diff --git a/configure.in b/configure.in
index 8d21207d40..fe9834d64e 100644
--- a/configure.in
+++ b/configure.in
@@ -269,27 +269,6 @@ if test x"$with_rhel5_api" = x"yes"; then
 AC_DEFINE([WITH_RHEL5_API], [1], [whether building for the RHEL-5 API])
 fi
-dnl
-dnl ensure that Fedora's system-config-firewall knows
-dnl about libvirt's iptables rules
-dnl
-AC_ARG_ENABLE([iptables-lokkit],
- [AC_HELP_STRING([--enable-iptables-lokkit=no/yes/check],
- [enable registering libvirt's iptables rules with Fedora's lokkit])],
- [],[enable_iptables_lokkit=check])
-if test x"$enable_iptables_lokkit" != x"no"; then
- AC_PATH_PROG([LOKKIT_PATH],[lokkit], [], [/usr/sbin:$PATH])
-fi
-
-if test x"$enable_iptables_lokkit" = x"yes" -a x"$LOKKIT_PATH" = x; then
- AC_MSG_ERROR([Cannot find lokkit and --enable-iptables-lokkit specified])
-fi
-
-if test x"$LOKKIT_PATH" != x; then
- AC_DEFINE([ENABLE_IPTABLES_LOKKIT], [], [whether support for Fedora's lokkit is enabled])
- AC_DEFINE_UNQUOTED([LOKKIT_PATH], "$LOKKIT_PATH", [path to lokkit binary])
-fi
-
 AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/sbin:$PATH])
 AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to iptables binary])
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 408ad058f1..dd067ad7c1 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -710,9 +710,6 @@ fi
 %if %{with_network}
 %dir %{_localstatedir}/run/libvirt/network/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/network/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/filter/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/iptables/nat/
 %endif
 %if %{with_qemu}
diff --git a/src/Makefile.am b/src/Makefile.am
index e5d89334c4..b639915dbb 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -883,8 +883,6 @@ if WITH_UML
 $(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/uml"
 endif
 if WITH_NETWORK
- $(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/filter"
- $(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/nat"
 $(MKDIR_P) "$(DESTDIR)$(localstatedir)/lib/libvirt/network"
 $(MKDIR_P) "$(DESTDIR)$(localstatedir)/run/libvirt/network"
 $(MKDIR_P) "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart"
@@ -921,8 +919,6 @@ if WITH_NETWORK
 rm -f $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/default.xml
 rmdir "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart" || :
 rmdir "$(DESTDIR)$(sysconfdir)/libvirt/qemu/networks" || :
- rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/filter" ||:
- rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/iptables/nat" ||:
 rmdir "$(DESTDIR)$(localstatedir)/lib/libvirt/network" ||:
 rmdir "$(DESTDIR)$(localstatedir)/run/libvirt/network" ||:
 endif
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 58f99fb966..8d64b15d0f 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -247,7 +247,6 @@ iptablesRemoveForwardRejectIn;
 iptablesRemoveForwardRejectOut;
 iptablesRemoveTcpInput;
 iptablesRemoveUdpInput;
-iptablesSaveRules;
 # libvirt_internal.h
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index d5cab71b8c..abee78cbbf 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -752,8 +752,6 @@ networkAddIptablesRules(virConnectPtr conn,
 !networkAddRoutingIptablesRules(conn, driver, network))
 goto err8;
- iptablesSaveRules(driver->iptables);
-
 return 1;
 err8:
@@ -807,7 +805,6 @@ networkRemoveIptablesRules(struct network_driver *driver,
 iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
 iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
 iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
- iptablesSaveRules(driver->iptables);
 }
 static void
diff --git a/src/util/iptables.c b/src/util/iptables.c
index 36d65e4318..8ac7786d68 100644
--- a/src/util/iptables.c
+++ b/src/util/iptables.c
@@ -66,14 +66,6 @@ typedef struct
 int nrules;
 iptRule *rules;
-
-#ifdef ENABLE_IPTABLES_LOKKIT
-
- char dir[PATH_MAX];
- char path[PATH_MAX];
-
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
 } iptRules;
 struct _iptablesContext
@@ -83,186 +75,6 @@ struct _iptablesContext
 iptRules *nat_postrouting;
 };
-#ifdef ENABLE_IPTABLES_LOKKIT
-static void
-notifyRulesUpdated(const char *table,
- const char *path)
-{
- char arg[PATH_MAX];
- const char *argv[4];
-
- snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
-
- argv[0] = (char *) LOKKIT_PATH;
- argv[1] = (char *) "--nostart";
- argv[2] = arg;
- argv[3] = NULL;
-
- char ebuf[1024];
- if (virRun(NULL, argv, NULL) < 0)
- VIR_WARN(_("Failed to run '%s %s': %s"),
- LOKKIT_PATH, arg, virStrerror(errno, ebuf, sizeof ebuf));
-}
-
