diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 533071d08c..6cb3003499 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2406,6 +2406,8 @@ virFileCacheSetPriv; # util/virfirewall.h virFirewallAddCmdFull; virFirewallApply; +virFirewallBackendTypeFromString; +virFirewallBackendTypeToString; virFirewallCmdAddArg; virFirewallCmdAddArgFormat; virFirewallCmdAddArgList; @@ -2413,6 +2415,7 @@ virFirewallCmdAddArgSet; virFirewallCmdGetArgCount; virFirewallCmdToString; virFirewallFree; +virFirewallGetBackend; virFirewallNew; virFirewallRemoveCmd; virFirewallStartRollback; diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index d7e749adf0..db35a4c5a0 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -131,7 +131,7 @@ iptablesPrivateChainCreate(virFirewall *fw, int iptablesSetupPrivateChains(virFirewallLayer layer) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); iptablesGlobalChain filter_chains[] = { {"INPUT", VIR_IPTABLES_INPUT_CHAIN}, {"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN}, @@ -1597,7 +1597,7 @@ iptablesAddFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, 0); @@ -1632,7 +1632,7 @@ iptablesRemoveFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); iptablesRemoveChecksumFirewallRules(fw, def); diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 3ef1bb576e..5082b62577 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c 
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -2820,7 +2820,7 @@ static int ebtablesApplyBasicRules(const char *ifname, const virMacAddr *macaddr) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); char chain[MAX_CHAINNAME_LENGTH]; char chainPrefix = CHAINPREFIX_HOST_IN_TEMP; char macaddr_str[VIR_MAC_STRING_BUFLEN]; @@ -2893,7 +2893,7 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, char macaddr_str[VIR_MAC_STRING_BUFLEN]; unsigned int idx = 0; unsigned int num_dhcpsrvrs; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virMacAddrFormat(macaddr, macaddr_str); @@ -2995,7 +2995,7 @@ ebtablesApplyDropAllRules(const char *ifname) { char chain_in [MAX_CHAINNAME_LENGTH], chain_out[MAX_CHAINNAME_LENGTH]; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); if (ebiptablesAllTeardown(ifname) < 0) return -1; @@ -3042,7 +3042,7 @@ ebtablesRemoveBasicRules(const char *ifname) static int ebtablesCleanAll(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); @@ -3302,7 +3302,7 @@ ebiptablesApplyNewRules(const char *ifname, size_t nrules) { size_t i, j; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); g_autoptr(GHashTable) chains_in_set = virHashNew(NULL); g_autoptr(GHashTable) chains_out_set = virHashNew(NULL); bool haveEbtables = false; 
@@ -3527,7 +3527,7 @@ ebiptablesTearNewRulesFW(virFirewall *fw, const char *ifname) static int ebiptablesTearNewRules(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); @@ -3539,7 +3539,7 @@ ebiptablesTearNewRules(const char *ifname) static int ebiptablesTearOldRules(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); @@ -3574,7 +3574,7 @@ ebiptablesTearOldRules(const char *ifname) static int ebiptablesAllTeardown(const char *ifname) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); diff --git a/src/util/virebtables.c b/src/util/virebtables.c index cabcbb3e81..8a361a2dbb 100644 --- a/src/util/virebtables.c +++ b/src/util/virebtables.c @@ -78,7 +78,7 @@ ebtablesContextFree(ebtablesContext *ctx) int ebtablesAddForwardPolicyReject(ebtablesContext *ctx) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS); virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, @@ -106,7 +106,7 @@ ebtablesForwardAllowIn(ebtablesContext *ctx, const char *macaddr, int action) { - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); virFirewallStartTransaction(fw, 0); virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 56d43bfdde..77de34533d 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c 
@@ -35,6 +35,10 @@ VIR_LOG_INIT("util.firewall"); +VIR_ENUM_IMPL(virFirewallBackend, + VIR_FIREWALL_BACKEND_LAST, + "iptables"); + typedef struct _virFirewallGroup virFirewallGroup; VIR_ENUM_DECL(virFirewallLayerCommand); @@ -77,6 +81,7 @@ struct _virFirewall { size_t ngroups; virFirewallGroup **groups; size_t currentGroup; + virFirewallBackend backend; }; static virMutex fwCmdLock = VIR_MUTEX_INITIALIZER; @@ -98,14 +103,22 @@ virFirewallGroupNew(void) * * Returns the new firewall ruleset */ -virFirewall *virFirewallNew(void) +virFirewall *virFirewallNew(virFirewallBackend backend) { virFirewall *firewall = g_new0(virFirewall, 1); + firewall->backend = backend; return firewall; } +virFirewallBackend +virFirewallGetBackend(virFirewall *firewall) +{ + return firewall->backend; +} + + static void virFirewallCmdFree(virFirewallCmd *fwCmd) { diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 956bf0e2bf..1ca1cce10a 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -21,6 +21,7 @@ #pragma once #include "internal.h" +#include "virenum.h" typedef struct _virFirewall virFirewall; @@ -34,9 +35,17 @@ typedef enum { VIR_FIREWALL_LAYER_LAST, } virFirewallLayer; -virFirewall *virFirewallNew(void); +typedef enum { + VIR_FIREWALL_BACKEND_IPTABLES, + VIR_FIREWALL_BACKEND_LAST, +} virFirewallBackend; + +VIR_ENUM_DECL(virFirewallBackend); + +virFirewall *virFirewallNew(virFirewallBackend backend); void virFirewallFree(virFirewall *firewall); +virFirewallBackend virFirewallGetBackend(virFirewall *firewall); /** * virFirewallAddCmd: diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index 45bb67cb21..38726dcc7a 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c 
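Review bot: The new `backend` parameter of virFirewallNew in the third virfirewall.c hunk (`@@ -98,14 +103,22 @@`) is neither documented nor range-checked: the doc block above the signature opens outside the hunk, and the visible context shows no `@backend:` entry being added, while the value is stored into `firewall->backend` as-is. Since the newly exported virFirewallBackendTypeFromString presumably returns -1 for an unknown string, a later caller that feeds a parsed value straight in would store a bogus backend that virFirewallGetBackend then hands back unchanged; rather than alter the constructor's contract (no caller here checks its result), I would state the precondition in the doc block, e.g. ` * @backend: the firewall backend to drive; must be a valid virFirewallBackend value below VIR_FIREWALL_BACKEND_LAST, so callers parsing it with virFirewallBackendTypeFromString must reject -1 first`. virFirewallGetBackend is also the only function added here without a doc comment; a short ` * Returns the backend @firewall was created with` block in the same style as virFirewallNew's would keep the file consistent.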
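Review bot: The single enumerator VIR_FIREWALL_BACKEND_IPTABLES in the virfirewall.h hunk (`@@ -34,9 +35,17 @@`) reads narrower than what it is used for: every caller passes it, including the ebtables paths in virebtables.c and the ebtablesApply*/ebiptables* functions in nwfilter_ebiptables_driver.c, which go on to add VIR_FIREWALL_LAYER_ETHERNET commands. A comment on the enumerator would make the intended granularity explicit and stop a later backend from being selected per layer by mistake: `VIR_FIREWALL_BACKEND_IPTABLES, /* the iptables family of command line tools, ebtables included */`. The string registered by VIR_ENUM_IMPL stays "iptables", so this is comment-only and leaves the exported TypeFromString/TypeToString behaviour untouched.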
@@ -62,7 +62,7 @@ static int testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -102,7 +102,7 @@ static int testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -148,7 +148,7 @@ static int testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -222,7 +222,7 @@ static int testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -275,7 +275,7 @@ static int testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" 
@@ -327,7 +327,7 @@ static int testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -372,7 +372,7 @@ static int testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -437,7 +437,7 @@ static int testFirewallManyRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -505,7 +505,7 @@ static int testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -682,7 +682,7 @@ static int testFirewallQuery(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw = virFirewallNew(); + g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES); const char *actual = NULL; const char *expected = IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"