External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-05 05:45:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

util: refactor iptables command construction into multiple steps

Browse Source 
Instead of creating an iptables command in one shot, do it in steps
so we can add conditional options like physdev and protocol.

This removes code duplication while keeping existing behaviour.

Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
Natanael Copa 2013-02-04 10:45:23 +01:00 committed by Eric Blake
parent 66d9bc00ab
commit f3531a040c
1 changed files with 59 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
src/util/viriptables.c
View File

@ -1,7 +1,7 @@
/*
* viriptables.c: helper APIs for managing iptables
*
* Copyright (C) 2007-2012 Red Hat, Inc.
* Copyright (C) 2007-2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@ -129,15 +129,10 @@ iptRulesNew(const char *table,
return NULL;
}
static int ATTRIBUTE_SENTINEL
iptablesAddRemoveRule(iptRules *rules, int family, int action,
const char *arg, ...)
static virCommandPtr
iptablesCommandNew(iptRules *rules, int family, int action)
{
va_list args;
int ret;
virCommandPtr cmd = NULL;
const char *s;
#if HAVE_FIREWALLD
virIpTablesInitialize();
if (firewall_cmd_path) {
@ -154,16 +149,36 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action,
virCommandAddArgList(cmd, "--table", rules->table,
action == ADD ? "--insert" : "--delete",
rules->chain, arg, NULL);
rules->chain, NULL);
return cmd;
}
static int
iptablesCommandRunAndFree(virCommandPtr cmd)
{
int ret;
ret = virCommandRun(cmd, NULL);
virCommandFree(cmd);
return ret;
}
static int ATTRIBUTE_SENTINEL
iptablesAddRemoveRule(iptRules *rules, int family, int action,
const char *arg, ...)
{
va_list args;
virCommandPtr cmd = NULL;
const char *s;
cmd = iptablesCommandNew(rules, family, action);
virCommandAddArg(cmd, arg);
va_start(args, arg);
while ((s = va_arg(args, const char *)))
virCommandAddArg(cmd, s);
va_end(args);
ret = virCommandRun(cmd, NULL);
virCommandFree(cmd);
return ret;
return iptablesCommandRunAndFree(cmd);
}
/**
@ -372,28 +387,24 @@ iptablesForwardAllowOut(iptablesContext *ctx,
{
int ret;
char *networkstr;
virCommandPtr cmd = NULL;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->forward_filter,
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--source", networkstr,
"--in-interface", iface,
"--out-interface", physdev,
"--jump", "ACCEPT",
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->forward_filter,
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
NULL);
}
cmd = iptablesCommandNew(ctx->forward_filter,
VIR_SOCKET_ADDR_FAMILY(netaddr),
action);
virCommandAddArgList(cmd,
"--source", networkstr,
"--in-interface", iface, NULL);
if (physdev && physdev[0])
virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
virCommandAddArgList(cmd, "--jump", "ACCEPT", NULL);
ret = iptablesCommandRunAndFree(cmd);
VIR_FREE(networkstr);
return ret;
}
@ -799,6 +810,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
{
int ret;
char *networkstr;
virCommandPtr cmd = NULL;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@ -812,49 +824,23 @@ iptablesForwardMasquerade(iptablesContext *ctx,
return -1;
}
if (protocol && protocol[0]) {
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
AF_INET,
action,
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
"--out-interface", physdev,
"--jump", "MASQUERADE",
"--to-ports", "1024-65535",
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
AF_INET,
action,
"--source", networkstr,
"-p", protocol,
"!", "--destination", networkstr,
"--jump", "MASQUERADE",
"--to-ports", "1024-65535",
NULL);
}
} else {
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
AF_INET,
action,
"--source", networkstr,
"!", "--destination", networkstr,
"--out-interface", physdev,
"--jump", "MASQUERADE",
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
AF_INET,
action,
"--source", networkstr,
"!", "--destination", networkstr,
"--jump", "MASQUERADE",
NULL);
}
}
cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action);
virCommandAddArgList(cmd, "--source", networkstr, NULL);
if (protocol && protocol[0])
virCommandAddArgList(cmd, "-p", protocol, NULL);
virCommandAddArgList(cmd, "!", "--destination", networkstr, NULL);
if (physdev && physdev[0])
virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL);
if (protocol && protocol[0])
virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL);
ret = iptablesCommandRunAndFree(cmd);
VIR_FREE(networkstr);
return ret;
}