External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-05 22:05:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

Push virNWFilterRuleInstPtr out of (eb|ip)tablesCreateRuleInstance

Browse Source 
Later refactoring will change use of the virNWFilterRuleInstPtr struct.
Prepare for this by pushing use of the virNWFilterRuleInstPtr parameter
out of the ebtablesCreateRuleInstance and iptablesCreateRuleInstance
methods. Instead they simply string(s) with the constructed rule data.
The ebiptablesCreateRuleInstance method will make use of the
virNWFilterRuleInstPtr struct instead.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrange 2014-03-25 10:32:55 +00:00
parent 23b1d0c07d
commit 4dd7eaa36f
1 changed files with 125 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

209
src/nwfilter/nwfilter_ebiptables_driver.c
View File

@ -1277,17 +1277,17 @@ iptablesEnforceDirection(bool directionIn,
/* /*
* _iptablesCreateRuleInstance: * _iptablesCreateRuleInstance:
* @chainPrefix : The prefix to put in front of the name of the chain * @chainPrefix : The prefix to put in front of the name of the chain
* @nwfilter : The filter
* @rule: The rule of the filter to convert * @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to * @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve * @vars : A map containing the variables to resolve
* @res : The data structure to store the result(s) into
* @match : optional string for state match * @match : optional string for state match
* @accept_target : where to jump to on accepted traffic, i.e., "RETURN" * @accept_target : where to jump to on accepted traffic, i.e., "RETURN"
* "ACCEPT" * "ACCEPT"
* @isIPv6 : Whether this is an IPv6 rule * @isIPv6 : Whether this is an IPv6 rule
* @maySkipICMP : whether this rule may under certain circumstances skip * @maySkipICMP : whether this rule may under certain circumstances skip
* the ICMP rule from being created * the ICMP rule from being created
* @templates: pointer to array to store rule template
* @ntemplates: pointer to storage rule template count
* *
* Convert a single rule into its representation for later instantiation * Convert a single rule into its representation for later instantiation
* *
@ -1297,15 +1297,15 @@ iptablesEnforceDirection(bool directionIn,
static int static int
_iptablesCreateRuleInstance(bool directionIn, _iptablesCreateRuleInstance(bool directionIn,
const char *chainPrefix, const char *chainPrefix,
virNWFilterDefPtr nwfilter,
virNWFilterRuleDefPtr rule, virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res,
const char *match, bool defMatch, const char *match, bool defMatch,
const char *accept_target, const char *accept_target,
bool isIPv6, bool isIPv6,
bool maySkipICMP) bool maySkipICMP,
char ***templates,
size_t *ntemplates)
{ {
char chain[MAX_CHAINNAME_LENGTH]; char chain[MAX_CHAINNAME_LENGTH];
char number[MAX(INT_BUFSIZE_BOUND(uint32_t), char number[MAX(INT_BUFSIZE_BOUND(uint32_t),
@ -1322,6 +1322,7 @@ _iptablesCreateRuleInstance(bool directionIn,
bool skipRule = false; bool skipRule = false;
bool skipMatch = false; bool skipMatch = false;
bool hasICMPType = false; bool hasICMPType = false;
char *template;
if (!iptables_cmd) { if (!iptables_cmd) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
@ -1732,14 +1733,13 @@ _iptablesCreateRuleInstance(bool directionIn,
final = &buf; final = &buf;
return ebiptablesAddRuleInst(res, template = virBufferContentAndReset(final);
virBufferContentAndReset(final), if (VIR_APPEND_ELEMENT(*templates, *ntemplates, template) < 0) {
nwfilter->chainsuffix, VIR_FREE(template);
nwfilter->chainPriority, return -1;
'\0', }
rule->priority,
(isIPv6) ? RT_IP6TABLES : RT_IPTABLES);
return 0;
err_exit: err_exit:
virBufferFreeAndReset(&buf); virBufferFreeAndReset(&buf);
@ -1775,12 +1775,12 @@ printStateMatchFlags(int32_t flags, char **bufptr)
} }
static int static int
iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter, iptablesCreateRuleInstanceStateCtrl(virNWFilterRuleDefPtr rule,
virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res, bool isIPv6,
bool isIPv6) char ***templates,
size_t *ntemplates)
{ {
int rc; int rc;
bool directionIn = false; bool directionIn = false;
@ -1816,15 +1816,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
if (create) { if (create) {
rc = _iptablesCreateRuleInstance(directionIn, rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, false, matchState, false,
