External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-22 13:45:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

util: add new "tc" layer for virFirewallCmd objects

Browse Source 
If the layer of a virFirewallCmd is "tc", then the "tc" utility will
be executed using the arguments that had been added to the
virFirewallCmd

tc layer doesn't support auto-rollback command creation (any rollback
needs to be added manually with virFirewallAddRollbackCmd()), and also
tc layer isn't supported by the iptables backend (it would have been
straightforward to add, but the iptables backend doesn't need it, and
I didn't want to take the chance of causing a regression in that
code for no good reason).

Signed-off-by: Laine Stump <laine@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Laine Stump 2024-11-25 22:24:48 -05:00 committed by Michal Privoznik
parent f1d94bbfa6
commit 6412c2cb51
4 changed files with 44 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/network/network_nftables.c
View File

@ -73,6 +73,7 @@ VIR_ENUM_IMPL(nftablesLayer,
"", "",
"ip", "ip",
"ip6", "ip6",
"",
); );

16
src/util/virfirewall.c
View File

@ -47,6 +47,7 @@ VIR_ENUM_IMPL(virFirewallLayer,
"ethernet", "ethernet",
"ipv4", "ipv4",
"ipv6", "ipv6",
"tc",
); );
typedef struct _virFirewallGroup virFirewallGroup; typedef struct _virFirewallGroup virFirewallGroup;
@ -57,6 +58,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand,
EBTABLES, EBTABLES,
IPTABLES, IPTABLES,
IP6TABLES, IP6TABLES,
TC,
); );
struct _virFirewallCmd { struct _virFirewallCmd {
@ -591,6 +593,7 @@ virFirewallCmdIptablesApply(virFirewall *firewall,
case VIR_FIREWALL_LAYER_IPV6: case VIR_FIREWALL_LAYER_IPV6:
virCommandAddArg(cmd, "-w"); virCommandAddArg(cmd, "-w");
break; break;
case VIR_FIREWALL_LAYER_TC:
case VIR_FIREWALL_LAYER_LAST: case VIR_FIREWALL_LAYER_LAST:
break; break;
} }
@ -672,6 +675,17 @@ virFirewallCmdNftablesApply(virFirewall *firewall G_GNUC_UNUSED,
size_t i; size_t i;
int status; int status;
if (fwCmd->layer == VIR_FIREWALL_LAYER_TC) {
/* for VIR_FIREWALL_LAYER_TC, we run the 'tc' (traffic control) command with
* the supplied args.
*/
cmd = virCommandNew(TC);
/* NB: RAW commands don't support auto-rollback command creation */
} else {
cmd = virCommandNew(NFT); cmd = virCommandNew(NFT);
if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) && if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) &&
@ -707,6 +721,8 @@ virFirewallCmdNftablesApply(virFirewall *firewall G_GNUC_UNUSED,
} }
} }
}
for (i = 0; i < fwCmd->argsLen; i++) for (i = 0; i < fwCmd->argsLen; i++)
virCommandAddArg(cmd, fwCmd->args[i]); virCommandAddArg(cmd, fwCmd->args[i]);

1
src/util/virfirewall.h
View File

@ -39,6 +39,7 @@ typedef enum {
VIR_FIREWALL_LAYER_ETHERNET, VIR_FIREWALL_LAYER_ETHERNET,
VIR_FIREWALL_LAYER_IPV4, VIR_FIREWALL_LAYER_IPV4,
VIR_FIREWALL_LAYER_IPV6, VIR_FIREWALL_LAYER_IPV6,
VIR_FIREWALL_LAYER_TC,
VIR_FIREWALL_LAYER_LAST, VIR_FIREWALL_LAYER_LAST,
} virFirewallLayer; } virFirewallLayer;

1
src/util/virfirewalld.c
View File

@ -43,6 +43,7 @@ VIR_LOG_INIT("util.firewalld");
VIR_ENUM_DECL(virFirewallLayerFirewallD); VIR_ENUM_DECL(virFirewallLayerFirewallD);
VIR_ENUM_IMPL(virFirewallLayerFirewallD, VIR_ENUM_IMPL(virFirewallLayerFirewallD,
VIR_FIREWALL_LAYER_LAST, VIR_FIREWALL_LAYER_LAST,
"",
"eb", "eb",
"ipv4", "ipv4",
"ipv6", "ipv6",