External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-23 13:05:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

nwfilter: use shell variable to invoke 'ebtables' command

Browse Source 
Introduce a shell variable 'EBT' to invoke the ebtables command.
Hard-code the used ebtables table to '-t nat'.

Tested with libvirt-tck.
This commit is contained in:
Stefan Berger 2011-11-22 15:12:04 -05:00 committed by Stefan Berger
parent fa69eb5f52
commit 970b417abb
1 changed files with 97 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

170
src/nwfilter/nwfilter_ebiptables_driver.c
View File

@ -47,7 +47,6 @@
#define VIR_FROM_THIS VIR_FROM_NWFILTER #define VIR_FROM_THIS VIR_FROM_NWFILTER
#define EBTABLES_DEFAULT_TABLE "nat"
#define EBTABLES_CHAIN_INCOMING "PREROUTING" #define EBTABLES_CHAIN_INCOMING "PREROUTING"
#define EBTABLES_CHAIN_OUTGOING "POSTROUTING" #define EBTABLES_CHAIN_OUTGOING "POSTROUTING"
@ -87,7 +86,6 @@ static char *ip6tables_cmd_path;
static char *grep_cmd_path; static char *grep_cmd_path;
static char *gawk_cmd_path; static char *gawk_cmd_path;
#define PRINT_ROOT_CHAIN(buf, prefix, ifname) \ #define PRINT_ROOT_CHAIN(buf, prefix, ifname) \
snprintf(buf, sizeof(buf), "libvirt-%c-%s", prefix, ifname) snprintf(buf, sizeof(buf), "libvirt-%c-%s", prefix, ifname)
#define PRINT_CHAIN(buf, prefix, ifname, suffix) \ #define PRINT_CHAIN(buf, prefix, ifname, suffix) \
@ -111,7 +109,7 @@ static const char ebtables_script_func_collect_chains[] =
"collect_chains()\n" "collect_chains()\n"
"{\n" "{\n"
" for tmp2 in $*; do\n" " for tmp2 in $*; do\n"
" for tmp in $(%s -t %s -L $tmp2 | \\\n" " for tmp in $($EBT -t nat -L $tmp2 | \\\n"
" sed -n \"/Bridge chain/,\\$ s/.*-j \\\\([%s]-.*\\\\)/\\\\1/p\");\n" " sed -n \"/Bridge chain/,\\$ s/.*-j \\\\([%s]-.*\\\\)/\\\\1/p\");\n"
" do\n" " do\n"
" echo $tmp\n" " echo $tmp\n"
@ -123,8 +121,8 @@ static const char ebtables_script_func_collect_chains[] =
static const char ebiptables_script_func_rm_chains[] = static const char ebiptables_script_func_rm_chains[] =
"rm_chains()\n" "rm_chains()\n"
"{\n" "{\n"
" for tmp in $*; do %s -t %s -F $tmp; done\n" " for tmp in $*; do $EBT -t nat -F $tmp; done\n"
" for tmp in $*; do %s -t %s -X $tmp; done\n" " for tmp in $*; do $EBT -t nat -X $tmp; done\n"
"}\n"; "}\n";
static const char ebiptables_script_func_rename_chains[] = static const char ebiptables_script_func_rename_chains[] =
@ -132,8 +130,8 @@ static const char ebiptables_script_func_rename_chains[] =
"{\n" "{\n"
" for tmp in $*; do\n" " for tmp in $*; do\n"
" case $tmp in\n" " case $tmp in\n"
" %c*) %s -t %s -E $tmp %c${tmp#?} ;;\n" " %c*) $EBT -t nat -E $tmp %c${tmp#?} ;;\n"
" %c*) %s -t %s -E $tmp %c${tmp#?} ;;\n" " %c*) $EBT -t nat -E $tmp %c${tmp#?} ;;\n"
" esac\n" " esac\n"
" done\n" " done\n"
"}\n"; "}\n";
@ -147,6 +145,9 @@ static const char ebiptables_script_set_ifs[] =
#define NWFILTER_FUNC_RENAME_CHAINS ebiptables_script_func_rename_chains #define NWFILTER_FUNC_RENAME_CHAINS ebiptables_script_func_rename_chains
#define NWFILTER_FUNC_SET_IFS ebiptables_script_set_ifs #define NWFILTER_FUNC_SET_IFS ebiptables_script_set_ifs
#define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \
virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path);
#define VIRT_IN_CHAIN "libvirt-in" #define VIRT_IN_CHAIN "libvirt-in"
#define VIRT_OUT_CHAIN "libvirt-out" #define VIRT_OUT_CHAIN "libvirt-out"
#define VIRT_IN_POST_CHAIN "libvirt-in-post" #define VIRT_IN_POST_CHAIN "libvirt-in-post"
