Skip to content

L
libvirt

openeuler / libvirt

通知 3
Star 0
Fork 0
L
libvirt

体验新版 GitCode,发现更多精彩内容 >>

提交 4dd7eaa3 编写于 作者: D Daniel P. Berrange
浏览文件
操作

Push virNWFilterRuleInstPtr out of (eb|ip)tablesCreateRuleInstance 

Later refactoring will change use of the virNWFilterRuleInstPtr struct.
Prepare for this by pushing use of the virNWFilterRuleInstPtr parameter
out of the ebtablesCreateRuleInstance and iptablesCreateRuleInstance
methods. Instead they simply string(s) with the constructed rule data.
The ebiptablesCreateRuleInstance method will make use of the
virNWFilterRuleInstPtr struct instead.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
上级 23b1d0c0
隐藏空白更改
内联 并排
Showing with 125 addition and 84 deletion
src/nwfilter/nwfilter_ebiptables_driver.c
浏览文件 @ 4dd7eaa3
...@@ -1277,17 +1277,17 @@ iptablesEnforceDirection(bool directionIn, ...@@ -1277,17 +1277,17 @@ iptablesEnforceDirection(bool directionIn,
/* /*
* _iptablesCreateRuleInstance: * _iptablesCreateRuleInstance:
* @chainPrefix : The prefix to put in front of the name of the chain * @chainPrefix : The prefix to put in front of the name of the chain
* @nwfilter : The filter
* @rule: The rule of the filter to convert * @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to * @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve * @vars : A map containing the variables to resolve
* @res : The data structure to store the result(s) into
* @match : optional string for state match * @match : optional string for state match
* @accept_target : where to jump to on accepted traffic, i.e., "RETURN" * @accept_target : where to jump to on accepted traffic, i.e., "RETURN"
* "ACCEPT" * "ACCEPT"
* @isIPv6 : Whether this is an IPv6 rule * @isIPv6 : Whether this is an IPv6 rule
* @maySkipICMP : whether this rule may under certain circumstances skip * @maySkipICMP : whether this rule may under certain circumstances skip
* the ICMP rule from being created * the ICMP rule from being created
* @templates: pointer to array to store rule template
* @ntemplates: pointer to storage rule template count
* *
* Convert a single rule into its representation for later instantiation * Convert a single rule into its representation for later instantiation
* *
...@@ -1297,15 +1297,15 @@ iptablesEnforceDirection(bool directionIn, ...@@ -1297,15 +1297,15 @@ iptablesEnforceDirection(bool directionIn,
static int static int
_iptablesCreateRuleInstance(bool directionIn, _iptablesCreateRuleInstance(bool directionIn,
const char *chainPrefix, const char *chainPrefix,
virNWFilterDefPtr nwfilter,
virNWFilterRuleDefPtr rule, virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res,
const char *match, bool defMatch, const char *match, bool defMatch,
const char *accept_target, const char *accept_target,
bool isIPv6, bool isIPv6,
bool maySkipICMP) bool maySkipICMP,
char ***templates,
size_t *ntemplates)
{ {
char chain[MAX_CHAINNAME_LENGTH]; char chain[MAX_CHAINNAME_LENGTH];
char number[MAX(INT_BUFSIZE_BOUND(uint32_t), char number[MAX(INT_BUFSIZE_BOUND(uint32_t),
...@@ -1322,6 +1322,7 @@ _iptablesCreateRuleInstance(bool directionIn, ...@@ -1322,6 +1322,7 @@ _iptablesCreateRuleInstance(bool directionIn,
bool skipRule = false; bool skipRule = false;
bool skipMatch = false; bool skipMatch = false;
bool hasICMPType = false; bool hasICMPType = false;
char *template;
if (!iptables_cmd) { if (!iptables_cmd) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
...@@ -1732,14 +1733,13 @@ _iptablesCreateRuleInstance(bool directionIn, ...@@ -1732,14 +1733,13 @@ _iptablesCreateRuleInstance(bool directionIn,
final = &buf; final = &buf;
return ebiptablesAddRuleInst(res, template = virBufferContentAndReset(final);
virBufferContentAndReset(final), if (VIR_APPEND_ELEMENT(*templates, *ntemplates, template) < 0) {
nwfilter->chainsuffix, VIR_FREE(template);
