Extend fwall-drv interface and call functions via interface

I am moving some of the eb/iptables related functions into the interface
of the firewall driver and am making them only accessible via the driver's
interface. Otherwise existing code is adapted where needed. I am adding one
new function to the interface that checks whether the 'basic' rules can be
applied, which will then be used by a subsequent patch.
This commit is contained in:
Stefan Berger 2010-04-20 17:07:15 -04:00
parent 8f342c6f9a
commit c8f4dcca6a
6 changed files with 56 additions and 23 deletions


@ -487,6 +487,17 @@ typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
typedef int (*virNWFilterRuleDisplayInstanceData)(virConnectPtr conn, typedef int (*virNWFilterRuleDisplayInstanceData)(virConnectPtr conn,
void *_inst); void *_inst);
typedef int (*virNWFilterCanApplyBasicRules)(void);
typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
const unsigned char *macaddr);
typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
const unsigned char *macaddr,
const char *dhcpserver);
typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
enum techDrvFlags { enum techDrvFlags {
TECHDRV_FLAG_INITIALIZED = (1 << 0), TECHDRV_FLAG_INITIALIZED = (1 << 0),
}; };
@ -506,6 +517,11 @@ struct _virNWFilterTechDriver {
virNWFilterRuleAllTeardown allTeardown; virNWFilterRuleAllTeardown allTeardown;
virNWFilterRuleFreeInstanceData freeRuleInstance; virNWFilterRuleFreeInstanceData freeRuleInstance;
virNWFilterRuleDisplayInstanceData displayRuleInstance; virNWFilterRuleDisplayInstanceData displayRuleInstance;
virNWFilterCanApplyBasicRules canApplyBasicRules;
virNWFilterApplyBasicRules applyBasicRules;
virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
virNWFilterRemoveBasicRules removeBasicRules;
}; };
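Review bot: The four new callback typedefs and the matching struct members are undocumented, so a driver author cannot tell from the header what each must return or whether every driver has to implement all of them. The contract is visible from the callers and the ebiptables implementation in this series: canApplyBasicRules returns non-zero when the rules can be applied, and the apply/remove callbacks return 0 on success (non-zero is treated as failure and jumps to the error path). Suggest a short comment above the typedefs along the lines of `/* canApplyBasicRules: non-zero if the driver can apply basic/DHCP-only rules on this host. applyBasicRules/applyDHCPOnlyRules/removeBasicRules: return 0 on success. */`, and a note that macaddr is a raw MAC buffer rather than a NUL-terminated string, with its expected length stated.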


@ -98,6 +98,7 @@ static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
#define MATCH_PHYSDEV_OUT m_physdev_out_str #define MATCH_PHYSDEV_OUT m_physdev_out_str
static int ebtablesRemoveBasicRules(const char *ifname);
static int ebiptablesDriverInit(void); static int ebiptablesDriverInit(void);
static void ebiptablesDriverShutdown(void); static void ebiptablesDriverShutdown(void);
@ -2577,6 +2578,18 @@ ebiptablesInstCommand(virBufferPtr buf,
} }
/**
* ebiptablesCanApplyBasicRules
*
* Determine whether this driver can apply the basic rules, meaning
* run ebtablesApplyBasicRules and ebtablesApplyDHCPOnlyRules.
* In case of this driver we need the ebtables tool available.
*/
static int
ebiptablesCanApplyBasicRules(void) {
return (ebtables_cmd_path != NULL);
}
/** /**
* ebtablesApplyBasicRules * ebtablesApplyBasicRules
* *
@ -2591,7 +2604,7 @@ ebiptablesInstCommand(virBufferPtr buf,
* - filtering for MAC address spoofing * - filtering for MAC address spoofing
* - allowing IPv4 & ARP traffic * - allowing IPv4 & ARP traffic
*/ */
int static int
ebtablesApplyBasicRules(const char *ifname, ebtablesApplyBasicRules(const char *ifname,
const unsigned char *macaddr) const unsigned char *macaddr)
{ {
@ -2685,7 +2698,7 @@ tear_down_tmpebchains:
* Apply filtering rules so that the VM can only send and receive * Apply filtering rules so that the VM can only send and receive
* DHCP traffic and nothing else. * DHCP traffic and nothing else.
*/ */
int static int
ebtablesApplyDHCPOnlyRules(const char *ifname, ebtablesApplyDHCPOnlyRules(const char *ifname,
const unsigned char *macaddr, const unsigned char *macaddr,
const char *dhcpserver) const char *dhcpserver)
@ -2794,7 +2807,7 @@ tear_down_tmpebchains:
} }
int static int
ebtablesRemoveBasicRules(const char *ifname) ebtablesRemoveBasicRules(const char *ifname)
{ {
virBuffer buf = VIR_BUFFER_INITIALIZER; virBuffer buf = VIR_BUFFER_INITIALIZER;
@ -3188,6 +3201,11 @@ virNWFilterTechDriver ebiptables_driver = {
.removeRules = ebiptablesRemoveRules, .removeRules = ebiptablesRemoveRules,
.freeRuleInstance = ebiptablesFreeRuleInstance, .freeRuleInstance = ebiptablesFreeRuleInstance,
.displayRuleInstance = ebiptablesDisplayRuleInstance, .displayRuleInstance = ebiptablesDisplayRuleInstance,
.canApplyBasicRules = ebiptablesCanApplyBasicRules,
.applyBasicRules = ebtablesApplyBasicRules,
.applyDHCPOnlyRules = ebtablesApplyDHCPOnlyRules,
.removeBasicRules = ebtablesRemoveBasicRules,
}; };
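Review bot: The comment on ebiptablesCanApplyBasicRules names only the two apply functions, but the driver table now also exports ebtablesRemoveBasicRules through the same interface and it presumably has the same dependency on the ebtables binary; suggest `* run ebtablesApplyBasicRules, ebtablesApplyDHCPOnlyRules and ebtablesRemoveBasicRules.`. It would also help to state that the result only reflects ebtables_cmd_path as set during driver initialization, so a caller that asks before ebiptablesDriverInit has run gets a negative answer (that ordering is not visible in the hunk). As a point of style, the newly static helpers keep the `ebtables` prefix while the new predicate and the driver ops use `ebiptables`; a consistent prefix would make it clearer which functions belong to the driver's private surface.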


@ -45,12 +45,4 @@ extern virNWFilterTechDriver ebiptables_driver;
# define EBIPTABLES_DRIVER_ID "ebiptables" # define EBIPTABLES_DRIVER_ID "ebiptables"
int ebtablesApplyBasicRules(const char *ifname,
const unsigned char *macaddr);
int ebtablesApplyDHCPOnlyRules(const char *ifname,
const unsigned char *macaddr,
const char *dhcpServer);
int ebtablesRemoveBasicRules(const char *ifname);
#endif #endif


@ -593,7 +593,8 @@ virNWFilterInstantiate(virConnectPtr conn,
if (virHashLookup(missing_vars->hashTable, if (virHashLookup(missing_vars->hashTable,
NWFILTER_STD_VAR_IP) != NULL) { NWFILTER_STD_VAR_IP) != NULL) {
if (virNWFilterLookupLearnReq(ifname) == NULL) { if (virNWFilterLookupLearnReq(ifname) == NULL) {
rc = virNWFilterLearnIPAddress(ifname, rc = virNWFilterLearnIPAddress(techdriver,
ifname,
linkdev, linkdev,
nettype, macaddr, nettype, macaddr,
filter->name, filter->name,


@ -293,6 +293,7 @@ learnIPAddressThread(void *arg)
char *filter= NULL; char *filter= NULL;
uint16_t etherType; uint16_t etherType;
enum howDetect howDetected = 0; enum howDetect howDetected = 0;
virNWFilterTechDriverPtr techdriver = req->techdriver;
req->status = 0; req->status = 0;
@ -458,7 +459,7 @@ learnIPAddressThread(void *arg)
if (handle) if (handle)
pcap_close(handle); pcap_close(handle);
ebtablesRemoveBasicRules(req->ifname); techdriver->removeBasicRules(req->ifname);
if (req->status == 0) { if (req->status == 0) {
int ret; int ret;
@ -493,7 +494,7 @@ learnIPAddressThread(void *arg)
/** /**
* virNWFilterLearnIPAddress * virNWFilterLearnIPAddress
* @conn: pointer to virConnect object * @techdriver : driver to build firewalls
* @ifname: the name of the interface * @ifname: the name of the interface
* @linkdev : the name of the link device; currently only used in case of a * @linkdev : the name of the link device; currently only used in case of a
* macvtap device * macvtap device
@ -513,7 +514,8 @@ learnIPAddressThread(void *arg)
* firewall rules on the interface. * firewall rules on the interface.
*/ */
int int
virNWFilterLearnIPAddress(const char *ifname, virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
const char *ifname,
const char *linkdev, const char *linkdev,
enum virDomainNetType nettype, enum virDomainNetType nettype,
const unsigned char *macaddr, const unsigned char *macaddr,
@ -569,6 +571,7 @@ virNWFilterLearnIPAddress(const char *ifname,
req->filterparams = ht; req->filterparams = ht;
ht = NULL; ht = NULL;
req->howDetect = howDetect; req->howDetect = howDetect;
req->techdriver = techdriver;
rc = virNWFilterRegisterLearnReq(req); rc = virNWFilterRegisterLearnReq(req);
@ -577,13 +580,13 @@ virNWFilterLearnIPAddress(const char *ifname,
switch (howDetect) { switch (howDetect) {
case DETECT_DHCP: case DETECT_DHCP:
if (ebtablesApplyDHCPOnlyRules(ifname, if (techdriver->applyDHCPOnlyRules(ifname,
macaddr, macaddr,
NULL)) NULL))
goto err_free_ht; goto err_free_ht;
break; break;
default: default:
if (ebtablesApplyBasicRules(ifname, if (techdriver->applyBasicRules(ifname,
macaddr)) macaddr))
goto err_free_ht; goto err_free_ht;
} }
@ -598,7 +601,7 @@ virNWFilterLearnIPAddress(const char *ifname,
return 0; return 0;
err_remove_rules: err_remove_rules:
ebtablesRemoveBasicRules(ifname); techdriver->removeBasicRules(ifname);
err_free_ht: err_free_ht:
virNWFilterHashTableFree(ht); virNWFilterHashTableFree(ht);
err_no_ht: err_no_ht:
@ -610,7 +613,8 @@ err_no_req:
#else #else
int int
virNWFilterLearnIPAddress(const char *ifname ATTRIBUTE_UNUSED, virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
const char *ifname ATTRIBUTE_UNUSED,
const char *linkdev ATTRIBUTE_UNUSED, const char *linkdev ATTRIBUTE_UNUSED,
enum virDomainNetType nettype ATTRIBUTE_UNUSED, enum virDomainNetType nettype ATTRIBUTE_UNUSED,
const unsigned char *macaddr ATTRIBUTE_UNUSED, const unsigned char *macaddr ATTRIBUTE_UNUSED,
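Review bot: techdriver is dereferenced at `techdriver->removeBasicRules(req->ifname)` in learnIPAddressThread and at the applyDHCPOnlyRules, applyBasicRules and removeBasicRules calls in virNWFilterLearnIPAddress without any check that the pointer or those callbacks are set; the struct members added in this commit are not marked mandatory, so a driver that leaves one of them NULL would crash inside the learning thread instead of failing the instantiation. A guard at the top of virNWFilterLearnIPAddress, e.g. `if (!techdriver || !techdriver->applyBasicRules || !techdriver->applyDHCPOnlyRules || !techdriver->removeBasicRules)` followed by the function's existing error return, would fail on the caller's thread before the request is registered; the caller in virNWFilterInstantiate passes the pointer straight through, so no check exists there either. The new canApplyBasicRules callback would be the natural hook for this once the follow-up patch wires it in. Both learnIPAddressThread and virNWFilterLearnIPAddress start and end outside the hunks shown.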


@ -33,6 +33,7 @@ enum howDetect {
typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq; typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq;
typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr; typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr;
struct _virNWFilterIPAddrLearnReq { struct _virNWFilterIPAddrLearnReq {
virNWFilterTechDriverPtr techdriver;
char ifname[IF_NAMESIZE]; char ifname[IF_NAMESIZE];
char linkdev[IF_NAMESIZE]; char linkdev[IF_NAMESIZE];
enum virDomainNetType nettype; enum virDomainNetType nettype;
@ -46,7 +47,8 @@ struct _virNWFilterIPAddrLearnReq {
pthread_t thread; pthread_t thread;
}; };
int virNWFilterLearnIPAddress(const char *ifname, int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
const char *ifname,
const char *linkdev, const char *linkdev,
enum virDomainNetType nettype, enum virDomainNetType nettype,
const unsigned char *macaddr, const unsigned char *macaddr,
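Review bot: The new `techdriver` member of struct _virNWFilterIPAddrLearnReq has no comment on its lifetime: it is stored by virNWFilterLearnIPAddress and read later from the learning thread, and nothing in the patch frees it, so it is presumably a borrowed pointer to a driver object that outlives the request. Suggest `virNWFilterTechDriverPtr techdriver; /* borrowed, not owned; must outlive the request */` so the thread's later dereference is visibly intentional. The prototype's parameter list continues past the end of the hunk.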