mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-09-13 11:15:08 +00:00
Wed Mar 30 17:25:33 IST 2007 Mark McLoughlin <markmc@redhat.com>
* qemud/iptables.c: As suggested by danpb, make libvirt_qemud handle SIGHUP by re-loading the iptables rules.
This commit is contained in:
parent
812b34fdd8
commit
8ba930c380
@ -1,3 +1,8 @@
|
|||||||
|
Wed Mar 30 17:25:33 IST 2007 Mark McLoughlin <markmc@redhat.com>
|
||||||
|
|
||||||
|
* qemud/iptables.c: As suggested by danpb, make libvirt_qemud
|
||||||
|
handle SIGHUP by re-loading the iptables rules.
|
||||||
|
|
||||||
Wed Mar 30 17:24:48 IST 2007 Mark McLoughlin <markmc@redhat.com>
|
Wed Mar 30 17:24:48 IST 2007 Mark McLoughlin <markmc@redhat.com>
|
||||||
|
|
||||||
* qemud/iptables.c: Re-factor things a little so that we
|
* qemud/iptables.c: Re-factor things a little so that we
|
||||||
|
119
qemud/iptables.c
119
qemud/iptables.c
@ -36,6 +36,8 @@
|
|||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
#include <sys/wait.h>
|
#include <sys/wait.h>
|
||||||
|
|
||||||
|
#include "internal.h"
|
||||||
|
|
||||||
enum {
|
enum {
|
||||||
ADD = 0,
|
ADD = 0,
|
||||||
REMOVE
|
REMOVE
|
||||||
@ -46,13 +48,20 @@ enum {
|
|||||||
NO_ERRORS
|
NO_ERRORS
|
||||||
};
|
};
|
||||||
|
|
||||||
|
typedef struct
|
||||||
|
{
|
||||||
|
char *rule;
|
||||||
|
char **argv;
|
||||||
|
int flipflop;
|
||||||
|
} iptRule;
|
||||||
|
|
||||||
typedef struct
|
typedef struct
|
||||||
{
|
{
|
||||||
char *table;
|
char *table;
|
||||||
char *chain;
|
char *chain;
|
||||||
|
|
||||||
int nrules;
|
int nrules;
|
||||||
char **rules;
|
iptRule *rules;
|
||||||
|
|
||||||
#ifdef IPTABLES_DIR
|
#ifdef IPTABLES_DIR
|
||||||
|
|
||||||
@ -73,7 +82,7 @@ struct _iptablesContext
|
|||||||
#ifdef IPTABLES_DIR
|
#ifdef IPTABLES_DIR
|
||||||
static int
|
static int
|
||||||
writeRules(const char *path,
|
writeRules(const char *path,
|
||||||
char * const *rules,
|
const iptRules *rules,
|
||||||
int nrules)
|
int nrules)
|
||||||
{
|
{
|
||||||
char tmp[PATH_MAX];
|
char tmp[PATH_MAX];
|
||||||
@ -96,7 +105,7 @@ writeRules(const char *path,
|
|||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < nrules; i++) {
|
for (i = 0; i < nrules; i++) {
|
||||||
if (fputs(rules[i], f) == EOF ||
|
if (fputs(rules[i].rule, f) == EOF ||
|
||||||
fputc('\n', f) == EOF) {
|
fputc('\n', f) == EOF) {
|
||||||
fclose(f);
|
fclose(f);
|
||||||
if (istmp)
|
if (istmp)
|
||||||
@ -173,19 +182,43 @@ buildPath(const char *table,
|
|||||||
}
|
}
|
||||||
#endif /* IPTABLES_DIR */
|
#endif /* IPTABLES_DIR */
|
||||||
|
|
||||||
|
static void
|
||||||
|
iptRuleFree(iptRule *rule)
|
||||||
|
{
|
||||||
|
if (rule->rule)
|
||||||
|
free(rule->rule);
|
||||||
|
rule->rule = NULL;
|
||||||
|
|
||||||
|
if (rule->argv) {
|
||||||
|
int i = 0;
|
||||||
|
while (rule->argv[i])
|
||||||
|
free(rule->argv[i++]);
|
||||||
|
free(rule->argv);
|
||||||
|
rule->argv = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
iptRulesAppend(iptRules *rules,
|
iptRulesAppend(iptRules *rules,
|
||||||
const char *rule)
|
char *rule,
|
||||||
|
char **argv,
|
||||||
|
int flipflop)
|
||||||
{
|
{
|
||||||
