Introduce an internal priority for chains
For better handling of the sorting of chains introduce an internally used priority. Use a lookup table to store the priorities. For now their actual values do not matter; what matters is that they cause the chains to be sorted properly, which is achieved through changes in the following patches. However, the values are chosen as negative so that once they are sorted along with filtering rules (whose priority may only be positive for now) they will always be instantiated before them (lower values cause instantiation before higher values). This is done to maintain backwards compatibility. Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
This commit is contained in:
parent
e9640b99ef
commit
4df34ec394
@ -124,6 +124,14 @@ struct int_map {
|
|||||||
#define INTMAP_ENTRY(ATT, VAL) { .attr = ATT, .val = VAL }
|
#define INTMAP_ENTRY(ATT, VAL) { .attr = ATT, .val = VAL }
|
||||||
#define INTMAP_ENTRY_LAST { .val = NULL }
|
#define INTMAP_ENTRY_LAST { .val = NULL }
|
||||||
|
|
||||||
|
static const struct int_map chain_priorities[] = {
|
||||||
|
INTMAP_ENTRY(NWFILTER_ROOT_FILTER_PRI, "root"),
|
||||||
|
INTMAP_ENTRY(NWFILTER_IPV4_FILTER_PRI, "ipv4"),
|
||||||
|
INTMAP_ENTRY(NWFILTER_IPV6_FILTER_PRI, "ipv6"),
|
||||||
|
INTMAP_ENTRY(NWFILTER_ARP_FILTER_PRI , "arp" ),
|
||||||
|
INTMAP_ENTRY(NWFILTER_RARP_FILTER_PRI, "rarp"),
|
||||||
|
INTMAP_ENTRY_LAST,
|
||||||
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* only one filter update allowed
|
* only one filter update allowed
|
||||||
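Review bot: The new chain_priorities table carries no comment explaining the ordering rule, so a reader of this file cannot tell from the entries alone that a lower value sorts first or why four of the five values are negative; that rationale currently lives only in the commit message. I would put it above the table: `/* Internal chain priorities: lower values are instantiated first. They are negative (root is 0) so that chains sort ahead of rules, whose priorities are non-negative. */`. As a point of style, `INTMAP_ENTRY(NWFILTER_ARP_FILTER_PRI , "arp" ),` has spaces before the comma and the closing parenthesis that the other four entries do not have.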
@ -2028,6 +2036,12 @@ virNWFilterDefParseXML(xmlXPathContextPtr ctxt) {
|
|||||||
_("unknown chain suffix '%s'"), chain);
|
_("unknown chain suffix '%s'"), chain);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
/* assign an implicit priority -- support XML attribute later */
|
||||||
|
if (!intMapGetByString(chain_priorities, chain, 0,
|
||||||
|
&ret->chainPriority)) {
|
||||||
|
ret->chainPriority = (NWFILTER_MAX_FILTER_PRIORITY +
|
||||||
|
NWFILTER_MIN_FILTER_PRIORITY) / 2;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
uuid = virXPathString("string(./uuid)", ctxt);
|
uuid = virXPathString("string(./uuid)", ctxt);
|
||||||
|
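Review bot: The fallback `ret->chainPriority = (NWFILTER_MAX_FILTER_PRIORITY + NWFILTER_MIN_FILTER_PRIORITY) / 2;` evaluates to 0 with the values this commit introduces (1000 and -1000), which is the same value as NWFILTER_ROOT_FILTER_PRI, so a chain missing from the table would sort as if it were the root chain rather than somewhere in the middle as the arithmetic suggests. Because the suffix was already validated a few lines up (unknown suffixes `goto cleanup`), the fallback appears reachable only when a valid suffix has no entry in chain_priorities, i.e. when the table and the suffix enum drift apart; I would say so in the comment, e.g. `/* every valid suffix should be in chain_priorities; this fallback only guards against the table and the enum drifting apart */`, or treat that case as an error instead of silently picking a value. The third argument `0` to intMapGetByString is a bare magic value whose meaning is not visible here. virNWFilterDefParseXML starts and ends outside the hunk.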
@ -357,8 +357,18 @@ enum virNWFilterEbtablesTableType {
|
|||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
# define MIN_RULE_PRIORITY 0
|
||||||
# define MAX_RULE_PRIORITY 1000
|
# define MAX_RULE_PRIORITY 1000
|
||||||
|
|
||||||
|
# define NWFILTER_MIN_FILTER_PRIORITY -1000
|
||||||
|
# define NWFILTER_MAX_FILTER_PRIORITY MAX_RULE_PRIORITY
|
||||||
|
|
||||||
|
# define NWFILTER_ROOT_FILTER_PRI 0
|
||||||
|
# define NWFILTER_IPV4_FILTER_PRI -700
|
||||||
|
# define NWFILTER_IPV6_FILTER_PRI -600
|
||||||
|
# define NWFILTER_ARP_FILTER_PRI -500
|
||||||
|
# define NWFILTER_RARP_FILTER_PRI -400
|
||||||
|
|
||||||
enum virNWFilterRuleFlags {
|
enum virNWFilterRuleFlags {
|
||||||
RULE_FLAG_NO_STATEMATCH = (1 << 0),
|
RULE_FLAG_NO_STATEMATCH = (1 << 0),
|
||||||
RULE_FLAG_STATE_NEW = (1 << 1),
|
RULE_FLAG_STATE_NEW = (1 << 1),
|
||||||
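Review bot: `# define NWFILTER_MIN_FILTER_PRIORITY -1000` and the four negative `NWFILTER_*_FILTER_PRI` values are not parenthesized, so an expression such as `-NWFILTER_MIN_FILTER_PRIORITY` expands to `--1000` and fails to compile, and adjacent-operator expansions are generally fragile; write `# define NWFILTER_MIN_FILTER_PRIORITY (-1000)` and likewise for `NWFILTER_IPV4_FILTER_PRI` through `NWFILTER_RARP_FILTER_PRI`. Separately, `NWFILTER_ROOT_FILTER_PRI 0` equals `MIN_RULE_PRIORITY 0`, so a root chain and a priority-0 rule compare equal under the "lower value first" rule; the commit message states chains are always instantiated before rules, which holds for the four negative chains but for root depends on how the sort breaks ties, which is not visible in this commit. Either a strictly negative root value or a comment on the define stating that the tie is intended would make this explicit.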
@ -436,6 +446,7 @@ enum virNWFilterChainSuffixType {
|
|||||||
VIR_NWFILTER_CHAINSUFFIX_LAST,
|
VIR_NWFILTER_CHAINSUFFIX_LAST,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
typedef int32_t virNWFilterChainPriority;
|
||||||
|
|
||||||
typedef struct _virNWFilterDef virNWFilterDef;
|
typedef struct _virNWFilterDef virNWFilterDef;
|
||||||
typedef virNWFilterDef *virNWFilterDefPtr;
|
typedef virNWFilterDef *virNWFilterDefPtr;
|
||||||
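Review bot: `typedef int32_t virNWFilterChainPriority;` is introduced without a comment, so nothing at the type's definition says what range it holds or which direction sorts first; the defines added earlier in this header suggest the range. I would write `typedef int32_t virNWFilterChainPriority; /* NWFILTER_MIN_FILTER_PRIORITY..NWFILTER_MAX_FILTER_PRIORITY; lower values are instantiated first */`, hedged as "presumably" if the range is not meant to be enforced.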
@ -445,6 +456,7 @@ struct _virNWFilterDef {
|
|||||||
unsigned char uuid[VIR_UUID_BUFLEN];
|
unsigned char uuid[VIR_UUID_BUFLEN];
|
||||||
|
|
||||||
int chainsuffix; /*enum virNWFilterChainSuffixType */
|
int chainsuffix; /*enum virNWFilterChainSuffixType */
|
||||||
|
virNWFilterChainPriority chainPriority;
|
||||||
|
|
||||||
int nentries;
|
int nentries;
|
||||||
virNWFilterEntryPtr *filterEntries;
|
virNWFilterEntryPtr *filterEntries;
|
||||||
|
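Review bot: The new `virNWFilterChainPriority chainPriority;` member of struct _virNWFilterDef has no comment, while its sibling `chainsuffix` documents what it holds; the same applies to the `chainPriority` member added to struct _ebiptablesRuleInst in the last hunk, where the neighbouring `chainprefix` field is commented. I would add `/* sort key for chain instantiation; lower values are instantiated first */` after each of the two fields so the meaning does not have to be looked up in the parser.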
@ -328,6 +328,7 @@ static int
|
|||||||
ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
|
ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
|
||||||
char *commandTemplate,
|
char *commandTemplate,
|
||||||
enum virNWFilterChainSuffixType neededChain,
|
enum virNWFilterChainSuffixType neededChain,
|
||||||
|
virNWFilterChainPriority chainPriority,
|
||||||
char chainprefix,
|
char chainprefix,
|
||||||
unsigned int priority,
|
unsigned int priority,
|
||||||
enum RuleType ruleType)
|
enum RuleType ruleType)
|
||||||
@ -341,6 +342,7 @@ ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
|
|||||||
|
|
||||||
inst->commandTemplate = commandTemplate;
|
inst->commandTemplate = commandTemplate;
|
||||||
inst->neededProtocolChain = neededChain;
|
inst->neededProtocolChain = neededChain;
|
||||||
|
inst->chainPriority = chainPriority;
|
||||||
inst->chainprefix = chainprefix;
|
inst->chainprefix = chainprefix;
|
||||||
inst->priority = priority;
|
inst->priority = priority;
|
||||||
inst->ruleType = ruleType;
|
inst->ruleType = ruleType;
|
||||||
@ -1589,6 +1591,7 @@ _iptablesCreateRuleInstance(int directionIn,
|
|||||||
return ebiptablesAddRuleInst(res,
|
return ebiptablesAddRuleInst(res,
|
||||||
virBufferContentAndReset(final),
|
virBufferContentAndReset(final),
|
||||||
nwfilter->chainsuffix,
|
nwfilter->chainsuffix,
|
||||||
|
nwfilter->chainPriority,
|
||||||
'\0',
|
'\0',
|
||||||
rule->priority,
|
rule->priority,
|
||||||
(isIPv6) ? RT_IP6TABLES : RT_IPTABLES);
|
(isIPv6) ? RT_IP6TABLES : RT_IPTABLES);
|
||||||
@ -2338,6 +2341,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
|
|||||||
return ebiptablesAddRuleInst(res,
|
return ebiptablesAddRuleInst(res,
|
||||||
virBufferContentAndReset(&buf),
|
virBufferContentAndReset(&buf),
|
||||||
nwfilter->chainsuffix,
|
nwfilter->chainsuffix,
|
||||||
|
nwfilter->chainPriority,
|
||||||
chainPrefix,
|
chainPrefix,
|
||||||
rule->priority,
|
rule->priority,
|
||||||
RT_EBTABLES);
|
RT_EBTABLES);
|
||||||
|
@ -36,6 +36,7 @@ typedef ebiptablesRuleInst *ebiptablesRuleInstPtr;
|
|||||||
struct _ebiptablesRuleInst {
|
struct _ebiptablesRuleInst {
|
||||||
char *commandTemplate;
|
char *commandTemplate;
|
||||||
enum virNWFilterChainSuffixType neededProtocolChain;
|
enum virNWFilterChainSuffixType neededProtocolChain;
|
||||||
|
virNWFilterChainPriority chainPriority;
|
||||||
char chainprefix; /* I for incoming, O for outgoing */
|
char chainprefix; /* I for incoming, O for outgoing */
|
||||||
unsigned int priority;
|
unsigned int priority;
|
||||||
enum RuleType ruleType;
|
enum RuleType ruleType;
|
||||||
|