"RETURN", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
VIR_FREE(matchState); VIR_FREE(matchState);
if (rc < 0) if (rc < 0)
@ -1848,15 +1848,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
if (create) { if (create) {
rc = _iptablesCreateRuleInstance(!directionIn, rc = _iptablesCreateRuleInstance(!directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, false, matchState, false,
"ACCEPT", "ACCEPT",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
VIR_FREE(matchState); VIR_FREE(matchState);
@ -1883,15 +1883,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn, rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, false, matchState, false,
"RETURN", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
VIR_FREE(matchState); VIR_FREE(matchState);
} }
@ -1900,12 +1900,12 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
static int static int
iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, iptablesCreateRuleInstance(virNWFilterRuleDefPtr rule,
virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res, bool isIPv6,
bool isIPv6) char ***templates,
size_t *ntemplates)
{ {
int rc; int rc;
bool directionIn = false; bool directionIn = false;
@ -1916,12 +1916,12 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
if (!(rule->flags & RULE_FLAG_NO_STATEMATCH) && if (!(rule->flags & RULE_FLAG_NO_STATEMATCH) &&
(rule->flags & IPTABLES_STATE_FLAGS)) { (rule->flags & IPTABLES_STATE_FLAGS)) {
return iptablesCreateRuleInstanceStateCtrl(nwfilter, return iptablesCreateRuleInstanceStateCtrl(rule,
rule,
ifname, ifname,
vars, vars,
res, isIPv6,
isIPv6); templates,
ntemplates);
} }
if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) || if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) ||
@ -1947,15 +1947,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn, rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, true, matchState, true,
"RETURN", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
if (rc < 0) if (rc < 0)
return rc; return rc;
@ -1969,15 +1969,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
rc = _iptablesCreateRuleInstance(!directionIn, rc = _iptablesCreateRuleInstance(!directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, true, matchState, true,
"ACCEPT", "ACCEPT",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
if (rc < 0) if (rc < 0)
return rc; return rc;
@ -1991,15 +1991,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn, rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, true, matchState, true,
"RETURN", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
return rc; return rc;
} }
@ -2010,12 +2010,13 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
/* /*
* ebtablesCreateRuleInstance: * ebtablesCreateRuleInstance:
* @chainPrefix : The prefix to put in front of the name of the chain * @chainPrefix : The prefix to put in front of the name of the chain
* @nwfilter : The filter * @chainSuffix: The suffix to put on the end of the name of the chain
* @rule: The rule of the filter to convert * @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to * @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve * @vars : A map containing the variables to resolve
* @res : The data structure to store the result(s) into
* @reverse : Whether to reverse src and dst attributes * @reverse : Whether to reverse src and dst attributes
* @templates: pointer to array to store rule template
* @ntemplates: pointer to storage rule template count
* *
* Convert a single rule into its representation for later instantiation * Convert a single rule into its representation for later instantiation
* *
@ -2024,12 +2025,12 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
*/ */
static int static int
ebtablesCreateRuleInstance(char chainPrefix, ebtablesCreateRuleInstance(char chainPrefix,
virNWFilterDefPtr nwfilter, const char *chainSuffix,
virNWFilterRuleDefPtr rule, virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res, bool reverse,
bool reverse) char **template)
{ {
char macaddr[VIR_MAC_STRING_BUFLEN], char macaddr[VIR_MAC_STRING_BUFLEN],
ipaddr[INET_ADDRSTRLEN], ipaddr[INET_ADDRSTRLEN],
@ -2043,6 +2044,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
const char *target; const char *target;
bool hasMask = false; bool hasMask = false;
*template = NULL;
if (!ebtables_cmd_path) { if (!ebtables_cmd_path) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("cannot create rule since ebtables tool is " _("cannot create rule since ebtables tool is "