@ -1995,9 +1996,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_MAC: case VIR_NWFILTER_RULE_PROTOCOL_MAC:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -t %s -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
vars, vars,
@ -2020,8 +2020,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_VLAN: case VIR_NWFILTER_RULE_PROTOCOL_VLAN:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -t %s -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
@ -2087,8 +2087,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
} }
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -t %s -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
@ -2125,8 +2125,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_RARP: case VIR_NWFILTER_RULE_PROTOCOL_RARP:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -t %s -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
vars, vars,
@ -2234,8 +2234,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_IP: case VIR_NWFILTER_RULE_PROTOCOL_IP:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -t %s -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
vars, vars,
@ -2370,8 +2370,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_IPV6: case VIR_NWFILTER_RULE_PROTOCOL_IPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -t %s -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
vars, vars,
@ -2494,8 +2494,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_NONE: case VIR_NWFILTER_RULE_PROTOCOL_NONE:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "%s -t %s -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); chain);
break; break;
default: default:
@ -2768,10 +2768,10 @@ ebtablesCreateTmpRootChain(virBufferPtr buf,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, chain,
CMD_STOPONERR(stopOnError)); CMD_STOPONERR(stopOnError));
return 0; return 0;
@ -2791,10 +2791,9 @@ ebtablesLinkTmpRootChain(virBufferPtr buf,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
CMD_DEF("%s -t %s -A %s -%c %s -j %s") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -%c %s -j %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
(incoming) ? EBTABLES_CHAIN_INCOMING (incoming) ? EBTABLES_CHAIN_INCOMING
: EBTABLES_CHAIN_OUTGOING, : EBTABLES_CHAIN_OUTGOING,
iodev, ifname, chain, iodev, ifname, chain,
@ -2822,10 +2821,10 @@ _ebtablesRemoveRootChain(virBufferPtr buf,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
"%s -t %s -F %s" CMD_SEPARATOR "$EBT -t nat -F %s" CMD_SEPARATOR
"%s -t %s -X %s" CMD_SEPARATOR, "$EBT -t nat -X %s" CMD_SEPARATOR,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, chain,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); chain);
return 0; return 0;
} }
@ -2867,8 +2866,7 @@ _ebtablesUnlinkRootChain(virBufferPtr buf,
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
"%s -t %s -D %s -%c %s -j %s" CMD_SEPARATOR, "$EBT -t nat -D %s -%c %s -j %s" CMD_SEPARATOR,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
(incoming) ? EBTABLES_CHAIN_INCOMING (incoming) ? EBTABLES_CHAIN_INCOMING
: EBTABLES_CHAIN_OUTGOING, : EBTABLES_CHAIN_OUTGOING,
iodev, ifname, chain); iodev, ifname, chain);
@ -2933,25 +2931,24 @@ ebtablesCreateTmpSubChain(ebiptablesRuleInstPtr *inst,
} }
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -F %s") CMD_SEPARATOR CMD_DEF("$EBT -t nat -F %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
CMD_DEF("%s -t %s -X %s") CMD_SEPARATOR CMD_DEF("$EBT -t nat -X %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s" "%s"
CMD_DEF("%s -t %s -%%c %s %%s %s-j %s") CMD_DEF("$EBT -t nat -%%c %s %%s %s-j %s")
CMD_SEPARATOR CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, chain,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, chain,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, chain,
