Remove two-stage construction of commands in nwfilter

The nwfilter ebiptables driver will build up commands to run in
two phases. The first phase contains all of the command, except
for the '-A' part. Instead it has a '%c' placeholder, along with
a '%s' placeholder for a position arg. The second phase then
substitutes these placeholders. The only values ever used for
these substitutions though is '-A' and '', so it is entirely
pointless. Remove the second phase entirely, since it will make
it harder to convert to the new firewall APIs

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Daniel P. Berrange 2014-03-25 16:10:56 +00:00
parent 3f74b2eb2c
commit b1c1df05bf


@ -898,12 +898,9 @@ iptablesRenameTmpRootChains(virBufferPtr buf,
static void static void
iptablesInstCommand(virBufferPtr buf, iptablesInstCommand(virBufferPtr buf,
const char *templ, char cmd, int pos) const char *cmdstr)
{ {
char position[10] = { 0 }; virBufferAdd(buf, cmdstr, -1);
if (pos >= 0)
snprintf(position, sizeof(position), "%d", pos);
virBufferAsprintf(buf, templ, cmd, position);
virBufferAsprintf(buf, CMD_SEPARATOR "%s", virBufferAsprintf(buf, CMD_SEPARATOR "%s",
CMD_STOPONERR(true)); CMD_STOPONERR(true));
} }
@ -1298,7 +1295,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_TCP: case VIR_NWFILTER_RULE_PROTOCOL_TCP:
case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$IPT -%%c %s %%s", CMD_DEF_PRE "$IPT -A %s",
chain); chain);
virBufferAddLit(&buf, " -p tcp"); virBufferAddLit(&buf, " -p tcp");
@ -1353,7 +1350,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_UDP: case VIR_NWFILTER_RULE_PROTOCOL_UDP:
case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$IPT -%%c %s %%s", CMD_DEF_PRE "$IPT -A %s",
chain); chain);
virBufferAddLit(&buf, " -p udp"); virBufferAddLit(&buf, " -p udp");
@ -1386,7 +1383,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$IPT -%%c %s %%s", CMD_DEF_PRE "$IPT -A %s",
chain); chain);
virBufferAddLit(&buf, " -p udplite"); virBufferAddLit(&buf, " -p udplite");
@ -1414,7 +1411,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_ESP: case VIR_NWFILTER_RULE_PROTOCOL_ESP:
case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$IPT -%%c %s %%s", CMD_DEF_PRE "$IPT -A %s",
chain); chain);
virBufferAddLit(&buf, " -p esp"); virBufferAddLit(&buf, " -p esp");
@ -1442,7 +1439,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_AH: case VIR_NWFILTER_RULE_PROTOCOL_AH:
case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$IPT -%%c %s %%s", CMD_DEF_PRE "$IPT -A %s",
chain); chain);
virBufferAddLit(&buf, " -p ah"); virBufferAddLit(&buf, " -p ah");
@ -1470,7 +1467,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_SCTP: case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$IPT -%%c %s %%s", CMD_DEF_PRE "$IPT -A %s",
chain); chain);
virBufferAddLit(&buf, " -p sctp"); virBufferAddLit(&buf, " -p sctp");
@ -1503,7 +1500,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_ICMP: case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$IPT -%%c %s %%s", CMD_DEF_PRE "$IPT -A %s",
chain); chain);
if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP) if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
@ -1568,7 +1565,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_IGMP: case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$IPT -%%c %s %%s", CMD_DEF_PRE "$IPT -A %s",
chain); chain);
virBufferAddLit(&buf, " -p igmp"); virBufferAddLit(&buf, " -p igmp");