nwfilter->chainPriority, return -1;
'\0', }
rule->priority,
(isIPv6) ? RT_IP6TABLES : RT_IPTABLES);
return 0;
err_exit: err_exit:
virBufferFreeAndReset(&buf); virBufferFreeAndReset(&buf);
...@@ -1775,12 +1775,12 @@ printStateMatchFlags(int32_t flags, char **bufptr) ...@@ -1775,12 +1775,12 @@ printStateMatchFlags(int32_t flags, char **bufptr)
} }
static int static int
iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter, iptablesCreateRuleInstanceStateCtrl(virNWFilterRuleDefPtr rule,
virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res, bool isIPv6,
bool isIPv6) char ***templates,
size_t *ntemplates)
{ {
int rc; int rc;
bool directionIn = false; bool directionIn = false;
...@@ -1816,15 +1816,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter, ...@@ -1816,15 +1816,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
if (create) { if (create) {
rc = _iptablesCreateRuleInstance(directionIn, rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, false, matchState, false,
"RETURN", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
VIR_FREE(matchState); VIR_FREE(matchState);
if (rc < 0) if (rc < 0)
...@@ -1848,15 +1848,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter, ...@@ -1848,15 +1848,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
if (create) { if (create) {
rc = _iptablesCreateRuleInstance(!directionIn, rc = _iptablesCreateRuleInstance(!directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, false, matchState, false,
"ACCEPT", "ACCEPT",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
VIR_FREE(matchState); VIR_FREE(matchState);
...@@ -1883,15 +1883,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter, ...@@ -1883,15 +1883,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn, rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, false, matchState, false,
"RETURN", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
VIR_FREE(matchState); VIR_FREE(matchState);
} }
...@@ -1900,12 +1900,12 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter, ...@@ -1900,12 +1900,12 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
static int static int
iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, iptablesCreateRuleInstance(virNWFilterRuleDefPtr rule,
virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res, bool isIPv6,
bool isIPv6) char ***templates,
size_t *ntemplates)
{ {
int rc; int rc;
bool directionIn = false; bool directionIn = false;
...@@ -1916,12 +1916,12 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ...@@ -1916,12 +1916,12 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
if (!(rule->flags & RULE_FLAG_NO_STATEMATCH) && if (!(rule->flags & RULE_FLAG_NO_STATEMATCH) &&
(rule->flags & IPTABLES_STATE_FLAGS)) { (rule->flags & IPTABLES_STATE_FLAGS)) {
return iptablesCreateRuleInstanceStateCtrl(nwfilter, return iptablesCreateRuleInstanceStateCtrl(rule,
rule,
ifname, ifname,
vars, vars,
res, isIPv6,
isIPv6); templates,
ntemplates);
} }
if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) || if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) ||
...@@ -1947,15 +1947,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ...@@ -1947,15 +1947,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn, rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, true, matchState, true,
"RETURN", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
if (rc < 0) if (rc < 0)
return rc; return rc;
...@@ -1969,15 +1969,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ...@@ -1969,15 +1969,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
rc = _iptablesCreateRuleInstance(!directionIn, rc = _iptablesCreateRuleInstance(!directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, true, matchState, true,
"ACCEPT", "ACCEPT",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
if (rc < 0) if (rc < 0)
