提交 2deb74f1 编写于 作者: D Daniel P. Berrangé

util: refactor iptables APIs to share more code

Most of the iptables APIs share code for the add/delete paths, but a
couple were separated. Merge the remaining APIs to facilitate future
changes.
Reviewed-by: NLaine Stump <laine@laine.org>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
上级 84e7d8f4
...@@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, ...@@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE); return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
} }
static void
iptablesForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
action == ADD ? "--insert" : "--delete", "FORWARD",
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
}
/** /**
* iptablesAddForwardAllowCross: * iptablesAddForwardAllowCross:
* @ctx: pointer to the IP table context * @ctx: pointer to the IP table context
...@@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, ...@@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer, virFirewallLayer layer,
const char *iface) const char *iface)
{ {
virFirewallAddRule(fw, layer, iptablesForwardAllowCross(fw, layer, iface, ADD);
"--table", "filter",
"--insert", "FORWARD",
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
} }
/** /**
...@@ -535,13 +544,21 @@ void ...@@ -535,13 +544,21 @@ void
iptablesRemoveForwardAllowCross(virFirewallPtr fw, iptablesRemoveForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer, virFirewallLayer layer,
const char *iface) const char *iface)
{
iptablesForwardAllowCross(fw, layer, iface, REMOVE);
}
static void
iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
int action)
{ {
virFirewallAddRule(fw, layer, virFirewallAddRule(fw, layer,
"--table", "filter", "--table", "filter",
"--delete", "FORWARD", action == ADD ? "--insert" : "delete", "FORWARD",
"--in-interface", iface, "--in-interface", iface,
"--out-interface", iface, "--jump", "REJECT",
"--jump", "ACCEPT",
NULL); NULL);
} }
...@@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, ...@@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer, virFirewallLayer layer,
const char *iface) const char *iface)
{ {
virFirewallAddRule(fw, layer, iptablesForwardRejectOut(fw, layer, iface, ADD);
"--table", "filter",
"--insert", "FORWARD",
"--in-interface", iface,
"--jump", "REJECT",
NULL);
} }
/** /**
...@@ -582,16 +594,25 @@ void ...@@ -582,16 +594,25 @@ void
iptablesRemoveForwardRejectOut(virFirewallPtr fw, iptablesRemoveForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer, virFirewallLayer layer,
const char *iface) const char *iface)
{
iptablesForwardRejectOut(fw, layer, iface, REMOVE);
}
static void
iptablesForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
int action)
{ {
virFirewallAddRule(fw, layer, virFirewallAddRule(fw, layer,
"--table", "filter", "--table", "filter",
"--delete", "FORWARD", action == ADD ? "--insert" : "--delete", "FORWARD",
"--in-interface", iface, "--out-interface", iface,
"--jump", "REJECT", "--jump", "REJECT",
NULL); NULL);
} }
/** /**
* iptablesAddForwardRejectIn: * iptablesAddForwardRejectIn:
* @ctx: pointer to the IP table context * @ctx: pointer to the IP table context
...@@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, ...@@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer, virFirewallLayer layer,
const char *iface) const char *iface)
{ {
virFirewallAddRule(fw, layer, iptablesForwardRejectIn(fw, layer, iface, ADD);
"--table", "filter",
"--insert", "FORWARD",
"--out-interface", iface,
"--jump", "REJECT",
NULL);
} }
/** /**
...@@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, ...@@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer, virFirewallLayer layer,
const char *iface) const char *iface)
{ {
virFirewallAddRule(fw, layer, iptablesForwardRejectIn(fw, layer, iface, REMOVE);
"--table", "filter",
"--delete", "FORWARD",
"--out-interface", iface,
"--jump", "REJECT",
NULL);
} }
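Review bot: In the new iptablesForwardRejectOut helper the REMOVE branch passes the bare token `"delete"` instead of `"--delete"` (`action == ADD ? "--insert" : "delete", "FORWARD",`), while the sibling helpers iptablesForwardAllowCross and iptablesForwardRejectIn both spell it `"--delete"`. iptables does not accept `delete` as a command, so iptablesRemoveForwardRejectOut would presumably fail and leave the `--in-interface <iface> --jump REJECT` rule in the FORWARD chain after the network is torn down, defeating the add/remove symmetry this refactor is meant to preserve. The fix is the one-character change `action == ADD ? "--insert" : "--delete", "FORWARD",`. A test that renders the REMOVE command line for each of the three helpers would catch this kind of asymmetry in future refactors.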