@ -1596,7 +1593,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_ALL: case VIR_NWFILTER_RULE_PROTOCOL_ALL:
case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$IPT -%%c %s %%s", CMD_DEF_PRE "$IPT -A %s",
chain); chain);
virBufferAddLit(&buf, " -p all"); virBufferAddLit(&buf, " -p all");
@ -2026,7 +2023,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_MAC: case VIR_NWFILTER_RULE_PROTOCOL_MAC:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -A %s",
chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
@ -2050,7 +2047,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_VLAN: case VIR_NWFILTER_RULE_PROTOCOL_VLAN:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -A %s",
chain); chain);
@ -2117,7 +2114,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
} }
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -A %s",
chain); chain);
@ -2155,7 +2152,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_RARP: case VIR_NWFILTER_RULE_PROTOCOL_RARP:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -A %s",
chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
@ -2282,7 +2279,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_IP: case VIR_NWFILTER_RULE_PROTOCOL_IP:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -A %s",
chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
@ -2424,7 +2421,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_IPV6: case VIR_NWFILTER_RULE_PROTOCOL_IPV6:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -A %s",
chain); chain);
if (ebtablesHandleEthHdr(&buf, if (ebtablesHandleEthHdr(&buf,
@ -2554,7 +2551,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_NONE: case VIR_NWFILTER_RULE_PROTOCOL_NONE:
virBufferAsprintf(&buf, virBufferAsprintf(&buf,
CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", CMD_DEF_PRE "$EBT -t nat -A %s",
chain); chain);
break; break;
@ -2908,7 +2905,7 @@ ebtablesCreateTmpSubChain(ebiptablesRuleInstPtr *inst,
CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s" "%s"
CMD_DEF("$EBT -t nat -%%c %s %%s %s-j %s") CMD_DEF("$EBT -t nat -A %s %s-j %s")
CMD_SEPARATOR CMD_SEPARATOR
CMD_EXEC CMD_EXEC
"%s", "%s",
@ -3071,15 +3068,11 @@ ebtablesRenameTmpSubAndRootChains(virBufferPtr buf,
static void static void
ebiptablesInstCommand(virBufferPtr buf, ebiptablesInstCommand(virBufferPtr buf,
const char *templ, char cmd, int pos, const char *cmdstr)
bool stopOnError)
{ {
char position[10] = { 0 }; virBufferAdd(buf, cmdstr, -1);
if (pos >= 0)
snprintf(position, sizeof(position), "%d", pos);
virBufferAsprintf(buf, templ, cmd, position);
virBufferAsprintf(buf, CMD_SEPARATOR "%s", virBufferAsprintf(buf, CMD_SEPARATOR "%s",
CMD_STOPONERR(stopOnError)); CMD_STOPONERR(true));
} }
@ -3606,12 +3599,11 @@ ebtablesCreateTmpRootAndSubChains(virBufferPtr buf,
static int static int
iptablesRuleInstCommand(virBufferPtr buf, iptablesRuleInstCommand(virBufferPtr buf,
const char *ifname, const char *ifname,
virNWFilterRuleInstPtr rule, virNWFilterRuleInstPtr rule)
char cmd, int pos)
{ {
virNWFilterVarCombIterPtr vciter, tmp; virNWFilterVarCombIterPtr vciter, tmp;
char **templates = NULL; char **cmds = NULL;
size_t ntemplates = 0; size_t ncmds = 0;
size_t i; size_t i;
int ret = -1; int ret = -1;
@ -3630,20 +3622,20 @@ iptablesRuleInstCommand(virBufferPtr buf,
rule->def, rule->def,
ifname, ifname,
tmp, tmp,
&templates, &cmds,
&ntemplates) < 0) &ncmds) < 0)
goto cleanup; goto cleanup;
tmp = virNWFilterVarCombIterNext(tmp); tmp = virNWFilterVarCombIterNext(tmp);
} while (tmp != NULL); } while (tmp != NULL);