char **r;
|
iptRule *r;
|
||||||
|
|
||||||
if (!(r = (char **)realloc(rules->rules, sizeof(char *) * (rules->nrules+1))))
|
if (!(r = (iptRule *)realloc(rules->rules, sizeof(iptRule) * (rules->nrules+1)))) {
|
||||||
|
int i = 0;
|
||||||
|
while (argv[i])
|
||||||
|
free(argv[i++]);
|
||||||
|
free(argv);
|
||||||
return ENOMEM;
|
return ENOMEM;
|
||||||
|
}
|
||||||
|
|
||||||
rules->rules = r;
|
rules->rules = r;
|
||||||
|
|
||||||
if (!(rules->rules[rules->nrules] = strdup(rule)))
|
rules->rules[rules->nrules].rule = rule;
|
||||||
return ENOMEM;
|
rules->rules[rules->nrules].argv = argv;
|
||||||
|
rules->rules[rules->nrules].flipflop = flipflop;
|
||||||
|
|
||||||
rules->nrules++;
|
rules->nrules++;
|
||||||
|
|
||||||
@ -211,17 +244,17 @@ iptRulesRemove(iptRules *rules,
|
|||||||
int i;
|
int i;
|
||||||
|
|
||||||
for (i = 0; i < rules->nrules; i++)
|
for (i = 0; i < rules->nrules; i++)
|
||||||
if (!strcmp(rules->rules[i], strdup(rule)))
|
if (!strcmp(rules->rules[i].rule, strdup(rule)))
|
||||||
break;
|
break;
|
||||||
|
|
||||||
if (i >= rules->nrules)
|
if (i >= rules->nrules)
|
||||||
return EINVAL;
|
return EINVAL;
|
||||||
|
|
||||||
free(rules->rules[i]);
|
iptRuleFree(&rules->rules[i]);
|
||||||
|
|
||||||
memmove(&rules->rules[i],
|
memmove(&rules->rules[i],
|
||||||
&rules->rules[i+1],
|
&rules->rules[i+1],
|
||||||
(rules->nrules - i - 1) * sizeof (char *));
|
(rules->nrules - i - 1) * sizeof (iptRule));
|
||||||
|
|
||||||
rules->nrules--;
|
rules->nrules--;
|
||||||
|
|
||||||
@ -253,16 +286,14 @@ iptRulesFree(iptRules *rules)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
for (i = 0; i < rules->nrules; i++) {
|
|
||||||
free(rules->rules[i]);
|
|
||||||
rules->rules[i] = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
rules->nrules = 0;
|
|
||||||
|
|
||||||
if (rules->rules) {
|
if (rules->rules) {
|
||||||
|
for (i = 0; i < rules->nrules; i++)
|
||||||
|
iptRuleFree(&rules->rules[i]);
|
||||||
|
|
||||||
free(rules->rules);
|
free(rules->rules);
|
||||||
rules->rules = NULL;
|
rules->rules = NULL;
|
||||||
|
|
||||||
|
rules->nrules = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef IPTABLES_DIR
|
#ifdef IPTABLES_DIR
|
||||||
@ -401,7 +432,7 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...)
|
|||||||
char **argv;
|
char **argv;
|
||||||
char *rule = NULL, *p;
|
char *rule = NULL, *p;
|
||||||
const char *s;
|
const char *s;
|
||||||
int n, rulelen;
|
int n, rulelen, flipflop;
|
||||||
|
|
||||||
n = 1 + /* /sbin/iptables */
|
n = 1 + /* /sbin/iptables */
|
||||||
2 + /* --table foo */
|
2 + /* --table foo */
|
||||||
@ -435,6 +466,8 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...)
|
|||||||
if (!(argv[n++] = strdup(rules->table)))
|
if (!(argv[n++] = strdup(rules->table)))
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
|
flipflop = n;
|
||||||
|
|
||||||
if (!(argv[n++] = strdup(action == ADD ? "--insert" : "--delete")))
|
if (!(argv[n++] = strdup(action == ADD ? "--insert" : "--delete")))
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
@ -473,10 +506,13 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...)
