Extend fwall-drv interface and call functions via interface
I am moving some of the eb/iptables related functions into the interface of the firewall driver and am making them only accessible via the driver's interface. Otherwise existing code is adapted where needed. I am adding one new function to the interface that checks whether the 'basic' rules can be applied, which will then be used by a subsequent patch.
This commit is contained in:
parent
8f342c6f9a
commit
c8f4dcca6a
@ -487,6 +487,17 @@ typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
|
|||||||
typedef int (*virNWFilterRuleDisplayInstanceData)(virConnectPtr conn,
|
typedef int (*virNWFilterRuleDisplayInstanceData)(virConnectPtr conn,
|
||||||
void *_inst);
|
void *_inst);
|
||||||
|
|
||||||
|
typedef int (*virNWFilterCanApplyBasicRules)(void);
|
||||||
|
|
||||||
|
typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
|
||||||
|
const unsigned char *macaddr);
|
||||||
|
|
||||||
|
typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
|
||||||
|
const unsigned char *macaddr,
|
||||||
|
const char *dhcpserver);
|
||||||
|
|
||||||
|
typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
|
||||||
|
|
||||||
enum techDrvFlags {
|
enum techDrvFlags {
|
||||||
TECHDRV_FLAG_INITIALIZED = (1 << 0),
|
TECHDRV_FLAG_INITIALIZED = (1 << 0),
|
||||||
};
|
};
|
||||||
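Review bot: The four new function-pointer typedefs (virNWFilterCanApplyBasicRules through virNWFilterRemoveBasicRules) carry no comment on their return conventions, and the conventions differ: the ebiptables implementation of canApplyBasicRules returns non-zero when the rules can be applied (`ebtables_cmd_path != NULL`), while the callers in nwfilter_learnipaddr.c treat a non-zero result from applyBasicRules/applyDHCPOnlyRules as failure (`goto err_free_ht`). A one-line comment on each typedef would keep a future driver from inverting one of them, e.g. above virNWFilterCanApplyBasicRules `/* Returns non-zero if the driver can apply the basic and DHCP-only rules below. */` and above the apply/remove typedefs `/* Return 0 on success, non-zero on failure. */`. The removeBasicRules result is discarded at both call sites in nwfilter_learnipaddr.c, so stating its convention explicitly here is the only place a reader can learn it.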
@ -506,6 +517,11 @@ struct _virNWFilterTechDriver {
|
|||||||
virNWFilterRuleAllTeardown allTeardown;
|
virNWFilterRuleAllTeardown allTeardown;
|
||||||
virNWFilterRuleFreeInstanceData freeRuleInstance;
|
virNWFilterRuleFreeInstanceData freeRuleInstance;
|
||||||
virNWFilterRuleDisplayInstanceData displayRuleInstance;
|
virNWFilterRuleDisplayInstanceData displayRuleInstance;
|
||||||
|
|
||||||
|
virNWFilterCanApplyBasicRules canApplyBasicRules;
|
||||||
|
virNWFilterApplyBasicRules applyBasicRules;
|
||||||
|
virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
|
||||||
|
virNWFilterRemoveBasicRules removeBasicRules;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -98,6 +98,7 @@ static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
|
|||||||
#define MATCH_PHYSDEV_OUT m_physdev_out_str
|
#define MATCH_PHYSDEV_OUT m_physdev_out_str
|
||||||
|
|
||||||
|
|
||||||
|
static int ebtablesRemoveBasicRules(const char *ifname);
|
||||||
static int ebiptablesDriverInit(void);
|
static int ebiptablesDriverInit(void);
|
||||||
static void ebiptablesDriverShutdown(void);
|
static void ebiptablesDriverShutdown(void);
|
||||||
|
|
||||||
@ -2577,6 +2578,18 @@ ebiptablesInstCommand(virBufferPtr buf,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* ebiptablesCanApplyBasicRules
|
||||||
|
*
|
||||||
|
* Determine whether this driver can apply the basic rules, meaning
|
||||||
|
* run ebtablesApplyBasicRules and ebtablesApplyDHCPOnlyRules.
|
||||||
|
* In case of this driver we need the ebtables tool available.
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
ebiptablesCanApplyBasicRules(void) {
|
||||||
|
return (ebtables_cmd_path != NULL);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ebtablesApplyBasicRules
|
* ebtablesApplyBasicRules
|
||||||
*
|
*
|
||||||
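Review bot: ebiptablesCanApplyBasicRules has a doc comment but no statement of what it returns, and its opening brace sits on the signature line (`ebiptablesCanApplyBasicRules(void) {`) whereas the neighbouring functions in this file put the function brace on its own line (see ebtablesApplyBasicRules directly below). I would add `* Returns 1 if the ebtables tool was found, 0 otherwise.` to the comment block, since `(ebtables_cmd_path != NULL)` yields exactly 0 or 1, and move the brace to its own line. The result presumably depends on ebiptablesDriverInit having populated ebtables_cmd_path; if that is the case, the comment should also say that the check is only meaningful once the driver has been initialized.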
@ -2591,7 +2604,7 @@ ebiptablesInstCommand(virBufferPtr buf,
|
|||||||
* - filtering for MAC address spoofing
|
* - filtering for MAC address spoofing
|
||||||
* - allowing IPv4 & ARP traffic
|
* - allowing IPv4 & ARP traffic
|
||||||
*/
|
*/
|
||||||
int
|
static int
|
||||||
ebtablesApplyBasicRules(const char *ifname,
|
ebtablesApplyBasicRules(const char *ifname,
|
||||||
const unsigned char *macaddr)
|
const unsigned char *macaddr)
|
||||||
{
|
{
|
||||||
@ -2685,7 +2698,7 @@ tear_down_tmpebchains:
|
|||||||
* Apply filtering rules so that the VM can only send and receive
|
* Apply filtering rules so that the VM can only send and receive
|
||||||
* DHCP traffic and nothing else.
|
* DHCP traffic and nothing else.
|
||||||
*/
|
*/
|
||||||
int
|
static int
|
||||||
ebtablesApplyDHCPOnlyRules(const char *ifname,
|
ebtablesApplyDHCPOnlyRules(const char *ifname,
|
||||||
const unsigned char *macaddr,
|
const unsigned char *macaddr,
|
||||||
const char *dhcpserver)
|
const char *dhcpserver)
|
||||||
@ -2794,7 +2807,7 @@ tear_down_tmpebchains:
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
int
|
static int
|
||||||
ebtablesRemoveBasicRules(const char *ifname)
|
ebtablesRemoveBasicRules(const char *ifname)
|
||||||
{
|
{
|
||||||
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
||||||
@ -3188,6 +3201,11 @@ virNWFilterTechDriver ebiptables_driver = {
|
|||||||
.removeRules = ebiptablesRemoveRules,
|
.removeRules = ebiptablesRemoveRules,
|
||||||
.freeRuleInstance = ebiptablesFreeRuleInstance,
|
.freeRuleInstance = ebiptablesFreeRuleInstance,
|
||||||
.displayRuleInstance = ebiptablesDisplayRuleInstance,
|
.displayRuleInstance = ebiptablesDisplayRuleInstance,
|
||||||
|
|
||||||
|
.canApplyBasicRules = ebiptablesCanApplyBasicRules,
|
||||||
|
.applyBasicRules = ebtablesApplyBasicRules,
|
||||||
|
.applyDHCPOnlyRules = ebtablesApplyDHCPOnlyRules,
|
||||||
|
.removeBasicRules = ebtablesRemoveBasicRules,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -45,12 +45,4 @@ extern virNWFilterTechDriver ebiptables_driver;
|
|||||||
|
|
||||||
# define EBIPTABLES_DRIVER_ID "ebiptables"
|
# define EBIPTABLES_DRIVER_ID "ebiptables"
|
||||||
|
|
||||||
|
|
||||||
int ebtablesApplyBasicRules(const char *ifname,
|
|
||||||
const unsigned char *macaddr);
|
|
||||||
int ebtablesApplyDHCPOnlyRules(const char *ifname,
|
|
||||||
const unsigned char *macaddr,
|
|
||||||
const char *dhcpServer);
|
|
||||||
int ebtablesRemoveBasicRules(const char *ifname);
|
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -593,7 +593,8 @@ virNWFilterInstantiate(virConnectPtr conn,
|
|||||||
if (virHashLookup(missing_vars->hashTable,
|
if (virHashLookup(missing_vars->hashTable,
|
||||||
NWFILTER_STD_VAR_IP) != NULL) {
|
NWFILTER_STD_VAR_IP) != NULL) {
|
||||||
if (virNWFilterLookupLearnReq(ifname) == NULL) {
|
if (virNWFilterLookupLearnReq(ifname) == NULL) {
|
||||||
rc = virNWFilterLearnIPAddress(ifname,
|
rc = virNWFilterLearnIPAddress(techdriver,
|
||||||
|
ifname,
|
||||||
linkdev,
|
linkdev,
|
||||||
nettype, macaddr,
|
nettype, macaddr,
|
||||||
filter->name,
|
filter->name,
|
||||||
|
@ -293,6 +293,7 @@ learnIPAddressThread(void *arg)
|
|||||||
char *filter= NULL;
|
char *filter= NULL;
|
||||||
uint16_t etherType;
|
uint16_t etherType;
|
||||||
enum howDetect howDetected = 0;
|
enum howDetect howDetected = 0;
|
||||||
|
virNWFilterTechDriverPtr techdriver = req->techdriver;
|
||||||
|
|
||||||
req->status = 0;
|
req->status = 0;
|
||||||
|
|
||||||
@ -458,7 +459,7 @@ learnIPAddressThread(void *arg)
|
|||||||
if (handle)
|
if (handle)
|
||||||
pcap_close(handle);
|
pcap_close(handle);
|
||||||
|
|
||||||
ebtablesRemoveBasicRules(req->ifname);
|
techdriver->removeBasicRules(req->ifname);
|
||||||
|
|
||||||
if (req->status == 0) {
|
if (req->status == 0) {
|
||||||
int ret;
|
int ret;
|
||||||
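Review bot: `techdriver->removeBasicRules(req->ifname)` calls through a driver member without checking that the driver implements it, and the same applies to `techdriver->applyDHCPOnlyRules`, `techdriver->applyBasicRules` and the second `techdriver->removeBasicRules` in the later hunks of this file; with the ebiptables driver all four are set, but the interface now admits drivers that leave them NULL, and a NULL call inside learnIPAddressThread would bring down the whole daemon rather than fail one request. The cheapest guard is a single check in virNWFilterLearnIPAddress before the request is registered, e.g. `if (!techdriver->applyBasicRules || !techdriver->applyDHCPOnlyRules || !techdriver->removeBasicRules) return the function's existing error value;`, so that the thread can rely on the pointers it stores in req->techdriver. Alternatively the driver interface in nwfilter_conf.h could state that these members are mandatory. learnIPAddressThread begins and ends outside this hunk.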
@ -493,7 +494,7 @@ learnIPAddressThread(void *arg)
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* virNWFilterLearnIPAddress
|
* virNWFilterLearnIPAddress
|
||||||
* @conn: pointer to virConnect object
|
* @techdriver : driver to build firewalls
|
||||||
* @ifname: the name of the interface
|
* @ifname: the name of the interface
|
||||||
* @linkdev : the name of the link device; currently only used in case of a
|
* @linkdev : the name of the link device; currently only used in case of a
|
||||||
* macvtap device
|
* macvtap device
|
||||||
@ -513,7 +514,8 @@ learnIPAddressThread(void *arg)
|
|||||||
* firewall rules on the interface.
|
* firewall rules on the interface.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
virNWFilterLearnIPAddress(const char *ifname,
|
virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
|
||||||
|
const char *ifname,
|
||||||
const char *linkdev,
|
const char *linkdev,
|
||||||
enum virDomainNetType nettype,
|
enum virDomainNetType nettype,
|
||||||
const unsigned char *macaddr,
|
const unsigned char *macaddr,
|
||||||
@ -569,6 +571,7 @@ virNWFilterLearnIPAddress(const char *ifname,
|
|||||||
req->filterparams = ht;
|
req->filterparams = ht;
|
||||||
ht = NULL;
|
ht = NULL;
|
||||||
req->howDetect = howDetect;
|
req->howDetect = howDetect;
|
||||||
|
req->techdriver = techdriver;
|
||||||
|
|
||||||
rc = virNWFilterRegisterLearnReq(req);
|
rc = virNWFilterRegisterLearnReq(req);
|
||||||
|
|
||||||
@ -577,13 +580,13 @@ virNWFilterLearnIPAddress(const char *ifname,
|
|||||||
|
|
||||||
switch (howDetect) {
|
switch (howDetect) {
|
||||||
case DETECT_DHCP:
|
case DETECT_DHCP:
|
||||||
if (ebtablesApplyDHCPOnlyRules(ifname,
|
if (techdriver->applyDHCPOnlyRules(ifname,
|
||||||
macaddr,
|
macaddr,
|
||||||
NULL))
|
NULL))
|
||||||
goto err_free_ht;
|
goto err_free_ht;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
if (ebtablesApplyBasicRules(ifname,
|
if (techdriver->applyBasicRules(ifname,
|
||||||
macaddr))
|
macaddr))
|
||||||
goto err_free_ht;
|
goto err_free_ht;
|
||||||
}
|
}
|
||||||
@ -598,7 +601,7 @@ virNWFilterLearnIPAddress(const char *ifname,
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
err_remove_rules:
|
err_remove_rules:
|
||||||
ebtablesRemoveBasicRules(ifname);
|
techdriver->removeBasicRules(ifname);
|
||||||
err_free_ht:
|
err_free_ht:
|
||||||
virNWFilterHashTableFree(ht);
|
virNWFilterHashTableFree(ht);
|
||||||
err_no_ht:
|
err_no_ht:
|
||||||
@ -610,7 +613,8 @@ err_no_req:
|
|||||||
#else
|
#else
|
||||||
|
|
||||||
int
|
int
|
||||||
virNWFilterLearnIPAddress(const char *ifname ATTRIBUTE_UNUSED,
|
virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
|
||||||
|
const char *ifname ATTRIBUTE_UNUSED,
|
||||||
const char *linkdev ATTRIBUTE_UNUSED,
|
const char *linkdev ATTRIBUTE_UNUSED,
|
||||||
enum virDomainNetType nettype ATTRIBUTE_UNUSED,
|
enum virDomainNetType nettype ATTRIBUTE_UNUSED,
|
||||||
const unsigned char *macaddr ATTRIBUTE_UNUSED,
|
const unsigned char *macaddr ATTRIBUTE_UNUSED,
|
||||||
|
@ -33,6 +33,7 @@ enum howDetect {
|
|||||||
typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq;
|
typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq;
|
||||||
typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr;
|
typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr;
|
||||||
struct _virNWFilterIPAddrLearnReq {
|
struct _virNWFilterIPAddrLearnReq {
|
||||||
|
virNWFilterTechDriverPtr techdriver;
|
||||||
char ifname[IF_NAMESIZE];
|
char ifname[IF_NAMESIZE];
|
||||||
char linkdev[IF_NAMESIZE];
|
char linkdev[IF_NAMESIZE];
|
||||||
enum virDomainNetType nettype;
|
enum virDomainNetType nettype;
|
||||||
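Review bot: The new `techdriver` member of struct _virNWFilterIPAddrLearnReq has no comment saying what it refers to or who owns it, and it matters here because learnIPAddressThread reads `req->techdriver` after virNWFilterLearnIPAddress has returned to its caller. The .c hunks only store the pointer (`req->techdriver = techdriver;`) and never copy or free it, so it appears to be held by reference; I would add `/* driver used to apply/remove the learn-phase rules; not owned, must outlive this request */` next to the field, adjusting the wording if the driver object is in fact copied elsewhere.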
@ -46,7 +47,8 @@ struct _virNWFilterIPAddrLearnReq {
|
|||||||
pthread_t thread;
|
pthread_t thread;
|
||||||
};
|
};
|
||||||
|
|
||||||
int virNWFilterLearnIPAddress(const char *ifname,
|
int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
|
||||||
|
const char *ifname,
|
||||||
const char *linkdev,
|
const char *linkdev,
|
||||||
enum virDomainNetType nettype,
|
enum virDomainNetType nettype,
|
||||||
const unsigned char *macaddr,
|
const unsigned char *macaddr,
|
||||||
|