return rc; return rc;
...@@ -1991,15 +1991,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ...@@ -1991,15 +1991,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP; chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn, rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix, chainPrefix,
nwfilter,
rule, rule,
ifname, ifname,
vars, vars,
res,
matchState, true, matchState, true,
"RETURN", "RETURN",
isIPv6, isIPv6,
maySkipICMP); maySkipICMP,
templates,
ntemplates);
return rc; return rc;
} }
...@@ -2010,12 +2010,13 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ...@@ -2010,12 +2010,13 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
/* /*
* ebtablesCreateRuleInstance: * ebtablesCreateRuleInstance:
* @chainPrefix : The prefix to put in front of the name of the chain * @chainPrefix : The prefix to put in front of the name of the chain
* @nwfilter : The filter * @chainSuffix: The suffix to put on the end of the name of the chain
* @rule: The rule of the filter to convert * @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to * @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve * @vars : A map containing the variables to resolve
* @res : The data structure to store the result(s) into
* @reverse : Whether to reverse src and dst attributes * @reverse : Whether to reverse src and dst attributes
* @templates: pointer to array to store rule template
* @ntemplates: pointer to storage rule template count
* *
* Convert a single rule into its representation for later instantiation * Convert a single rule into its representation for later instantiation
* *
...@@ -2024,12 +2025,12 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ...@@ -2024,12 +2025,12 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
*/ */
static int static int
ebtablesCreateRuleInstance(char chainPrefix, ebtablesCreateRuleInstance(char chainPrefix,
virNWFilterDefPtr nwfilter, const char *chainSuffix,
virNWFilterRuleDefPtr rule, virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res, bool reverse,
bool reverse) char **template)
{ {
char macaddr[VIR_MAC_STRING_BUFLEN], char macaddr[VIR_MAC_STRING_BUFLEN],
ipaddr[INET_ADDRSTRLEN], ipaddr[INET_ADDRSTRLEN],
...@@ -2043,6 +2044,8 @@ ebtablesCreateRuleInstance(char chainPrefix, ...@@ -2043,6 +2044,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
const char *target; const char *target;
bool hasMask = false; bool hasMask = false;
*template = NULL;
if (!ebtables_cmd_path) { if (!ebtables_cmd_path) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("cannot create rule since ebtables tool is " _("cannot create rule since ebtables tool is "
...@@ -2050,13 +2053,13 @@ ebtablesCreateRuleInstance(char chainPrefix, ...@@ -2050,13 +2053,13 @@ ebtablesCreateRuleInstance(char chainPrefix,
goto err_exit; goto err_exit;
} }
if (STREQ(nwfilter->chainsuffix, if (STREQ(chainSuffix,
virNWFilterChainSuffixTypeToString( virNWFilterChainSuffixTypeToString(
VIR_NWFILTER_CHAINSUFFIX_ROOT))) VIR_NWFILTER_CHAINSUFFIX_ROOT)))
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
else else
PRINT_CHAIN(chain, chainPrefix, ifname, PRINT_CHAIN(chain, chainPrefix, ifname,
nwfilter->chainsuffix); chainSuffix);
switch (rule->prtclType) { switch (rule->prtclType) {
...@@ -2620,13 +2623,8 @@ ebtablesCreateRuleInstance(char chainPrefix, ...@@ -2620,13 +2623,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
return -1; return -1;
} }
return ebiptablesAddRuleInst(res, *template = virBufferContentAndReset(&buf);
virBufferContentAndReset(&buf), return 0;
nwfilter->chainsuffix,
nwfilter->chainPriority,
chainPrefix,
rule->priority,
RT_EBTABLES);
err_exit: err_exit:
virBufferFreeAndReset(&buf); virBufferFreeAndReset(&buf);
...@@ -2637,7 +2635,8 @@ ebtablesCreateRuleInstance(char chainPrefix, ...@@ -2637,7 +2635,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