for (i = 0; i < ntemplates; i++) for (i = 0; i < ncmds; i++)
iptablesInstCommand(buf, templates[i], cmd, pos); iptablesInstCommand(buf, cmds[i]);
ret = 0; ret = 0;
cleanup: cleanup:
for (i = 0; i < ntemplates; i++) for (i = 0; i < ncmds; i++)
VIR_FREE(templates[i]); VIR_FREE(cmds[i]);
VIR_FREE(templates); VIR_FREE(cmds);
virNWFilterVarCombIterFree(vciter); virNWFilterVarCombIterFree(vciter);
return ret; return ret;
} }
@ -3652,13 +3644,11 @@ iptablesRuleInstCommand(virBufferPtr buf,
static int static int
ebtablesRuleInstCommand(virBufferPtr buf, ebtablesRuleInstCommand(virBufferPtr buf,
const char *ifname, const char *ifname,
virNWFilterRuleInstPtr rule, virNWFilterRuleInstPtr rule)
char cmd, int pos,
bool stopOnError)
{ {
virNWFilterVarCombIterPtr vciter, tmp; virNWFilterVarCombIterPtr vciter, tmp;
char **templates = NULL; char **cmds = NULL;
size_t ntemplates = 0; size_t ncmds = 0;
size_t i; size_t i;
int ret = -1; int ret = -1;
@ -3677,20 +3667,20 @@ ebtablesRuleInstCommand(virBufferPtr buf,
rule->def, rule->def,
ifname, ifname,
tmp, tmp,
&templates, &cmds,
&ntemplates) < 0) &ncmds) < 0)
goto cleanup; goto cleanup;
tmp = virNWFilterVarCombIterNext(tmp); tmp = virNWFilterVarCombIterNext(tmp);
} while (tmp != NULL); } while (tmp != NULL);
for (i = 0; i < ntemplates; i++) for (i = 0; i < ncmds; i++)
ebiptablesInstCommand(buf, templates[i], cmd, pos, stopOnError); ebiptablesInstCommand(buf, cmds[i]);
ret = 0; ret = 0;
cleanup: cleanup:
for (i = 0; i < ntemplates; i++) for (i = 0; i < ncmds; i++)
VIR_FREE(templates[i]); VIR_FREE(cmds[i]);
VIR_FREE(templates); VIR_FREE(cmds);
virNWFilterVarCombIterFree(vciter); virNWFilterVarCombIterFree(vciter);
return ret; return ret;
} }
@ -3796,13 +3786,11 @@ ebiptablesApplyNewRules(const char *ifname,
while (j < nEbtChains && while (j < nEbtChains &&
ebtChains[j].priority <= rules[i]->priority) { ebtChains[j].priority <= rules[i]->priority) {
ebiptablesInstCommand(&buf, ebiptablesInstCommand(&buf,
ebtChains[j++].commandTemplate, ebtChains[j++].commandTemplate);
'A', -1, true);
} }
ebtablesRuleInstCommand(&buf, ebtablesRuleInstCommand(&buf,
ifname, ifname,
rules[i], rules[i]);
'A', -1, true);
} else { } else {
if (virNWFilterRuleIsProtocolIPv4(rules[i]->def)) if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
haveIptables = true; haveIptables = true;
@ -3813,8 +3801,7 @@ ebiptablesApplyNewRules(const char *ifname,
while (j < nEbtChains) while (j < nEbtChains)
ebiptablesInstCommand(&buf, ebiptablesInstCommand(&buf,
ebtChains[j++].commandTemplate, ebtChains[j++].commandTemplate);
'A', -1, true);
if (ebiptablesExecCLI(&buf, false, &errmsg) < 0) if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
goto tear_down_tmpebchains; goto tear_down_tmpebchains;
@ -3850,8 +3837,7 @@ ebiptablesApplyNewRules(const char *ifname,
if (virNWFilterRuleIsProtocolIPv4(rules[i]->def)) if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
iptablesRuleInstCommand(&buf, iptablesRuleInstCommand(&buf,
ifname, ifname,
rules[i], rules[i]);
'A', -1);
} }
if (ebiptablesExecCLI(&buf, false, &errmsg) < 0) if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
@ -3891,8 +3877,7 @@ ebiptablesApplyNewRules(const char *ifname,
if (virNWFilterRuleIsProtocolIPv6(rules[i]->def)) if (virNWFilterRuleIsProtocolIPv6(rules[i]->def))
iptablesRuleInstCommand(&buf, iptablesRuleInstCommand(&buf,
ifname, ifname,
rules[i], rules[i]);
'A', -1);
} }
if (ebiptablesExecCLI(&buf, false, &errmsg) < 0) if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)