||||
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
|
||||
true, NULL, NULL,
|
||||
"-t", "nat", "-F", newchain, NULL);
|
||||
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
|
||||
true, NULL, NULL,
|
||||
"-t", "nat", "-X", newchain, NULL);
|
||||
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
|
||||
"-t", "nat", "-E", tmp, newchain, NULL);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
ebtablesRenameTmpSubAndRootChainsFW(virFirewallPtr fw,
|
||||
const char *ifname)
|
||||
{
|
||||
char rootchain[MAX_CHAINNAME_LENGTH];
|
||||
size_t i;
|
||||
char chains[3] = {
|
||||
CHAINPREFIX_HOST_IN_TEMP,
|
||||
CHAINPREFIX_HOST_OUT_TEMP,
|
||||
0};
|
||||
|
||||
NWFILTER_SET_EBTABLES_SHELLVAR(buf);
|
||||
|
||||
virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS,
|
||||
chains);
|
||||
virBufferAsprintf(buf, NWFILTER_FUNC_RENAME_CHAINS,
|
||||
CHAINPREFIX_HOST_IN_TEMP,
|
||||
CHAINPREFIX_HOST_IN,
|
||||
CHAINPREFIX_HOST_OUT_TEMP,
|
||||
CHAINPREFIX_HOST_OUT);
|
||||
|
||||
virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS);
|
||||
virBufferAddLit(buf, "chains=\"$(collect_chains");
|
||||
0
|
||||
};
|
||||
for (i = 0; chains[i] != 0; i++) {
|
||||
PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
|
||||
virBufferAsprintf(buf, " %s", rootchain);
|
||||
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
|
||||
false, ebtablesRenameTmpSubAndRootChainsQuery,
|
||||
NULL,
|
||||
"-t", "nat", "-L", rootchain, NULL);
|
||||
}
|
||||
virBufferAddLit(buf, ")\"\n");
|
||||
|
||||
virBufferAddLit(buf, "rename_chains $chains\n");
|
||||
|
||||
ebtablesRenameTmpRootChain(buf, true, ifname);
|
||||
ebtablesRenameTmpRootChain(buf, false, ifname);
|
||||
ebtablesRenameTmpRootChainFW(fw, true, ifname);
|
||||
ebtablesRenameTmpRootChainFW(fw, false, ifname);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -4261,46 +4286,31 @@ ebiptablesTearNewRules(const char *ifname)
|
||||
static int
|
||||
ebiptablesTearOldRules(const char *ifname)
|
||||
{
|
||||
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
||||
virFirewallPtr fw = virFirewallNew();
|
||||
int ret = -1;
|
||||
|
||||
/* switch to new iptables user defined chains */
|
||||
if (iptables_cmd_path) {
|
||||
NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
|
||||
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
|
||||
|
||||
iptablesUnlinkRootChains(&buf, ifname);
|
||||
iptablesRemoveRootChains(&buf, ifname);
|
||||
iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
|
||||
iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
|
||||
iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
|
||||
|
||||
iptablesRenameTmpRootChains(&buf, ifname);
|
||||
ebiptablesExecCLI(&buf, true, NULL);
|
||||
}
|
||||
iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
|
||||
iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
|
||||
iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
|
||||
|
||||
if (ip6tables_cmd_path) {
|
||||
NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
|
||||
ebtablesUnlinkRootChainFW(fw, true, ifname);
|
||||
ebtablesUnlinkRootChainFW(fw, false, ifname);
|
||||
ebtablesRemoveSubChainsFW(fw, ifname);
|
||||
ebtablesRemoveRootChainFW(fw, true, ifname);
|
||||
ebtablesRemoveRootChainFW(fw, false, ifname);
|
||||
ebtablesRenameTmpSubAndRootChainsFW(fw, ifname);
|
||||
|
||||
iptablesUnlinkRootChains(&buf, ifname);
|
||||
iptablesRemoveRootChains(&buf, ifname);
|
||||
|
||||
iptablesRenameTmpRootChains(&buf, ifname);
|
||||
ebiptablesExecCLI(&buf, true, NULL);
|
||||
}
|
||||
|
||||
if (ebtables_cmd_path) {
|
||||
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
