util: refactor iptables APIs to share more code

Most of the iptables APIs share code for the add/delete paths, but a couple were separated. Merge the remaining APIs to facilitate future changes. Reviewed-by: N Laine Stump <laine@laine.org> Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com>

util: refactor iptables APIs to share more code
Most of the iptables APIs share code for the add/delete paths, but a couple were separated. Merge the remaining APIs to facilitate future changes. Reviewed-by: N Laine Stump <laine@laine.org> Signed-off-by: N Daniel P. Berrangé <berrange@redhat.com>
2deb74f1 · Daniel P. Berrangé · 84e7d8f4 · 2deb74f1
隐藏空白更改
内联并排

Showing with 42 addition and 31 deletion

src/util/viriptables.c src/util/viriptables.c +42 -31

未找到文件。
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
    return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
 }

+static void
+iptablesForwardAllowCross(virFirewallPtr fw,
+                          virFirewallLayer layer,
+                          const char *iface,
+                          int action)
+{
+    virFirewallAddRule(fw, layer,
+                       "--table", "filter",
+                       action == ADD ? "--insert" : "--delete", "FORWARD",
+                       "--in-interface", iface,
+                       "--out-interface", iface,
+                       "--jump", "ACCEPT",
+                       NULL);
+}
+
 /**
 * iptablesAddForwardAllowCross:
 * @ctx: pointer to the IP table context
@@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
                             virFirewallLayer layer,
                             const char *iface)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       "--insert", "FORWARD",
-                       "--in-interface", iface,
-                       "--out-interface", iface,
-                       "--jump", "ACCEPT",
-                       NULL);
+    iptablesForwardAllowCross(fw, layer, iface, ADD);
 }

 /**
@@ -535,13 +544,21 @@ void
 iptablesRemoveForwardAllowCross(virFirewallPtr fw,
                                virFirewallLayer layer,
                                const char *iface)
+{
+    iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+}
+
+static void
+iptablesForwardRejectOut(virFirewallPtr fw,
+                         virFirewallLayer layer,
+                         const char *iface,
+                         int action)
 {
    virFirewallAddRule(fw, layer,
                       "--table", "filter",
-                       "--delete", "FORWARD",
+                       action == ADD ? "--insert" : "delete", "FORWARD",
                       "--in-interface", iface,
-                       "--out-interface", iface,
-                       "--jump", "ACCEPT",
+                       "--jump", "REJECT",
                       NULL);
 }

@@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
                            virFirewallLayer layer,
                            const char *iface)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       "--insert", "FORWARD",
-                       "--in-interface", iface,
-                       "--jump", "REJECT",
-                       NULL);
+    iptablesForwardRejectOut(fw, layer, iface, ADD);
 }

 /**
@@ -582,16 +594,25 @@ void
 iptablesRemoveForwardRejectOut(virFirewallPtr fw,
                               virFirewallLayer layer,
                               const char *iface)
+{
+    iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+}
+
+
+static void
+iptablesForwardRejectIn(virFirewallPtr fw,
+                        virFirewallLayer layer,
+                        const char *iface,
+                        int action)
 {
    virFirewallAddRule(fw, layer,
                       "--table", "filter",
-                       "--delete", "FORWARD",
-                       "--in-interface", iface,
+                       action == ADD ? "--insert" : "--delete", "FORWARD",
+                       "--out-interface", iface,
                       "--jump", "REJECT",
                       NULL);
 }

-
 /**
 * iptablesAddForwardRejectIn:
 * @ctx: pointer to the IP table context
@@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
                           virFirewallLayer layer,
                           const char *iface)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       "--insert", "FORWARD",
-                       "--out-interface", iface,
-                       "--jump", "REJECT",
-                       NULL);
+    iptablesForwardRejectIn(fw, layer, iface, ADD);
 }

 /**
@@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
                              virFirewallLayer layer,
                              const char *iface)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       "--delete", "FORWARD",
-                       "--out-interface", iface,
-                       "--jump", "REJECT",
-                       NULL);
+    iptablesForwardRejectIn(fw, layer, iface, REMOVE);
 }