Extend fwall-drv interface and call functions via interface
I am moving some of the eb/iptables related functions into the interface of the firewall driver and am making them accessible only via the driver's interface. Existing code is adapted where needed. I am also adding one new function to the interface that checks whether the 'basic' rules can be applied; it will be used by a subsequent patch.
This commit is contained in:
parent
8f342c6f9a
commit
c8f4dcca6a
@ -487,6 +487,17 @@ typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
|
||||
typedef int (*virNWFilterRuleDisplayInstanceData)(virConnectPtr conn,
|
||||
void *_inst);
|
||||
|
||||
typedef int (*virNWFilterCanApplyBasicRules)(void);
|
||||
|
||||
typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
|
||||
const unsigned char *macaddr);
|
||||
|
||||
typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
|
||||
const unsigned char *macaddr,
|
||||
const char *dhcpserver);
|
||||
|
||||
typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
|
||||
|
||||
enum techDrvFlags {
|
||||
TECHDRV_FLAG_INITIALIZED = (1 << 0),
|
||||
};
|
||||
@ -506,6 +517,11 @@ struct _virNWFilterTechDriver {
|
||||
virNWFilterRuleAllTeardown allTeardown;
|
||||
virNWFilterRuleFreeInstanceData freeRuleInstance;
|
||||
virNWFilterRuleDisplayInstanceData displayRuleInstance;
|
||||
|
||||
virNWFilterCanApplyBasicRules canApplyBasicRules;
|
||||
virNWFilterApplyBasicRules applyBasicRules;
|
||||
virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
|
||||
virNWFilterRemoveBasicRules removeBasicRules;
|
||||
};
|
||||
|
||||
|
||||
|
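Review bot: The four new function-pointer members at the end of `_virNWFilterTechDriver` (`canApplyBasicRules` through `removeBasicRules`) and their typedefs carry no comment on the return convention or on whether a driver may leave them unset, which matters because the driver struct is populated with a designated initializer (a driver that does not name them gets NULL) and the learn-IP code calls them directly through the pointer. I would add above the `canApplyBasicRules` member: `/* Learning-phase helpers: canApplyBasicRules returns non-zero when the driver can install the MAC-spoofing / DHCP-only rules below; a driver that cannot should leave all four NULL and callers must check before invoking them. */`. The start of the struct and its earlier members are outside this hunk, and whether a second technology driver exists is not visible here, so the NULL case is an inference from the initializer style.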
@ -98,6 +98,7 @@ static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
|
||||
#define MATCH_PHYSDEV_OUT m_physdev_out_str
|
||||
|
||||
|
||||
static int ebtablesRemoveBasicRules(const char *ifname);
|
||||
static int ebiptablesDriverInit(void);
|
||||
static void ebiptablesDriverShutdown(void);
|
||||
|
||||
@ -2577,6 +2578,18 @@ ebiptablesInstCommand(virBufferPtr buf,
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* ebiptablesCanApplyBasicRules
|
||||
*
|
||||
* Determine whether this driver can apply the basic rules, meaning
|
||||
* run ebtablesApplyBasicRules and ebtablesApplyDHCPOnlyRules.
|
||||
* In case of this driver we need the ebtables tool available.
|
||||
*/
|
||||
static int
|
||||
ebiptablesCanApplyBasicRules(void) {
|
||||
return (ebtables_cmd_path != NULL);
|
||||
}
|
||||
|
||||
/**
|
||||
* ebtablesApplyBasicRules
|
||||
*
|
||||
@ -2591,7 +2604,7 @@ ebiptablesInstCommand(virBufferPtr buf,
|
||||
* - filtering for MAC address spoofing
|
||||
* - allowing IPv4 & ARP traffic
|
||||
*/
|
||||
int
|
||||
static int
|
||||
ebtablesApplyBasicRules(const char *ifname,
|
||||
const unsigned char *macaddr)
|
||||
{
|
||||
@ -2685,7 +2698,7 @@ tear_down_tmpebchains:
|
||||
* Apply filtering rules so that the VM can only send and receive
|
||||
* DHCP traffic and nothing else.
|
||||
*/
|
||||
int
|
||||
static int
|
||||
ebtablesApplyDHCPOnlyRules(const char *ifname,
|
||||
const unsigned char *macaddr,
|
||||
const char *dhcpserver)
|
||||
@ -2794,7 +2807,7 @@ tear_down_tmpebchains:
|
||||
}
|
||||
|
||||
|
||||
int
|
||||
static int
|
||||
ebtablesRemoveBasicRules(const char *ifname)
|
||||
{
|
||||
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
||||
@ -3188,6 +3201,11 @@ virNWFilterTechDriver ebiptables_driver = {
|
||||
.removeRules = ebiptablesRemoveRules,
|
||||
.freeRuleInstance = ebiptablesFreeRuleInstance,
|
||||
.displayRuleInstance = ebiptablesDisplayRuleInstance,
|
||||
|
||||
.canApplyBasicRules = ebiptablesCanApplyBasicRules,
|
||||
.applyBasicRules = ebtablesApplyBasicRules,
|
||||
.applyDHCPOnlyRules = ebtablesApplyDHCPOnlyRules,
|
||||
.removeBasicRules = ebtablesRemoveBasicRules,
|
||||
};
|
||||
|
||||
|
||||
|
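Review bot: The header comment on `ebiptablesCanApplyBasicRules` states the intent but not the return value, while the body returns the comparison `ebtables_cmd_path != NULL`; I would append `* Returns 1 if the ebtables binary was located, 0 otherwise.` to the comment block. The comment also claims the check covers both `ebtablesApplyBasicRules` and `ebtablesApplyDHCPOnlyRules`, whose bodies lie outside this hunk; if either also invokes iptables, testing the ebtables path alone is incomplete and the iptables path should be tested as well. Where `ebtables_cmd_path` is assigned is not shown (presumably in `ebiptablesDriverInit`, whose prototype is added in the first hunk), so a call before driver init silently reports 0 rather than failing loudly, which is worth one sentence in the comment.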
@ -45,12 +45,4 @@ extern virNWFilterTechDriver ebiptables_driver;
|
||||
|
||||
# define EBIPTABLES_DRIVER_ID "ebiptables"
|
||||
|
||||
|
||||
int ebtablesApplyBasicRules(const char *ifname,
|
||||
const unsigned char *macaddr);
|
||||
int ebtablesApplyDHCPOnlyRules(const char *ifname,
|
||||
const unsigned char *macaddr,
|
||||
const char *dhcpServer);
|
||||
int ebtablesRemoveBasicRules(const char *ifname);
|
||||
|
||||
#endif
|
||||
|
@ -593,7 +593,8 @@ virNWFilterInstantiate(virConnectPtr conn,
|
||||
if (virHashLookup(missing_vars->hashTable,
|
||||
NWFILTER_STD_VAR_IP) != NULL) {
|
||||
if (virNWFilterLookupLearnReq(ifname) == NULL) {
|
||||
rc = virNWFilterLearnIPAddress(ifname,
|
||||
rc = virNWFilterLearnIPAddress(techdriver,
|
||||
ifname,
|
||||
linkdev,
|
||||
nettype, macaddr,
|
||||
filter->name,
|
||||
|
@ -293,6 +293,7 @@ learnIPAddressThread(void *arg)
|
||||
char *filter= NULL;
|
||||
uint16_t etherType;
|
||||
enum howDetect howDetected = 0;
|
||||
virNWFilterTechDriverPtr techdriver = req->techdriver;
|
||||
|
||||
req->status = 0;
|
||||
|
||||
@ -458,7 +459,7 @@ learnIPAddressThread(void *arg)
|
||||
if (handle)
|
||||
pcap_close(handle);
|
||||
|
||||
ebtablesRemoveBasicRules(req->ifname);
|
||||
techdriver->removeBasicRules(req->ifname);
|
||||
|
||||
if (req->status == 0) {
|
||||
int ret;
|
||||
@ -493,7 +494,7 @@ learnIPAddressThread(void *arg)
|
||||
|
||||
/**
|
||||
* virNWFilterLearnIPAddress
|
||||
* @conn: pointer to virConnect object
|
||||
* @techdriver : driver to build firewalls
|
||||
* @ifname: the name of the interface
|
||||
* @linkdev : the name of the link device; currently only used in case of a
|
||||
* macvtap device
|
||||
@ -513,7 +514,8 @@ learnIPAddressThread(void *arg)
|
||||
* firewall rules on the interface.
|
||||
*/
|
||||
int
|
||||
virNWFilterLearnIPAddress(const char *ifname,
|
||||
virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
|
||||
const char *ifname,
|
||||
const char *linkdev,
|
||||
enum virDomainNetType nettype,
|
||||
const unsigned char *macaddr,
|
||||
@ -569,6 +571,7 @@ virNWFilterLearnIPAddress(const char *ifname,
|
||||
req->filterparams = ht;
|
||||
ht = NULL;
|
||||
req->howDetect = howDetect;
|
||||
req->techdriver = techdriver;
|
||||
|
||||
rc = virNWFilterRegisterLearnReq(req);
|
||||
|
||||
@ -577,14 +580,14 @@ virNWFilterLearnIPAddress(const char *ifname,
|
||||
|
||||
switch (howDetect) {
|
||||
case DETECT_DHCP:
|
||||
if (ebtablesApplyDHCPOnlyRules(ifname,
|
||||
macaddr,
|
||||
NULL))
|
||||
if (techdriver->applyDHCPOnlyRules(ifname,
|
||||
macaddr,
|
||||
NULL))
|
||||
goto err_free_ht;
|
||||
break;
|
||||
default:
|
||||
if (ebtablesApplyBasicRules(ifname,
|
||||
macaddr))
|
||||
if (techdriver->applyBasicRules(ifname,
|
||||
macaddr))
|
||||
goto err_free_ht;
|
||||
}
|
||||
|
||||
@ -598,7 +601,7 @@ virNWFilterLearnIPAddress(const char *ifname,
|
||||
return 0;
|
||||
|
||||
err_remove_rules:
|
||||
ebtablesRemoveBasicRules(ifname);
|
||||
techdriver->removeBasicRules(ifname);
|
||||
err_free_ht:
|
||||
virNWFilterHashTableFree(ht);
|
||||
err_no_ht:
|
||||
@ -610,7 +613,8 @@ err_no_req:
|
||||
#else
|
||||
|
||||
int
|
||||
virNWFilterLearnIPAddress(const char *ifname ATTRIBUTE_UNUSED,
|
||||
virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
|
||||
const char *ifname ATTRIBUTE_UNUSED,
|
||||
const char *linkdev ATTRIBUTE_UNUSED,
|
||||
enum virDomainNetType nettype ATTRIBUTE_UNUSED,
|
||||
const unsigned char *macaddr ATTRIBUTE_UNUSED,
|
||||
|
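Review bot: `techdriver->applyDHCPOnlyRules`, `techdriver->applyBasicRules` and `techdriver->removeBasicRules` are called through the pointer without checking that the driver populated these newly added members, and `removeBasicRules` is additionally called from `learnIPAddressThread` via the stored `req->techdriver`; a driver struct that leaves them NULL (designated initializers zero unnamed members) would crash in the learn thread, which is exactly the window in which the guest is meant to be confined to DHCP/ARP traffic by those rules. I would reject such a driver at the top of `virNWFilterLearnIPAddress`, before any allocation (that part of the function is outside the hunk), with `if (!techdriver->applyBasicRules || !techdriver->applyDHCPOnlyRules || !techdriver->removeBasicRules)` followed by the function's existing error return; the exact error value and label are not visible here. Per the description the new `canApplyBasicRules` member is reserved for a later patch, so this is a separate defensive check, not a duplicate of it. The thread also keeps `req->techdriver` past the function's return; with the driver being a file-scope global (`ebiptables_driver`) that is safe, but the assumption deserves a comment on the field.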
@ -33,6 +33,7 @@ enum howDetect {
|
||||
typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq;
|
||||
typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr;
|
||||
struct _virNWFilterIPAddrLearnReq {
|
||||
virNWFilterTechDriverPtr techdriver;
|
||||
char ifname[IF_NAMESIZE];
|
||||
char linkdev[IF_NAMESIZE];
|
||||
enum virDomainNetType nettype;
|
||||
@ -46,7 +47,8 @@ struct _virNWFilterIPAddrLearnReq {
|
||||
pthread_t thread;
|
||||
};
|
||||
|
||||
int virNWFilterLearnIPAddress(const char *ifname,
|
||||
int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
|
||||
const char *ifname,
|
||||
const char *linkdev,
|
||||
enum virDomainNetType nettype,
|
||||
const unsigned char *macaddr,
|
||||
|
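Review bot: The new `techdriver` member of `_virNWFilterIPAddrLearnReq` is added without a comment, although it is dereferenced from a separate thread after the registering function has returned, so its lifetime contract is the one thing a reader needs. I would annotate it as `/* driver providing applyBasicRules, applyDHCPOnlyRules and removeBasicRules to the learn thread; must outlive this request */`. The updated prototype of `virNWFilterLearnIPAddress` continues past the end of this hunk, so the remaining parameters are not visible here.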