CMD_STOPONERR(stopOnError), CMD_STOPONERR(stopOnError),
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
rootchain, protostr, chain, rootchain, protostr, chain,
CMD_STOPONERR(stopOnError)); CMD_STOPONERR(stopOnError));
@ -2985,11 +2982,11 @@ _ebtablesRemoveSubChains(virBufferPtr buf,
char rootchain[MAX_CHAINNAME_LENGTH]; char rootchain[MAX_CHAINNAME_LENGTH];
unsigned i; unsigned i;
NWFILTER_SET_EBTABLES_SHELLVAR(buf);
virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS, virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chains); chains);
virBufferAsprintf(buf, NWFILTER_FUNC_RM_CHAINS, virBufferAdd(buf, NWFILTER_FUNC_RM_CHAINS, -1);
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE);
virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS); virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS);
virBufferAddLit(buf, "chains=\"$(collect_chains"); virBufferAddLit(buf, "chains=\"$(collect_chains");
@ -3002,8 +2999,7 @@ _ebtablesRemoveSubChains(virBufferPtr buf,
for (i = 0; chains[i] != 0; i++) { for (i = 0; chains[i] != 0; i++) {
PRINT_ROOT_CHAIN(rootchain, chains[i], ifname); PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
virBufferAsprintf(buf, virBufferAsprintf(buf,
"%s -t %s -F %s\n", "$EBT -t nat -F %s\n",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
rootchain); rootchain);
} }
virBufferAddLit(buf, "rm_chains $chains\n"); virBufferAddLit(buf, "rm_chains $chains\n");
@ -3058,8 +3054,8 @@ ebtablesRenameTmpSubChain(virBufferPtr buf,
} }
virBufferAsprintf(buf, virBufferAsprintf(buf,
"%s -t %s -E %s %s" CMD_SEPARATOR, "$EBT -t nat -E %s %s" CMD_SEPARATOR,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, tmpchain, chain); tmpchain, chain);
return 0; return 0;
} }
@ -3082,14 +3078,14 @@ ebtablesRenameTmpSubAndRootChains(virBufferPtr buf,
CHAINPREFIX_HOST_OUT_TEMP, CHAINPREFIX_HOST_OUT_TEMP,
0}; 0};
NWFILTER_SET_EBTABLES_SHELLVAR(buf);
virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS, virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chains); chains);
virBufferAsprintf(buf, NWFILTER_FUNC_RENAME_CHAINS, virBufferAsprintf(buf, NWFILTER_FUNC_RENAME_CHAINS,
CHAINPREFIX_HOST_IN_TEMP, CHAINPREFIX_HOST_IN_TEMP,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
CHAINPREFIX_HOST_IN, CHAINPREFIX_HOST_IN,
CHAINPREFIX_HOST_OUT_TEMP, CHAINPREFIX_HOST_OUT_TEMP,
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
CHAINPREFIX_HOST_OUT); CHAINPREFIX_HOST_OUT);
virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS); virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS);
@ -3168,40 +3164,41 @@ ebtablesApplyBasicRules(const char *ifname,
ebiptablesAllTeardown(ifname); ebiptablesAllTeardown(ifname);
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesCreateTmpRootChain(&buf, 1, ifname, 1); ebtablesCreateTmpRootChain(&buf, 1, ifname, 1);
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -s ! %s -j DROP") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
chain, macaddr_str, chain, macaddr_str,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, chain,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s -p ARP -j ACCEPT") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -p ARP -j ACCEPT") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, chain,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, chain,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1);
@ -3266,6 +3263,8 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
ebiptablesAllTeardown(ifname); ebiptablesAllTeardown(ifname);