@ -2050,13 +2053,13 @@ ebtablesCreateRuleInstance(char chainPrefix,
goto err_exit; goto err_exit;
} }
if (STREQ(nwfilter->chainsuffix, if (STREQ(chainSuffix,
virNWFilterChainSuffixTypeToString( virNWFilterChainSuffixTypeToString(
VIR_NWFILTER_CHAINSUFFIX_ROOT))) VIR_NWFILTER_CHAINSUFFIX_ROOT)))
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
else else
PRINT_CHAIN(chain, chainPrefix, ifname, PRINT_CHAIN(chain, chainPrefix, ifname,
nwfilter->chainsuffix); chainSuffix);
switch (rule->prtclType) { switch (rule->prtclType) {
@ -2620,13 +2623,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
return -1; return -1;
} }
return ebiptablesAddRuleInst(res, *template = virBufferContentAndReset(&buf);
virBufferContentAndReset(&buf), return 0;
nwfilter->chainsuffix,
nwfilter->chainPriority,
chainPrefix,
rule->priority,
RT_EBTABLES);
err_exit: err_exit:
virBufferFreeAndReset(&buf); virBufferFreeAndReset(&buf);
@ -2637,7 +2635,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
/* /*
* ebiptablesCreateRuleInstance: * ebiptablesCreateRuleInstance:
* @nwfilter : The filter * @chainPriority : The priority of the chain
* @chainSuffix: The suffix to put on the end of the name of the chain
* @rule: The rule of the filter to convert * @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to * @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve * @vars : A map containing the variables to resolve
@ -2649,40 +2648,66 @@ ebtablesCreateRuleInstance(char chainPrefix,
* pointed to by res, -1 otherwise * pointed to by res, -1 otherwise
*/ */
static int static int
ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ebiptablesCreateRuleInstance(virNWFilterChainPriority chainPriority,
const char *chainSuffix,
virNWFilterRuleDefPtr rule, virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res) virNWFilterRuleInstPtr res)
{ {
int rc = 0;
if (virNWFilterRuleIsProtocolEthernet(rule)) { if (virNWFilterRuleIsProtocolEthernet(rule)) {
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT || if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) { rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
rc = ebtablesCreateRuleInstance(CHAINPREFIX_HOST_IN_TEMP, char *template;
nwfilter, if (ebtablesCreateRuleInstance(CHAINPREFIX_HOST_IN_TEMP,
rule, chainSuffix,
ifname, rule,
vars, ifname,
res, vars,
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT); rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT,
if (rc < 0) &template) < 0)
return rc; return -1;
if (ebiptablesAddRuleInst(res,
template,
chainSuffix,
chainPriority,
CHAINPREFIX_HOST_IN_TEMP,
rule->priority,
RT_EBTABLES) < 0) {
VIR_FREE(template);
return -1;
}
} }
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN || if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) { rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
rc = ebtablesCreateRuleInstance(CHAINPREFIX_HOST_OUT_TEMP, char *template;
nwfilter, if (ebtablesCreateRuleInstance(CHAINPREFIX_HOST_OUT_TEMP,
rule, chainSuffix,
ifname, rule,
vars, ifname,
res, vars,
false); false,
&template) < 0)
return -1;
if (ebiptablesAddRuleInst(res,
template,
chainSuffix,
chainPriority,
CHAINPREFIX_HOST_OUT_TEMP,
rule->priority,
RT_EBTABLES) < 0) {
VIR_FREE(template);
return -1;
}
} }
} else { } else {
bool isIPv6; bool isIPv6;
char **templates = NULL;
size_t ntemplates = 0;
size_t i, j;
if (virNWFilterRuleIsProtocolIPv6(rule)) { if (virNWFilterRuleIsProtocolIPv6(rule)) {
isIPv6 = true; isIPv6 = true;
} else if (virNWFilterRuleIsProtocolIPv4(rule)) { } else if (virNWFilterRuleIsProtocolIPv4(rule)) {
@ -2693,15 +2718,30 @@ ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
return -1; return -1;
} }
rc = iptablesCreateRuleInstance(nwfilter, if (iptablesCreateRuleInstance(rule,
rule, ifname,
ifname, vars,
vars, isIPv6,
res, &templates,
isIPv6); &ntemplates) < 0)
return -1;
for (i = 0; i < ntemplates; i++) {
if (ebiptablesAddRuleInst(res,
templates[i],
chainSuffix,
chainPriority,
'\0',
rule->priority,
(isIPv6) ? RT_IP6TABLES : RT_IPTABLES) < 0) {
for (j = i; j < ntemplates; j++)
VIR_FREE(templates[j]);
return -1;
}
}
} }
return rc; return 0;
} }
static int static int
@ -2724,7 +2764,8 @@ ebiptablesCreateRuleInstanceIterate(virNWFilterDefPtr nwfilter,
return -1; return -1;
do { do {
rc = ebiptablesCreateRuleInstance(nwfilter, rc = ebiptablesCreateRuleInstance(nwfilter->chainPriority,
nwfilter->chainsuffix,
rule, rule,
ifname, ifname,
tmp, tmp,