From c8f4dcca6a25f749303569b9ac9490fe66d176b8 Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Tue, 20 Apr 2010 17:07:15 -0400
Subject: [PATCH] Extend fwall-drv interface and call functions via interface

I am moving some of the eb/iptables related functions into the interface of the firewall driver and am making them only accessible via the driver's interface. Otherwise exsiting code is adapted where needed.

I am adding one new function to the interface that checks whether the 'basic' rules can be applied, which will then be used by a subsequent patch.

---
 src/conf/nwfilter_conf.h                  | 16 +++++++++++++++
 src/nwfilter/nwfilter_ebiptables_driver.c | 24 ++++++++++++++++++++---
 src/nwfilter/nwfilter_ebiptables_driver.h |  8 --------
 src/nwfilter/nwfilter_gentech_driver.c    |  3 ++-
 src/nwfilter/nwfilter_learnipaddr.c       | 24 +++++++++++++----------
 src/nwfilter/nwfilter_learnipaddr.h       |  4 +++-
 6 files changed, 56 insertions(+), 23 deletions(-)

diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 8b6b4f25bc..f8ce834d0d 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -487,6 +487,17 @@ typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
 typedef int (*virNWFilterRuleDisplayInstanceData)(virConnectPtr conn,
                                                    void *_inst);
+typedef int (*virNWFilterCanApplyBasicRules)(void);
+
+typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
+                                          const unsigned char *macaddr);
+
+typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
+                                             const unsigned char *macaddr,
+                                             const char *dhcpserver);
+
+typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
+
 enum techDrvFlags {
     TECHDRV_FLAG_INITIALIZED = (1 << 0),
 };
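Review bot: The four new function-pointer typedefs in the `@@ -487` hunk state no return convention, and the two conventions in play differ: the caller in nwfilter_learnipaddr.c treats a non-zero result from the apply callbacks as failure (`if (techdriver->applyDHCPOnlyRules(...)) goto err_free_ht;`), whereas the ebiptables implementation of `canApplyBasicRules` returns non-zero to mean "yes". A comment above the block would keep the next driver author from inverting one of them, e.g. `/* canApplyBasicRules: non-zero if the basic rules can be applied. The apply/remove callbacks return 0 on success, non-zero on failure. */`. It would also help to say whether `dhcpserver` may be NULL, since the learn-IP caller passes NULL for it.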
@@ -506,6 +517,11 @@ struct _virNWFilterTechDriver {
     virNWFilterRuleAllTeardown allTeardown;
     virNWFilterRuleFreeInstanceData freeRuleInstance;
     virNWFilterRuleDisplayInstanceData displayRuleInstance;
+
+    virNWFilterCanApplyBasicRules canApplyBasicRules;
+    virNWFilterApplyBasicRules applyBasicRules;
+    virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
+    virNWFilterRemoveBasicRules removeBasicRules;
 };
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index eef9e5245f..2bae2dc3f7 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -98,6 +98,7 @@ static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
 #define MATCH_PHYSDEV_OUT m_physdev_out_str
+static int ebtablesRemoveBasicRules(const char *ifname);
 static int ebiptablesDriverInit(void);
 static void ebiptablesDriverShutdown(void);
@@ -2577,6 +2578,18 @@ ebiptablesInstCommand(virBufferPtr buf,
 }
+/**
+ * ebiptablesCanApplyBasicRules
+ *
+ * Determine whether this driver can apply the basic rules, meaning
+ * run ebtablesApplyBasicRules and ebtablesApplyDHCPOnlyRules.
+ * In case of this driver we need the ebtables tool available.
+ */
+static int
+ebiptablesCanApplyBasicRules(void) {
+    return (ebtables_cmd_path != NULL);
+}
+
 /**
  * ebtablesApplyBasicRules
  *
@@ -2591,7 +2604,7 @@ ebiptablesInstCommand(virBufferPtr buf,
  * - filtering for MAC address spoofing
  * - allowing IPv4 & ARP traffic
  */
-int
+static int
 ebtablesApplyBasicRules(const char *ifname,
                         const unsigned char *macaddr)
 {
@@ -2685,7 +2698,7 @@ tear_down_tmpebchains:
  * Apply filtering rules so that the VM can only send and receive
  * DHCP traffic and nothing else.
  */
-int
+static int
 ebtablesApplyDHCPOnlyRules(const char *ifname,
                            const unsigned char *macaddr,
                            const char *dhcpserver)
@@ -2794,7 +2807,7 @@ tear_down_tmpebchains:
 }
-int
+static int
 ebtablesRemoveBasicRules(const char *ifname)
 {
     virBuffer buf = VIR_BUFFER_INITIALIZER;
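Review bot: The header comment of `ebiptablesCanApplyBasicRules` in the `@@ -2577` hunk names only ebtablesApplyBasicRules and ebtablesApplyDHCPOnlyRules, but the same ebtables dependency covers `ebtablesRemoveBasicRules`, which this patch also routes through the driver as `removeBasicRules` and which the learn thread calls on teardown; I would extend the line to `* run ebtablesApplyBasicRules, ebtablesApplyDHCPOnlyRules and ebtablesRemoveBasicRules.`. Note also that nothing in this patch consults the new predicate (the commit message defers that), so until the follow-up lands the apply callbacks can still be invoked with `ebtables_cmd_path == NULL`; how they behave in that case is not visible in these hunks, so it is worth confirming they fail rather than silently leave the interface unfiltered while the IP is being learned. The bodies of the three ebtables functions continue outside the hunks.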
@@ -3188,6 +3201,11 @@ virNWFilterTechDriver ebiptables_driver = {
     .removeRules = ebiptablesRemoveRules,
     .freeRuleInstance = ebiptablesFreeRuleInstance,
     .displayRuleInstance = ebiptablesDisplayRuleInstance,
+
+    .canApplyBasicRules = ebiptablesCanApplyBasicRules,
+    .applyBasicRules = ebtablesApplyBasicRules,
+    .applyDHCPOnlyRules = ebtablesApplyDHCPOnlyRules,
+    .removeBasicRules = ebtablesRemoveBasicRules,
 };
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.h b/src/nwfilter/nwfilter_ebiptables_driver.h
index 4129d05d8d..d99de3b719 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.h
+++ b/src/nwfilter/nwfilter_ebiptables_driver.h
@@ -45,12 +45,4 @@ extern virNWFilterTechDriver ebiptables_driver;
 # define EBIPTABLES_DRIVER_ID "ebiptables"
-
-int ebtablesApplyBasicRules(const char *ifname,
-                            const unsigned char *macaddr);
-int ebtablesApplyDHCPOnlyRules(const char *ifname,
-                               const unsigned char *macaddr,
-                               const char *dhcpServer);
-int ebtablesRemoveBasicRules(const char *ifname);
-
 #endif
diff --git a/src/nwfilter/nwfilter_gentech_driver.c b/src/nwfilter/nwfilter_gentech_driver.c
index d5a16934ea..2457fd6922 100644
--- a/src/nwfilter/nwfilter_gentech_driver.c
+++ b/src/nwfilter/nwfilter_gentech_driver.c
@@ -593,7 +593,8 @@ virNWFilterInstantiate(virConnectPtr conn,
     if (virHashLookup(missing_vars->hashTable, NWFILTER_STD_VAR_IP) != NULL) {
         if (virNWFilterLookupLearnReq(ifname) == NULL) {
-            rc = virNWFilterLearnIPAddress(ifname,
+            rc = virNWFilterLearnIPAddress(techdriver,
+                                           ifname,
                                            linkdev,
                                            nettype,
                                            macaddr,
                                            filter->name,
diff --git a/src/nwfilter/nwfilter_learnipaddr.c b/src/nwfilter/nwfilter_learnipaddr.c
index bd4f3a56a2..7d6422b7a6 100644
--- a/src/nwfilter/nwfilter_learnipaddr.c
+++ b/src/nwfilter/nwfilter_learnipaddr.c
@@ -293,6 +293,7 @@ learnIPAddressThread(void *arg)
     char *filter= NULL;
     uint16_t etherType;
     enum howDetect howDetected = 0;
+    virNWFilterTechDriverPtr techdriver = req->techdriver;
     req->status = 0;
@@ -458,7 +459,7 @@ learnIPAddressThread(void *arg)
     if (handle)
         pcap_close(handle);
-    ebtablesRemoveBasicRules(req->ifname);
+    techdriver->removeBasicRules(req->ifname);
     if (req->status == 0) {
         int ret;
@@ -493,7 +494,7 @@ learnIPAddressThread(void *arg)
 /**
  * virNWFilterLearnIPAddress
- * @conn: pointer to virConnect object
+ * @techdriver : driver to build firewalls
  * @ifname: the name of the interface
  * @linkdev : the name of the link device; currently only used in case of a
  *            macvtap device
@@ -513,7 +514,8 @@ learnIPAddressThread(void *arg)
  * firewall rules on the interface.
  */
 int
-virNWFilterLearnIPAddress(const char *ifname,
+virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
+                          const char *ifname,
                           const char *linkdev,
                           enum virDomainNetType nettype,
                           const unsigned char *macaddr,
@@ -569,6 +571,7 @@ virNWFilterLearnIPAddress(const char *ifname,
     req->filterparams = ht;
     ht = NULL;
     req->howDetect = howDetect;
+    req->techdriver = techdriver;
     rc = virNWFilterRegisterLearnReq(req);
@@ -577,14 +580,14 @@ virNWFilterLearnIPAddress(const char *ifname,
     switch (howDetect) {
     case DETECT_DHCP:
-        if (ebtablesApplyDHCPOnlyRules(ifname,
-                                       macaddr,
-                                       NULL))
+        if (techdriver->applyDHCPOnlyRules(ifname,
+                                           macaddr,
+                                           NULL))
             goto err_free_ht;
     break;
     default:
-        if (ebtablesApplyBasicRules(ifname,
-                                    macaddr))
+        if (techdriver->applyBasicRules(ifname,
+                                        macaddr))
             goto err_free_ht;
     }
@@ -598,7 +601,7 @@ virNWFilterLearnIPAddress(const char *ifname,
     return 0;
 err_remove_rules:
-    ebtablesRemoveBasicRules(ifname);
+    techdriver->removeBasicRules(ifname);
 err_free_ht:
     virNWFilterHashTableFree(ht);
 err_no_ht:
@@ -610,7 +613,8 @@ err_no_req:
 #else
 int
-virNWFilterLearnIPAddress(const char *ifname ATTRIBUTE_UNUSED,
+virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
+                          const char *ifname ATTRIBUTE_UNUSED,
                           const char *linkdev ATTRIBUTE_UNUSED,
                           enum virDomainNetType nettype ATTRIBUTE_UNUSED,
                           const unsigned char *macaddr ATTRIBUTE_UNUSED,
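Review bot: In the `@@ -577` hunk virNWFilterLearnIPAddress now calls through `techdriver->applyDHCPOnlyRules` / `techdriver->applyBasicRules`, and later `techdriver->removeBasicRules` both here and from the learn thread in the `@@ -458` hunk, without ever checking that those members are set or that the driver's new `canApplyBasicRules` says yes; the struct members are plain function pointers, so a driver that leaves them NULL would crash the daemon on this path rather than fail the request. Since these rules are what confines the interface to DHCP-only or anti-spoofing traffic while the address is being learned, the failure mode should be the existing error return, not a NULL dereference: before the `switch (howDetect)` add `if (!techdriver->applyBasicRules || !techdriver->applyDHCPOnlyRules || !techdriver->removeBasicRules) goto err_free_ht;` (or the label the apply failure path already uses at that point). The commit message defers wiring up `canApplyBasicRules` to a later patch, so I only ask for the pointer guard here. virNWFilterLearnIPAddress's body extends outside these hunks, so the exact cleanup label needs checking against the full function.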
diff --git a/src/nwfilter/nwfilter_learnipaddr.h b/src/nwfilter/nwfilter_learnipaddr.h
index ffdd342a95..5fd8119f8b 100644
--- a/src/nwfilter/nwfilter_learnipaddr.h
+++ b/src/nwfilter/nwfilter_learnipaddr.h
@@ -33,6 +33,7 @@ enum howDetect {
 typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq;
 typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr;
 struct _virNWFilterIPAddrLearnReq {
+    virNWFilterTechDriverPtr techdriver;
     char ifname[IF_NAMESIZE];
     char linkdev[IF_NAMESIZE];
     enum virDomainNetType nettype;
@@ -46,7 +47,8 @@ struct _virNWFilterIPAddrLearnReq {
     pthread_t thread;
 };
-int virNWFilterLearnIPAddress(const char *ifname,
+int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
+                              const char *ifname,
                               const char *linkdev,
                               enum virDomainNetType nettype,
                               const unsigned char *macaddr,
-- 
GitLab
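Review bot: The new `techdriver` member added to `struct _virNWFilterIPAddrLearnReq` in the `@@ -33` hunk has no comment on ownership or lifetime, yet it is the one field the detached learn thread dereferences after the request is registered (`techdriver->removeBasicRules(req->ifname)` in learnIPAddressThread). Nothing in the patch copies or frees the driver, so it is a borrowed pointer that must stay valid for the whole life of the request; with the only driver in view being the file-scope `ebiptables_driver` that holds today, but the header should say so for future drivers. I would annotate the field: `virNWFilterTechDriverPtr techdriver; /* borrowed, not freed with the request; must outlive it, the learn thread calls through it */`.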