提交 3a0ca7de 编写于 作者: D Daniel P. Berrange

Introduce an object for managing firewall rulesets

The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.

This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
上级 89f244ba
...@@ -122,6 +122,7 @@ typedef enum { ...@@ -122,6 +122,7 @@ typedef enum {
VIR_FROM_SYSTEMD = 56, /* Error from systemd code */ VIR_FROM_SYSTEMD = 56, /* Error from systemd code */
VIR_FROM_BHYVE = 57, /* Error from bhyve driver */ VIR_FROM_BHYVE = 57, /* Error from bhyve driver */
VIR_FROM_CRYPTO = 58, /* Error from crypto code */ VIR_FROM_CRYPTO = 58, /* Error from crypto code */
VIR_FROM_FIREWALL = 59, /* Error from firewall */
# ifdef VIR_ENUM_SENTINELS # ifdef VIR_ENUM_SENTINELS
VIR_ERR_DOMAIN_LAST VIR_ERR_DOMAIN_LAST
......
...@@ -161,6 +161,7 @@ src/util/virdbus.c ...@@ -161,6 +161,7 @@ src/util/virdbus.c
src/util/virdnsmasq.c src/util/virdnsmasq.c
src/util/vireventpoll.c src/util/vireventpoll.c
src/util/virfile.c src/util/virfile.c
src/util/virfirewall.c
src/util/virhash.c src/util/virhash.c
src/util/virhook.c src/util/virhook.c
src/util/virhostdev.c src/util/virhostdev.c
......
...@@ -108,6 +108,8 @@ UTIL_SOURCES = \ ...@@ -108,6 +108,8 @@ UTIL_SOURCES = \
util/virevent.c util/virevent.h \ util/virevent.c util/virevent.h \
util/vireventpoll.c util/vireventpoll.h \ util/vireventpoll.c util/vireventpoll.h \
util/virfile.c util/virfile.h \ util/virfile.c util/virfile.h \
util/virfirewall.c util/virfirewall.h \
util/virfirewallpriv.h \
util/virhash.c util/virhash.h \ util/virhash.c util/virhash.h \
util/virhashcode.c util/virhashcode.h \ util/virhashcode.c util/virhashcode.h \
util/virhook.c util/virhook.h \ util/virhook.c util/virhook.h \
......
...@@ -1275,6 +1275,23 @@ virFileWriteStr; ...@@ -1275,6 +1275,23 @@ virFileWriteStr;
virFindFileInPath; virFindFileInPath;
# util/virfirewall.h
virFirewallAddRule;
virFirewallAddRuleFull;
virFirewallApply;
virFirewallFree;
virFirewallNew;
virFirewallRemoveRule;
virFirewallRuleAddArg;
virFirewallRuleAddArgFormat;
virFirewallRuleAddArgList;
virFirewallRuleAddArgSet;
virFirewallRuleGetArgCount;
virFirewallSetBackend;
virFirewallStartRollback;
virFirewallStartTransaction;
# util/virhash.h # util/virhash.h
virHashAddEntry; virHashAddEntry;
virHashCreate; virHashCreate;
......
...@@ -129,6 +129,7 @@ VIR_ENUM_IMPL(virErrorDomain, VIR_ERR_DOMAIN_LAST, ...@@ -129,6 +129,7 @@ VIR_ENUM_IMPL(virErrorDomain, VIR_ERR_DOMAIN_LAST,
"Systemd", "Systemd",
"Bhyve", "Bhyve",
"Crypto", "Crypto",
"Firewall",
) )
......
/*
* virfirewall.h: integration with firewalls
*
* Copyright (C) 2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
* Authors:
* Daniel P. Berrange <berrange@redhat.com>
*/
#ifndef __VIR_FIREWALL_H__
# define __VIR_FIREWALL_H__
# include "internal.h"
typedef struct _virFirewall virFirewall;
typedef virFirewall *virFirewallPtr;
typedef struct _virFirewallRule virFirewallRule;
typedef virFirewallRule *virFirewallRulePtr;
typedef enum {
VIR_FIREWALL_LAYER_ETHERNET,
VIR_FIREWALL_LAYER_IPV4,
VIR_FIREWALL_LAYER_IPV6,
VIR_FIREWALL_LAYER_LAST,
} virFirewallLayer;
virFirewallPtr virFirewallNew(void);
void virFirewallFree(virFirewallPtr firewall);
virFirewallRulePtr virFirewallAddRule(virFirewallPtr firewall,
virFirewallLayer layer,
...)
ATTRIBUTE_SENTINEL;
typedef int (*virFirewallQueryCallback)(virFirewallPtr firewall,
const char *const *lines,
void *opaque);
virFirewallRulePtr virFirewallAddRuleFull(virFirewallPtr firewall,
virFirewallLayer layer,
bool ignoreErrors,
virFirewallQueryCallback cb,
void *opaque,
...)
ATTRIBUTE_NONNULL(3) ATTRIBUTE_SENTINEL;
void virFirewallRemoveRule(virFirewallPtr firewall,
virFirewallRulePtr rule);
void virFirewallRuleAddArg(virFirewallPtr firewall,
virFirewallRulePtr rule,
const char *arg)
ATTRIBUTE_NONNULL(3);
void virFirewallRuleAddArgFormat(virFirewallPtr firewall,
virFirewallRulePtr rule,
const char *fmt, ...)
ATTRIBUTE_NONNULL(3) ATTRIBUTE_FMT_PRINTF(3, 4);
void virFirewallRuleAddArgSet(virFirewallPtr firewall,
virFirewallRulePtr rule,
const char *const *args)
ATTRIBUTE_NONNULL(3);
void virFirewallRuleAddArgList(virFirewallPtr firewall,
virFirewallRulePtr rule,
...)
ATTRIBUTE_SENTINEL;
size_t virFirewallRuleGetArgCount(virFirewallRulePtr rule);
typedef enum {
/* Ignore all errors when applying rules, so no
* rollback block will be required */
VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS = (1 << 0),
} virFirewallTransactionFlags;
void virFirewallStartTransaction(virFirewallPtr firewall,
unsigned int flags);
typedef enum {
/* Execute previous rollback block before this
* one, to chain cleanup */
VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS = (1 << 0),
} virFirewallRollbackFlags;
void virFirewallStartRollback(virFirewallPtr firewall,
unsigned int flags);
int virFirewallApply(virFirewallPtr firewall);
#endif /* __VIR_FIREWALL_H__ */
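Review bot: `ATTRIBUTE_NONNULL(3)` on virFirewallAddRuleFull points at `bool ignoreErrors`, which is not a pointer; GCC diagnoses a nonnull attribute that names a non-pointer argument, and it is unclear what was intended since argument 4 (the query callback) is presumably allowed to be NULL when the convenience wrapper virFirewallAddRule is used. Drop it so the declaration ends `...) ATTRIBUTE_SENTINEL;`, or, if the callback really is mandatory on this entry point, move it to argument 4 and say so in a comment. The header also documents none of the public API: virFirewallAddRule/virFirewallAddRuleFull should state who owns the returned virFirewallRulePtr (the firewall object, released by virFirewallFree or virFirewallRemoveRule, if that is what virfirewall.c does — it is collapsed here) and what `lines` the query callback receives, and virFirewallApply should state its return convention and whether a failed transaction triggers the preceding rollback block. A short comment on the virFirewallLayer values saying which tool each maps to would also help readers of the callers.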
/*
* virfirewallpriv.h: integration with firewalls private APIs
*
* Copyright (C) 2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
* Authors:
* Daniel P. Berrange <berrange@redhat.com>
*/
#ifndef __VIR_FIREWALL_PRIV_H_ALLOW__
# error "virfirewallpriv.h may only be included by virfirewall.c or test suites"
#endif
#ifndef __VIR_FIREWALL_PRIV_H__
# define __VIR_FIREWALL_PRIV_H__
# include "virfirewall.h"
# define VIR_FIREWALL_FIREWALLD_SERVICE "org.fedoraproject.FirewallD1"
typedef enum {
VIR_FIREWALL_BACKEND_AUTOMATIC,
VIR_FIREWALL_BACKEND_DIRECT,
VIR_FIREWALL_BACKEND_FIREWALLD,
VIR_FIREWALL_BACKEND_LAST,
} virFirewallBackend;
int virFirewallSetBackend(virFirewallBackend backend);
#endif /* __VIR_FIREWALL_PRIV_H__ */
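Review bot: The copyright line reads 2013 while the sibling virfirewall.h introduced by the same commit reads 2014; a new file should carry the year it was added. virFirewallSetBackend also has no comment on its contract: whether it may be called after rules have already been applied, and what a non-zero return means. A one-liner such as `/* Select the backend used by virFirewallApply; returns 0 on success, -1 on error */` would do, with the error convention confirmed against the collapsed virfirewall.c.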
...@@ -152,6 +152,7 @@ test_programs = virshtest sockettest \ ...@@ -152,6 +152,7 @@ test_programs = virshtest sockettest \
virpcitest \ virpcitest \
virendiantest \ virendiantest \
virfiletest \ virfiletest \
virfirewalltest \
viriscsitest \ viriscsitest \
virkeycodetest \ virkeycodetest \
virlockspacetest \ virlockspacetest \
...@@ -1006,6 +1007,11 @@ virfiletest_SOURCES = \ ...@@ -1006,6 +1007,11 @@ virfiletest_SOURCES = \
virfiletest.c testutils.h testutils.c virfiletest.c testutils.h testutils.c
virfiletest_LDADD = $(LDADDS) virfiletest_LDADD = $(LDADDS)
virfirewalltest_SOURCES = \
virfirewalltest.c testutils.h testutils.c
virfirewalltest_LDADD = $(LDADDS)
virfirewalltest_CFLAGS = $(AM_CFLAGS) $(DBUS_CFLAGS)
jsontest_SOURCES = \ jsontest_SOURCES = \
jsontest.c testutils.h testutils.c jsontest.c testutils.h testutils.c
jsontest_LDADD = $(LDADDS) jsontest_LDADD = $(LDADDS)
......
...@@ -459,10 +459,20 @@ int virtTestDifference(FILE *stream, ...@@ -459,10 +459,20 @@ int virtTestDifference(FILE *stream,
const char *expect, const char *expect,
const char *actual) const char *actual)
{ {
const char *expectStart = expect; const char *expectStart;
const char *expectEnd = expect + (strlen(expect)-1); const char *expectEnd;
const char *actualStart = actual; const char *actualStart;
const char *actualEnd = actual + (strlen(actual)-1); const char *actualEnd;
if (!expect)
expect = "";
if (!actual)
actual = "";
expectStart = expect;
expectEnd = expect + (strlen(expect)-1);
actualStart = actual;
actualEnd = actual + (strlen(actual)-1);
if (!virTestGetDebug()) if (!virTestGetDebug())
return 0; return 0;
......
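Review bot: The NULL-to-"" substitution added at the top of virtTestDifference makes `expectEnd = expect + (strlen(expect)-1)` compute `expect - 1` for an empty string: `strlen` returns 0, the `size_t` subtraction wraps, and the resulting pointer lies before the start of the object, which is undefined behaviour whatever the rest of the function (outside this hunk) later does with it. The same applies to `actualEnd`, and to a caller passing a genuinely empty string independent of the NULL case. Compute the lengths first and clamp the end pointers to the start when the length is zero; the loops further down will then need to tolerate expectEnd == expectStart. virtTestDifference continues past the end of the hunk.
```c
    /* … unchanged: NULL -> "" substitution for expect/actual … */
    size_t expectLen = strlen(expect);
    size_t actualLen = strlen(actual);
    expectStart = expect;
    expectEnd = expectLen ? expect + expectLen - 1 : expect;
    actualStart = actual;
    actualEnd = actualLen ? actual + actualLen - 1 : actual;
```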