|
|||||||
(retval = iptablesAddRemoveChain(rules, action)))
|
(retval = iptablesAddRemoveChain(rules, action)))
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
if (action == ADD)
|
if (action == ADD) {
|
||||||
retval = iptRulesAppend(rules, rule);
|
retval = iptRulesAppend(rules, rule, argv, flipflop);
|
||||||
else
|
rule = NULL;
|
||||||
|
argv = NULL;
|
||||||
|
} else {
|
||||||
retval = iptRulesRemove(rules, rule);
|
retval = iptRulesRemove(rules, rule);
|
||||||
|
}
|
||||||
|
|
||||||
error:
|
error:
|
||||||
if (rule)
|
if (rule)
|
||||||
@ -528,6 +564,45 @@ iptablesContextFree(iptablesContext *ctx)
|
|||||||
free(ctx);
|
free(ctx);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
iptRulesReload(iptRules *rules)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
int retval;
|
||||||
|
|
||||||
|
for (i = 0; i < rules->nrules; i++) {
|
||||||
|
iptRule *rule = &rules->rules[i];
|
||||||
|
char *orig;
|
||||||
|
|
||||||
|
orig = rule->argv[rule->flipflop];
|
||||||
|
rule->argv[rule->flipflop] = (char *) "--delete";
|
||||||
|
|
||||||
|
if ((retval = iptablesSpawn(WITH_ERRORS, rule->argv)))
|
||||||
|
qemudLog(QEMUD_WARN, "Failed to remove iptables rule '%s' from chain '%s' in table '%s': %s",
|
||||||
|
rule->rule, rules->chain, rules->table, strerror(errno));
|
||||||
|
|
||||||
|
rule->argv[rule->flipflop] = orig;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((retval = iptablesAddRemoveChain(rules, REMOVE)) ||
|
||||||
|
(retval = iptablesAddRemoveChain(rules, ADD)))
|
||||||
|
qemudLog(QEMUD_WARN, "Failed to re-create chain '%s' in table '%s': %s",
|
||||||
|
rules->chain, rules->table, strerror(retval));
|
||||||
|
|
||||||
|
for (i = 0; i < rules->nrules; i++)
|
||||||
|
if ((retval = iptablesSpawn(WITH_ERRORS, rules->rules[i].argv)))
|
||||||
|
qemudLog(QEMUD_WARN, "Failed to add iptables rule '%s' to chain '%s' in table '%s': %s",
|
||||||
|
rules->rules[i].rule, rules->chain, rules->table, strerror(retval));
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
iptablesReloadRules(iptablesContext *ctx)
|
||||||
|
{
|
||||||
|
iptRulesReload(ctx->input_filter);
|
||||||
|
iptRulesReload(ctx->forward_filter);
|
||||||
|
iptRulesReload(ctx->nat_postrouting);
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
iptablesInput(iptablesContext *ctx,
|
iptablesInput(iptablesContext *ctx,
|
||||||
const char *iface,
|
const char *iface,
|
||||||
|
@ -27,6 +27,8 @@ typedef struct _iptablesContext iptablesContext;
|
|||||||
iptablesContext *iptablesContextNew (void);
|
iptablesContext *iptablesContextNew (void);
|
||||||
void iptablesContextFree (iptablesContext *ctx);
|
void iptablesContextFree (iptablesContext *ctx);
|
||||||
|
|
||||||
|
void iptablesReloadRules (iptablesContext *ctx);
|
||||||
|
|
||||||
int iptablesAddTcpInput (iptablesContext *ctx,
|
int iptablesAddTcpInput (iptablesContext *ctx,
|
||||||
const char *iface,
|
const char *iface,
|
||||||
int port);
|
int port);
|
||||||
|
@ -96,6 +96,11 @@ static int qemudDispatchSignal(struct qemud_server *server)
|
|||||||
case SIGHUP:
|
case SIGHUP:
|
||||||
qemudLog(QEMUD_INFO, "Reloading configuration on SIGHUP");
|
qemudLog(QEMUD_INFO, "Reloading configuration on SIGHUP");
|
||||||
ret = qemudScanConfigs(server);
|
ret = qemudScanConfigs(server);
|
||||||
|
|
||||||
|
if (server->iptables) {
|
||||||
|
qemudLog(QEMUD_INFO, "Reloading iptables rules");
|
||||||
|
iptablesReloadRules(server->iptables);
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case SIGINT:
|
case SIGINT:
|
||||||
|
Loading…
Reference in New Issue
Block a user