Extend fwall-drv interface and call functions via interface

I am moving some of the eb/iptables related functions into the interface
of the firewall driver and am making them only accessible via the driver's
interface. Otherwise exsiting code is adapted where needed. I am adding one
new function to the interface that checks whether the 'basic' rules can be
applied,  which will then be used by a subsequent patch.
This commit is contained in:
Stefan Berger 2010-04-20 17:07:15 -04:00
parent 8f342c6f9a
commit c8f4dcca6a
6 changed files with 56 additions and 23 deletions


@ -487,6 +487,17 @@ typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
typedef int (*virNWFilterRuleDisplayInstanceData)(virConnectPtr conn,
void *_inst);
typedef int (*virNWFilterCanApplyBasicRules)(void);
typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
const unsigned char *macaddr);
typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
const unsigned char *macaddr,
const char *dhcpserver);
typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
enum techDrvFlags {
TECHDRV_FLAG_INITIALIZED = (1 << 0),
};
@ -506,6 +517,11 @@ struct _virNWFilterTechDriver {
virNWFilterRuleAllTeardown allTeardown;
virNWFilterRuleFreeInstanceData freeRuleInstance;
virNWFilterRuleDisplayInstanceData displayRuleInstance;
virNWFilterCanApplyBasicRules canApplyBasicRules;
virNWFilterApplyBasicRules applyBasicRules;
virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
virNWFilterRemoveBasicRules removeBasicRules;
};
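Review bot: The four new callback typedefs carry no comment on their return convention, and the implementations on this commit use two different ones: ebiptablesCanApplyBasicRules returns a truth value (`ebtables_cmd_path != NULL`, non-zero meaning "can apply"), while applyBasicRules/applyDHCPOnlyRules/removeBasicRules are treated by their callers as 0 on success and non-zero on failure (`if (techdriver->applyBasicRules(ifname, macaddr)) goto err_free_ht;`). Adjacent members with opposite meanings of non-zero are easy to mix up at a call site, so each typedef should say which it is, e.g. above virNWFilterCanApplyBasicRules: `/* Returns non-zero if the driver can apply the basic rules (applyBasicRules, applyDHCPOnlyRules), 0 otherwise. */` and above the other three: `/* Returns 0 on success, non-zero on failure. */`. The `macaddr` parameters take an unsized pointer; the expected length is not stated anywhere in this hunk and should be part of the same comment (presumably a fixed-size hardware address, to be confirmed against the implementation). The enclosing struct _virNWFilterTechDriver starts outside the second hunk.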


@ -98,6 +98,7 @@ static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
#define MATCH_PHYSDEV_OUT m_physdev_out_str
static int ebtablesRemoveBasicRules(const char *ifname);
static int ebiptablesDriverInit(void);
static void ebiptablesDriverShutdown(void);
@ -2577,6 +2578,18 @@ ebiptablesInstCommand(virBufferPtr buf,
}
/**
* ebiptablesCanApplyBasicRules
*
* Determine whether this driver can apply the basic rules, meaning
* run ebtablesApplyBasicRules and ebtablesApplyDHCPOnlyRules.
* In case of this driver we need the ebtables tool available.
*/
static int
ebiptablesCanApplyBasicRules(void) {
return (ebtables_cmd_path != NULL);
}
/**
* ebtablesApplyBasicRules
*
@ -2591,7 +2604,7 @@ ebiptablesInstCommand(virBufferPtr buf,
* - filtering for MAC address spoofing
* - allowing IPv4 & ARP traffic
*/
int
static int
ebtablesApplyBasicRules(const char *ifname,
const unsigned char *macaddr)
{
@ -2685,7 +2698,7 @@ tear_down_tmpebchains:
* Apply filtering rules so that the VM can only send and receive
* DHCP traffic and nothing else.
*/
int
static int
ebtablesApplyDHCPOnlyRules(const char *ifname,
const unsigned char *macaddr,
const char *dhcpserver)
@ -2794,7 +2807,7 @@ tear_down_tmpebchains:
}
int
static int
ebtablesRemoveBasicRules(const char *ifname)
{
virBuffer buf = VIR_BUFFER_INITIALIZER;
@ -3188,6 +3201,11 @@ virNWFilterTechDriver ebiptables_driver = {
.removeRules = ebiptablesRemoveRules,
.freeRuleInstance = ebiptablesFreeRuleInstance,
.displayRuleInstance = ebiptablesDisplayRuleInstance,
.canApplyBasicRules = ebiptablesCanApplyBasicRules,
.applyBasicRules = ebtablesApplyBasicRules,
.applyDHCPOnlyRules = ebtablesApplyDHCPOnlyRules,
.removeBasicRules = ebtablesRemoveBasicRules,
};
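Review bot: The doc comment on ebiptablesCanApplyBasicRules does not state what the function returns, and the body `return (ebtables_cmd_path != NULL);` gives a truth value rather than the 0-on-success convention the neighbouring ebtablesApply*/ebtablesRemoveBasicRules functions use, so a caller that tests the result the same way it tests the apply functions will get the inverted meaning. Add a line to the header comment: ` * Returns non-zero if the basic rules can be applied, 0 otherwise.`. As a matter of style the new definition puts the opening brace on the signature line (`ebiptablesCanApplyBasicRules(void) {`) whereas the other definitions in this file put it on its own line; `ebiptablesCanApplyBasicRules(void)` followed by `{` on the next line would match. The check reads the file-scope `ebtables_cmd_path`; whether that is fixed at driver init or can change later is not visible here and would be worth saying in the comment if it is known.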


@ -45,12 +45,4 @@ extern virNWFilterTechDriver ebiptables_driver;
# define EBIPTABLES_DRIVER_ID "ebiptables"
int ebtablesApplyBasicRules(const char *ifname,
const unsigned char *macaddr);
int ebtablesApplyDHCPOnlyRules(const char *ifname,
const unsigned char *macaddr,
const char *dhcpServer);
int ebtablesRemoveBasicRules(const char *ifname);
#endif


@ -593,7 +593,8 @@ virNWFilterInstantiate(virConnectPtr conn,
if (virHashLookup(missing_vars->hashTable,
NWFILTER_STD_VAR_IP) != NULL) {
if (virNWFilterLookupLearnReq(ifname) == NULL) {
rc = virNWFilterLearnIPAddress(ifname,
rc = virNWFilterLearnIPAddress(techdriver,
ifname,
linkdev,
nettype, macaddr,
filter->name,


@ -293,6 +293,7 @@ learnIPAddressThread(void *arg)
char *filter= NULL;
uint16_t etherType;
enum howDetect howDetected = 0;
virNWFilterTechDriverPtr techdriver = req->techdriver;
req->status = 0;
@ -458,7 +459,7 @@ learnIPAddressThread(void *arg)
if (handle)
pcap_close(handle);
ebtablesRemoveBasicRules(req->ifname);
techdriver->removeBasicRules(req->ifname);
if (req->status == 0) {
int ret;
@ -493,7 +494,7 @@ learnIPAddressThread(void *arg)
/**
* virNWFilterLearnIPAddress
* @conn: pointer to virConnect object
* @techdriver : driver to build firewalls
* @ifname: the name of the interface
* @linkdev : the name of the link device; currently only used in case of a
* macvtap device
@ -513,7 +514,8 @@ learnIPAddressThread(void *arg)
* firewall rules on the interface.
*/
int
virNWFilterLearnIPAddress(const char *ifname,
virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
const char *ifname,
const char *linkdev,
enum virDomainNetType nettype,
const unsigned char *macaddr,
@ -569,6 +571,7 @@ virNWFilterLearnIPAddress(const char *ifname,
req->filterparams = ht;
ht = NULL;
req->howDetect = howDetect;
req->techdriver = techdriver;
rc = virNWFilterRegisterLearnReq(req);
@ -577,14 +580,14 @@ virNWFilterLearnIPAddress(const char *ifname,
switch (howDetect) {
case DETECT_DHCP:
if (ebtablesApplyDHCPOnlyRules(ifname,
macaddr,
NULL))
if (techdriver->applyDHCPOnlyRules(ifname,
macaddr,
NULL))
goto err_free_ht;
break;
default:
if (ebtablesApplyBasicRules(ifname,
macaddr))
if (techdriver->applyBasicRules(ifname,
macaddr))
goto err_free_ht;
}
@ -598,7 +601,7 @@ virNWFilterLearnIPAddress(const char *ifname,
return 0;
err_remove_rules:
ebtablesRemoveBasicRules(ifname);
techdriver->removeBasicRules(ifname);
err_free_ht:
virNWFilterHashTableFree(ht);
err_no_ht:
@ -610,7 +613,8 @@ err_no_req:
#else
int
virNWFilterLearnIPAddress(const char *ifname ATTRIBUTE_UNUSED,
virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
const char *ifname ATTRIBUTE_UNUSED,
const char *linkdev ATTRIBUTE_UNUSED,
enum virDomainNetType nettype ATTRIBUTE_UNUSED,
const unsigned char *macaddr ATTRIBUTE_UNUSED,
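Review bot: `techdriver->applyDHCPOnlyRules(...)`, `techdriver->applyBasicRules(...)` and `techdriver->removeBasicRules(...)` in the switch and in err_remove_rules of virNWFilterLearnIPAddress, and `techdriver->removeBasicRules(req->ifname)` in learnIPAddressThread, are called through the driver struct without checking that the member is set; a tech driver initialised with designated initializers that omits these new members leaves them NULL and the call would fault. Since the three callbacks are now the only route to the rules, a single guard at the top of virNWFilterLearnIPAddress would cover every use, e.g. `if (!techdriver->applyBasicRules || !techdriver->applyDHCPOnlyRules || !techdriver->removeBasicRules) return <this function's error value>;` (the error reporting helper used elsewhere in this file is not visible in the hunk). The `techdriver` pointer is also stored in the request (`req->techdriver = techdriver;`) and read from the thread, so its lifetime has to outlast the learning thread; the only driver on this page is the global `ebiptables_driver`, which is fine, but that assumption is worth a comment at the assignment. Both virNWFilterLearnIPAddress and learnIPAddressThread extend beyond the hunks shown.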


@ -33,6 +33,7 @@ enum howDetect {
typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq;
typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr;
struct _virNWFilterIPAddrLearnReq {
virNWFilterTechDriverPtr techdriver;
char ifname[IF_NAMESIZE];
char linkdev[IF_NAMESIZE];
enum virDomainNetType nettype;
@ -46,7 +47,8 @@ struct _virNWFilterIPAddrLearnReq {
pthread_t thread;
};
int virNWFilterLearnIPAddress(const char *ifname,
int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
const char *ifname,
const char *linkdev,
enum virDomainNetType nettype,
const unsigned char *macaddr,
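Review bot: The new `techdriver` member of struct _virNWFilterIPAddrLearnReq has no comment, and it is a bare pointer kept by a request that is consumed from a separate thread, so the reader cannot tell whether the request owns it or must merely keep it alive. A one-line comment on the field would settle that: `virNWFilterTechDriverPtr techdriver; /* driver whose apply/removeBasicRules callbacks the learn thread uses; not owned by the request */` (the "not owned" part is presumably right, since the only driver visible is the global ebiptables_driver, but should be confirmed). The prototype of virNWFilterLearnIPAddress continues outside the hunk.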