nwfilter: Fix support for trusted DHCP servers

Fix the support for trusted DHCP servers in the ebtables code's
hard-coded function that applies DHCP-only filtering rules:
rather than using a char *, use the more flexible
virNWFilterVarValuePtr, which contains the IP address(es) of the
trusted DHCP server(s). Process all entries.

Since all callers so far provided NULL as parameter, no changes
are necessary in any other code.
Stefan Berger 2012-04-19 10:21:43 -04:00 committed by Stefan Berger
parent 71bc80b60e
commit 7c26343bc3
2 changed files with 44 additions and 30 deletions


@ -625,7 +625,7 @@ typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname, typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
const unsigned char *macaddr, const unsigned char *macaddr,
const char *dhcpserver, virNWFilterVarValuePtr dhcpsrvs,
bool leaveTemporary); bool leaveTemporary);
typedef int (*virNWFilterRemoveBasicRules)(const char *ifname); typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
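Review bot: The new parameter is spelled `dhcpsrvs` in this typedef but `dhcpsrvrs` in ebtablesApplyDHCPOnlyRules and its doc comment; one spelling in both places keeps searches and later renames reliable. The typedef also says nothing about the contract of the new argument. A comment above it such as `/* dhcpsrvrs: trusted DHCP server IP address(es); NULL or empty = no source restriction */` would record what the implementation appears to do with a NULL value.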


@ -3195,7 +3195,7 @@ tear_down_tmpebchains:
* @ifname: name of the backend-interface to which to apply the rules * @ifname: name of the backend-interface to which to apply the rules
* @macaddr: MAC address the VM is using in packets sent through the * @macaddr: MAC address the VM is using in packets sent through the
* interface * interface
* @dhcpserver: The DHCP server from which the VM may receive traffic * @dhcpsrvrs: The DHCP server(s) from which the VM may receive traffic
* from; may be NULL * from; may be NULL
* @leaveTemporary: Whether to leave the table names with their temporary * @leaveTemporary: Whether to leave the table names with their temporary
* names (true) or also perform the renaming to their final names as * names (true) or also perform the renaming to their final names as
@ -3209,14 +3209,15 @@ tear_down_tmpebchains:
static int static int
ebtablesApplyDHCPOnlyRules(const char *ifname, ebtablesApplyDHCPOnlyRules(const char *ifname,
const unsigned char *macaddr, const unsigned char *macaddr,
const char *dhcpserver, virNWFilterVarValuePtr dhcpsrvrs,
bool leaveTemporary) bool leaveTemporary)
{ {
virBuffer buf = VIR_BUFFER_INITIALIZER; virBuffer buf = VIR_BUFFER_INITIALIZER;
char chain_in [MAX_CHAINNAME_LENGTH], char chain_in [MAX_CHAINNAME_LENGTH],
chain_out[MAX_CHAINNAME_LENGTH]; chain_out[MAX_CHAINNAME_LENGTH];
char macaddr_str[VIR_MAC_STRING_BUFLEN]; char macaddr_str[VIR_MAC_STRING_BUFLEN];
char *srcIPParam = NULL; unsigned int idx = 0;
unsigned int num_dhcpsrvrs;
if (!ebtables_cmd_path) { if (!ebtables_cmd_path) {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s", virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@ -3225,15 +3226,6 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
return -1; return -1;
} }
if (dhcpserver) {
virBufferAsprintf(&buf, " --ip-src %s", dhcpserver);
if (virBufferError(&buf)) {
virBufferFreeAndReset(&buf);
return -1;
}
srcIPParam = virBufferContentAndReset(&buf);
}
virMacAddrFormat(macaddr, macaddr_str); virMacAddrFormat(macaddr, macaddr_str);
ebiptablesAllTeardown(ifname); ebiptablesAllTeardown(ifname);
@ -3267,6 +3259,24 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
chain_in, chain_in,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
num_dhcpsrvrs = (dhcpsrvrs != NULL)
? virNWFilterVarValueGetCardinality(dhcpsrvrs)
: 0;
while (true) {
char *srcIPParam = NULL;
if (idx < num_dhcpsrvrs) {
const char *dhcpserver;
dhcpserver = virNWFilterVarValueGetNthValue(dhcpsrvrs, idx);
if (virAsprintf(&srcIPParam, "--ip-src %s", dhcpserver) < 0) {
virReportOOMError();
goto tear_down_tmpebchains;
}
}
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("$EBT -t nat -A %s" CMD_DEF("$EBT -t nat -A %s"
" -d %s" " -d %s"
@ -3282,6 +3292,14 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
srcIPParam != NULL ? srcIPParam : "", srcIPParam != NULL ? srcIPParam : "",
CMD_STOPONERR(1)); CMD_STOPONERR(1));
VIR_FREE(srcIPParam);
if (idx == num_dhcpsrvrs)
break;
idx++;
}
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
@ -3301,8 +3319,6 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
if (ebiptablesExecCLI(&buf, NULL, NULL) < 0) if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)
goto tear_down_tmpebchains; goto tear_down_tmpebchains;
VIR_FREE(srcIPParam);
return 0; return 0;
tear_down_tmpebchains: tear_down_tmpebchains:
@ -3312,8 +3328,6 @@ tear_down_tmpebchains:
"%s", "%s",
_("Some rules could not be created.")); _("Some rules could not be created."));
VIR_FREE(srcIPParam);
return -1; return -1;
} }
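Review bot: The new `while (true)` loop runs one pass more than there are trusted servers, because `if (idx == num_dhcpsrvrs) break;` is tested before `idx++`. With one or more servers configured, the final pass leaves `srcIPParam` NULL and appends the same rule with an empty source match. The rule's target lies outside the visible lines, but if it is the accept rule for DHCP replies, that extra rule admits replies from any server and the trusted list restricts nothing. Incrementing first, `idx++; if (idx >= num_dhcpsrvrs) break;`, keeps the single unrestricted pass for the NULL or empty case only. Separately, `dhcpserver` is formatted into the command text with `--ip-src %s` without any check here that it is non-NULL and an IP literal, so a comment stating where the variable values are validated before they reach this function would help.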