|
||||
|
||||
ebtablesUnlinkRootChain(&buf, true, ifname);
|
||||
ebtablesUnlinkRootChain(&buf, false, ifname);
|
||||
|
||||
ebtablesRemoveSubChains(&buf, ifname);
|
||||
|
||||
ebtablesRemoveRootChain(&buf, true, ifname);
|
||||
ebtablesRemoveRootChain(&buf, false, ifname);
|
||||
|
||||
ebtablesRenameTmpSubAndRootChains(&buf, ifname);
|
||||
|
||||
ebiptablesExecCLI(&buf, true, NULL);
|
||||
}
|
||||
|
||||
return 0;
|
||||
virMutexLock(&execCLIMutex);
|
||||
ret = virFirewallApply(fw);
|
||||
virMutexUnlock(&execCLIMutex);
|
||||
virFirewallFree(fw);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
|
@ -96,6 +96,77 @@ testNWFilterEBIPTablesAllTeardown(const void *opaque ATTRIBUTE_UNUSED)
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
testNWFilterEBIPTablesTearOldRules(const void *opaque ATTRIBUTE_UNUSED)
|
||||
{
|
||||
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
||||
const char *expected =
|
||||
"iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
||||
"iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
||||
"iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
||||
"iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
||||
"iptables -F FO-vnet0\n"
|
||||
"iptables -X FO-vnet0\n"
|
||||
"iptables -F FI-vnet0\n"
|
||||
"iptables -X FI-vnet0\n"
|
||||
"iptables -F HI-vnet0\n"
|
||||
"iptables -X HI-vnet0\n"
|
||||
"iptables -E FP-vnet0 FO-vnet0\n"
|
||||
"iptables -E FJ-vnet0 FI-vnet0\n"
|
||||
"iptables -E HJ-vnet0 HI-vnet0\n"
|
||||
"ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
||||
"ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
||||
"ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
||||
"ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
||||
"ip6tables -F FO-vnet0\n"
|
||||
"ip6tables -X FO-vnet0\n"
|
||||
"ip6tables -F FI-vnet0\n"
|
||||
"ip6tables -X FI-vnet0\n"
|
||||
"ip6tables -F HI-vnet0\n"
|
||||
"ip6tables -X HI-vnet0\n"
|
||||
"ip6tables -E FP-vnet0 FO-vnet0\n"
|
||||
"ip6tables -E FJ-vnet0 FI-vnet0\n"
|
||||
"ip6tables -E HJ-vnet0 HI-vnet0\n"
|
||||
"ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
||||
"ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
||||
"ebtables -t nat -L libvirt-I-vnet0\n"
|
||||
"ebtables -t nat -L libvirt-O-vnet0\n"
|
||||
"ebtables -t nat -F libvirt-I-vnet0\n"
|
||||
"ebtables -t nat -X libvirt-I-vnet0\n"
|
||||
"ebtables -t nat -F libvirt-O-vnet0\n"
|
||||
"ebtables -t nat -X libvirt-O-vnet0\n"
|
||||
"ebtables -t nat -L libvirt-J-vnet0\n"
|
||||
"ebtables -t nat -L libvirt-P-vnet0\n"
|
||||
"ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
|
||||
"ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
|
||||
char *actual = NULL;
|
||||
int ret = -1;
|
||||
|
||||
virCommandSetDryRun(&buf, NULL, NULL);
|
||||
|
||||
if (ebiptables_driver.tearOldRules("vnet0") < 0)
|
||||
goto cleanup;
|
||||
|
||||
if (virBufferError(&buf))
|
||||
goto cleanup;
|
||||
|
||||
actual = virBufferContentAndReset(&buf);
|
||||
virtTestClearCommandPath(actual);
|
||||
|
||||
if (STRNEQ_NULLABLE(actual, expected)) {
|
||||
virtTestDifference(stderr, actual, expected);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
cleanup:
|
||||
virCommandSetDryRun(NULL, NULL, NULL);
|
||||
virBufferFreeAndReset(&buf);
|
||||
VIR_FREE(actual);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
mymain(void)
|
||||
{
|
||||
@ -111,6 +182,11 @@ mymain(void)
|
||||
NULL) < 0)
|
||||
ret = -1;
|
||||
|
||||
if (virtTestRun("ebiptablesTearOldRules",
|
||||
testNWFilterEBIPTablesTearOldRules,
|
||||
NULL) < 0)
|
||||
ret = -1;
|
||||
|
||||
cleanup:
|
||||
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user