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesCreateTmpRootChain(&buf, 1, ifname, 1); ebtablesCreateTmpRootChain(&buf, 1, ifname, 1);
ebtablesCreateTmpRootChain(&buf, 0, ifname, 1); ebtablesCreateTmpRootChain(&buf, 0, ifname, 1);
@ -3273,7 +3272,7 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s" CMD_DEF("$EBT -t nat -A %s"
" -s %s -d Broadcast " " -s %s -d Broadcast "
" -p ipv4 --ip-protocol udp" " -p ipv4 --ip-protocol udp"
" --ip-src 0.0.0.0 --ip-dst 255.255.255.255" " --ip-src 0.0.0.0 --ip-dst 255.255.255.255"
@ -3282,20 +3281,20 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in, chain_in,
macaddr_str, macaddr_str,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in, chain_in,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s" CMD_DEF("$EBT -t nat -A %s"
" -d %s" " -d %s"
" -p ipv4 --ip-protocol udp" " -p ipv4 --ip-protocol udp"
" %s" " %s"
@ -3304,17 +3303,17 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out, chain_out,
macaddr_str, macaddr_str,
srcIPParam != NULL ? srcIPParam : "", srcIPParam != NULL ? srcIPParam : "",
CMD_STOPONERR(1)); CMD_STOPONERR(1));
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out, chain_out,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1);
@ -3367,6 +3366,8 @@ ebtablesApplyDropAllRules(const char *ifname)
ebiptablesAllTeardown(ifname); ebiptablesAllTeardown(ifname);
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesCreateTmpRootChain(&buf, 1, ifname, 1); ebtablesCreateTmpRootChain(&buf, 1, ifname, 1);
ebtablesCreateTmpRootChain(&buf, 0, ifname, 1); ebtablesCreateTmpRootChain(&buf, 0, ifname, 1);
@ -3374,19 +3375,19 @@ ebtablesApplyDropAllRules(const char *ifname)
PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in, chain_in,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out, chain_out,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1);
@ -3425,6 +3426,8 @@ static int ebtablesCleanAll(const char *ifname)
if (!ebtables_cmd_path) if (!ebtables_cmd_path)
return 0; return 0;
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesUnlinkRootChain(&buf, 1, ifname); ebtablesUnlinkRootChain(&buf, 1, ifname);
ebtablesUnlinkRootChain(&buf, 0, ifname); ebtablesUnlinkRootChain(&buf, 0, ifname);
ebtablesRemoveSubChains(&buf, ifname); ebtablesRemoveSubChains(&buf, ifname);
@ -3626,8 +3629,11 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
} }
} }
/* cleanup whatever may exist */ /* cleanup whatever may exist */
if (ebtables_cmd_path) { if (ebtables_cmd_path) {
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesUnlinkTmpRootChain(&buf, 1, ifname); ebtablesUnlinkTmpRootChain(&buf, 1, ifname);
ebtablesUnlinkTmpRootChain(&buf, 0, ifname); ebtablesUnlinkTmpRootChain(&buf, 0, ifname);
ebtablesRemoveTmpSubChains(&buf, ifname); ebtablesRemoveTmpSubChains(&buf, ifname);
@ -3636,6 +3642,8 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
ebiptablesExecCLI(&buf, &cli_status, NULL); ebiptablesExecCLI(&buf, &cli_status, NULL);
} }
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
/* create needed chains */ /* create needed chains */
if (ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1, if (ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1,
&ebtChains, &nEbtChains) || &ebtChains, &nEbtChains) ||
@ -3651,6 +3659,8 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpebchains; goto tear_down_tmpebchains;
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
/* process ebtables commands; interleave commands from filters with /* process ebtables commands; interleave commands from filters with