-static int
-stripLine(char *str, int len, const char *line)
-{
- char *s, *p;
- int changed;
-
- changed = 0;
- s = str;
-
- while ((p = strchr(s, '\n'))) {
- if (p == s || STRNEQLEN(s, line, p - s)) {
- s = ++p;
- continue;
- }
-
- ++p;
- memmove(s, p, len - (p - str) + 1);
- len -= p - s;
- changed = 1;
- }
-
- if (STREQ(s, line)) {
- *s = '\0';
- changed = 1;
- }
-
- return changed;
-}
-
-static void
-notifyRulesRemoved(const char *table,
- const char *path)
-{
-/* 10 MB limit on config file size as a sanity check */
-#define MAX_FILE_LEN (1024*1024*10)
-
- char arg[PATH_MAX];
- char *content;
- int len;
- FILE *f = NULL;
-
- len = virFileReadAll(SYSCONF_DIR "/sysconfig/system-config-firewall",
- MAX_FILE_LEN, &content);
- if (len < 0) {
- VIR_WARN("%s", _("Failed to read " SYSCONF_DIR
- "/sysconfig/system-config-firewall"));
- return;
- }
-
- snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
-
- if (!stripLine(content, len, arg)) {
- VIR_FREE(content);
- return;
- }
-
- if (!(f = fopen(SYSCONF_DIR "/sysconfig/system-config-firewall", "w")))
- goto write_error;
-
- if (fputs(content, f) == EOF)
- goto write_error;
-
- if (fclose(f) == EOF) {
- f = NULL;
- goto write_error;
- }
-
- VIR_FREE(content);
-
- return;
-
- write_error:;
- char ebuf[1024];
- VIR_WARN(_("Failed to write to " SYSCONF_DIR
- "/sysconfig/system-config-firewall : %s"),
- virStrerror(errno, ebuf, sizeof ebuf));
- if (f)
- fclose(f);
- VIR_FREE(content);
-
-#undef MAX_FILE_LEN
-}
-
-static int
-writeRules(const char *path,
- const iptRule *rules,
- int nrules)
-{
- char tmp[PATH_MAX];
- FILE *f;
- int istmp;
- int i;
-
- if (nrules == 0 && unlink(path) == 0)
- return 0;
-
- if (snprintf(tmp, PATH_MAX, "%s.new", path) >= PATH_MAX)
- return EINVAL;
-
- istmp = 1;
-
- if (!(f = fopen(tmp, "w"))) {
- istmp = 0;
- if (!(f = fopen(path, "w")))
- return errno;
- }
-
- for (i = 0; i < nrules; i++) {
- if (fputs(rules[i].rule, f) == EOF ||
- fputc('\n', f) == EOF) {
- fclose(f);
- if (istmp)
- unlink(tmp);
- return errno;
- }
- }
-
- fclose(f);
-
- if (istmp && rename(tmp, path) < 0) {
- unlink(tmp);
- return errno;
- }
-
- if (istmp)
- unlink(tmp);
-
- return 0;
-}
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
-static void
-iptRulesSave(iptRules *rules)
-{
-#ifdef ENABLE_IPTABLES_LOKKIT
- int err;
-
- char ebuf[1024];
- if ((err = virFileMakePath(rules->dir))) {
- VIR_WARN(_("Failed to create directory %s : %s"),
- rules->dir, virStrerror(err, ebuf, sizeof ebuf));
- return;
- }
-
- if ((err = writeRules(rules->path, rules->rules, rules->nrules))) {
- VIR_WARN(_("Failed to saves iptables rules to %s : %s"),
- rules->path, virStrerror(err, ebuf, sizeof ebuf));
- return;
- }
-
- if (rules->nrules > 0)
- notifyRulesUpdated(rules->table, rules->path);
- else
- notifyRulesRemoved(rules->table, rules->path);
-#else
- (void) rules;
-#endif /* ENABLE_IPTABLES_LOKKIT */
-}
-
 static void
 iptRuleFree(iptRule *rule)
 {
@@ -340,11 +152,6 @@ iptRulesFree(iptRules *rules)
 rules->nrules = 0;
 }
-#ifdef ENABLE_IPTABLES_LOKKIT
- rules->dir[0] = '\0';
- rules->path[0] = '\0';
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
 VIR_FREE(rules);
 }
@@ -366,15 +173,6 @@ iptRulesNew(const char *table,
 rules->rules = NULL;
 rules->nrules = 0;
-#ifdef ENABLE_IPTABLES_LOKKIT
- if (virFileBuildPath(LOCAL_STATE_DIR "/lib/libvirt/iptables", table, NULL,
- rules->dir, sizeof(rules->dir)) < 0)
- goto error;
-
- if (virFileBuildPath(rules->dir, chain, ".chain", rules->path, sizeof(rules->path)) < 0)
- goto error;
-#endif /* ENABLE_IPTABLES_LOKKIT */
-
 return rules;
 error:
@@ -520,22 +318,6 @@ iptablesContextFree(iptablesContext *ctx)
 VIR_FREE(ctx);
 }
-/**
- * iptablesSaveRules:
- * @ctx: pointer to the IP table context
- *
- * Saves all the IP table rules associated with a context
- * to disk so that if iptables is restarted, the rules
- * will automatically be reload.
- */
-void
-iptablesSaveRules(iptablesContext *ctx)
-{
- iptRulesSave(ctx->input_filter);
- iptRulesSave(ctx->forward_filter);
- iptRulesSave(ctx->nat_postrouting);
-}
-
 static void
 iptRulesReload(iptRules *rules)
 {
diff --git a/src/util/iptables.h b/src/util/iptables.h
index fbe9b5d599..826f4f8f0b 100644
--- a/src/util/iptables.h
+++ b/src/util/iptables.h
@@ -27,7 +27,6 @@ typedef struct _iptablesContext iptablesContext;
 iptablesContext *iptablesContextNew (void);
 void iptablesContextFree (iptablesContext *ctx);
-void iptablesSaveRules (iptablesContext *ctx);
 void iptablesReloadRules (iptablesContext *ctx);
 int iptablesAddTcpInput (iptablesContext *ctx,