/* /*
* ebiptablesCreateRuleInstance: * ebiptablesCreateRuleInstance:
* @nwfilter : The filter * @chainPriority : The priority of the chain
* @chainSuffix: The suffix to put on the end of the name of the chain
* @rule: The rule of the filter to convert * @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to * @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve * @vars : A map containing the variables to resolve
...@@ -2649,40 +2648,66 @@ ebtablesCreateRuleInstance(char chainPrefix, ...@@ -2649,40 +2648,66 @@ ebtablesCreateRuleInstance(char chainPrefix,
* pointed to by res, -1 otherwise * pointed to by res, -1 otherwise
*/ */
static int static int
ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ebiptablesCreateRuleInstance(virNWFilterChainPriority chainPriority,
const char *chainSuffix,
virNWFilterRuleDefPtr rule, virNWFilterRuleDefPtr rule,
const char *ifname, const char *ifname,
virNWFilterVarCombIterPtr vars, virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res) virNWFilterRuleInstPtr res)
{ {
int rc = 0;
if (virNWFilterRuleIsProtocolEthernet(rule)) { if (virNWFilterRuleIsProtocolEthernet(rule)) {
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT || if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) { rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
rc = ebtablesCreateRuleInstance(CHAINPREFIX_HOST_IN_TEMP, char *template;
nwfilter, if (ebtablesCreateRuleInstance(CHAINPREFIX_HOST_IN_TEMP,
rule, chainSuffix,
ifname, rule,
vars, ifname,
res, vars,
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT); rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT,
if (rc < 0) &template) < 0)
return rc; return -1;
if (ebiptablesAddRuleInst(res,
template,
chainSuffix,
chainPriority,
CHAINPREFIX_HOST_IN_TEMP,
rule->priority,
RT_EBTABLES) < 0) {
VIR_FREE(template);
return -1;
}
} }
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN || if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) { rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
rc = ebtablesCreateRuleInstance(CHAINPREFIX_HOST_OUT_TEMP, char *template;
nwfilter, if (ebtablesCreateRuleInstance(CHAINPREFIX_HOST_OUT_TEMP,
rule, chainSuffix,
ifname, rule,
vars, ifname,
res, vars,
false); false,
&template) < 0)
return -1;
if (ebiptablesAddRuleInst(res,
template,
chainSuffix,
chainPriority,
CHAINPREFIX_HOST_OUT_TEMP,
rule->priority,
RT_EBTABLES) < 0) {
VIR_FREE(template);
return -1;
}
} }
} else { } else {
bool isIPv6; bool isIPv6;
char **templates = NULL;
size_t ntemplates = 0;
size_t i, j;
if (virNWFilterRuleIsProtocolIPv6(rule)) { if (virNWFilterRuleIsProtocolIPv6(rule)) {
isIPv6 = true; isIPv6 = true;
} else if (virNWFilterRuleIsProtocolIPv4(rule)) { } else if (virNWFilterRuleIsProtocolIPv4(rule)) {
...@@ -2693,15 +2718,30 @@ ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, ...@@ -2693,15 +2718,30 @@ ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
return -1; return -1;
} }
rc = iptablesCreateRuleInstance(nwfilter, if (iptablesCreateRuleInstance(rule,
rule, ifname,
ifname, vars,
vars, isIPv6,
res, &templates,
isIPv6); &ntemplates) < 0)
return -1;
for (i = 0; i < ntemplates; i++) {
if (ebiptablesAddRuleInst(res,
templates[i],
chainSuffix,
chainPriority,
'\0',
rule->priority,
(isIPv6) ? RT_IP6TABLES : RT_IPTABLES) < 0) {
for (j = i; j < ntemplates; j++)
VIR_FREE(templates[j]);
return -1;
}
}
} }
return rc; return 0;
} }
static int static int
...@@ -2724,7 +2764,8 @@ ebiptablesCreateRuleInstanceIterate(virNWFilterDefPtr nwfilter, ...@@ -2724,7 +2764,8 @@ ebiptablesCreateRuleInstanceIterate(virNWFilterDefPtr nwfilter,
return -1; return -1;
do { do {
rc = ebiptablesCreateRuleInstance(nwfilter, rc = ebiptablesCreateRuleInstance(nwfilter->chainPriority,
nwfilter->chainsuffix,
rule, rule,
ifname, ifname,
tmp, tmp,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册