commands for creating and connecting ebtables chains */ commands for creating and connecting ebtables chains */
j = 0; j = 0;
@ -3750,6 +3760,8 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
iptablesCheckBridgeNFCallEnabled(true); iptablesCheckBridgeNFCallEnabled(true);
} }
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
if (virHashSize(chains_in_set) != 0) if (virHashSize(chains_in_set) != 0)
ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1);
if (virHashSize(chains_out_set) != 0) if (virHashSize(chains_out_set) != 0)
@ -3771,6 +3783,8 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
tear_down_ebsubchains_and_unlink: tear_down_ebsubchains_and_unlink:
if (ebtables_cmd_path) { if (ebtables_cmd_path) {
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesUnlinkTmpRootChain(&buf, 1, ifname); ebtablesUnlinkTmpRootChain(&buf, 1, ifname);
ebtablesUnlinkTmpRootChain(&buf, 0, ifname); ebtablesUnlinkTmpRootChain(&buf, 0, ifname);
} }
@ -3789,6 +3803,8 @@ tear_down_tmpiptchains:
tear_down_tmpebchains: tear_down_tmpebchains:
if (ebtables_cmd_path) { if (ebtables_cmd_path) {
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesRemoveTmpSubChains(&buf, ifname); ebtablesRemoveTmpSubChains(&buf, ifname);
ebtablesRemoveTmpRootChain(&buf, 1, ifname); ebtablesRemoveTmpRootChain(&buf, 1, ifname);
ebtablesRemoveTmpRootChain(&buf, 0, ifname); ebtablesRemoveTmpRootChain(&buf, 0, ifname);
@ -3835,6 +3851,8 @@ ebiptablesTearNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
} }
if (ebtables_cmd_path) { if (ebtables_cmd_path) {
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesUnlinkTmpRootChain(&buf, 1, ifname); ebtablesUnlinkTmpRootChain(&buf, 1, ifname);
ebtablesUnlinkTmpRootChain(&buf, 0, ifname); ebtablesUnlinkTmpRootChain(&buf, 0, ifname);
@ -3874,6 +3892,8 @@ ebiptablesTearOldRules(virConnectPtr conn ATTRIBUTE_UNUSED,
} }
if (ebtables_cmd_path) { if (ebtables_cmd_path) {
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesUnlinkRootChain(&buf, 1, ifname); ebtablesUnlinkRootChain(&buf, 1, ifname);
ebtablesUnlinkRootChain(&buf, 0, ifname); ebtablesUnlinkRootChain(&buf, 0, ifname);
@ -3915,6 +3935,8 @@ ebiptablesRemoveRules(virConnectPtr conn ATTRIBUTE_UNUSED,
virBuffer buf = VIR_BUFFER_INITIALIZER; virBuffer buf = VIR_BUFFER_INITIALIZER;
ebiptablesRuleInstPtr *inst = (ebiptablesRuleInstPtr *)_inst; ebiptablesRuleInstPtr *inst = (ebiptablesRuleInstPtr *)_inst;
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
for (i = 0; i < nruleInstances; i++) for (i = 0; i < nruleInstances; i++)
ebiptablesInstCommand(&buf, ebiptablesInstCommand(&buf,
inst[i]->commandTemplate, inst[i]->commandTemplate,
@ -3964,6 +3986,8 @@ ebiptablesAllTeardown(const char *ifname)
} }
if (ebtables_cmd_path) { if (ebtables_cmd_path) {
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
ebtablesUnlinkRootChain(&buf, 1, ifname); ebtablesUnlinkRootChain(&buf, 1, ifname);
ebtablesUnlinkRootChain(&buf, 0, ifname); ebtablesUnlinkRootChain(&buf, 0, ifname);
@ -4018,12 +4042,12 @@ ebiptablesDriverInit(bool privileged)
ebtables_cmd_path = virFindFileInPath("ebtables"); ebtables_cmd_path = virFindFileInPath("ebtables");
if (ebtables_cmd_path) { if (ebtables_cmd_path) {
NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
/* basic probing */ /* basic probing */
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF("%s -t %s -L") CMD_SEPARATOR CMD_DEF("$EBT -t nat -L") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
CMD_STOPONERR(1)); CMD_STOPONERR(1));
if (ebiptablesExecCLI(&buf, NULL, NULL) < 0) if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)