提交 f3531a04 编写于 作者: N Natanael Copa 提交者: Eric Blake

util: refactor iptables command construction into multiple steps

Instead of creating an iptables command in one shot, do it in steps
so we can add conditional options like physdev and protocol.

This removes code duplication while keeping existing behaviour.
Signed-off-by: NNatanael Copa <ncopa@alpinelinux.org>
Signed-off-by: NEric Blake <eblake@redhat.com>
上级 66d9bc00
/* /*
* viriptables.c: helper APIs for managing iptables * viriptables.c: helper APIs for managing iptables
* *
* Copyright (C) 2007-2012 Red Hat, Inc. * Copyright (C) 2007-2013 Red Hat, Inc.
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public * modify it under the terms of the GNU Lesser General Public
...@@ -129,15 +129,10 @@ iptRulesNew(const char *table, ...@@ -129,15 +129,10 @@ iptRulesNew(const char *table,
return NULL; return NULL;
} }
static int ATTRIBUTE_SENTINEL static virCommandPtr
iptablesAddRemoveRule(iptRules *rules, int family, int action, iptablesCommandNew(iptRules *rules, int family, int action)
const char *arg, ...)
{ {
va_list args;
int ret;
virCommandPtr cmd = NULL; virCommandPtr cmd = NULL;
const char *s;
#if HAVE_FIREWALLD #if HAVE_FIREWALLD
virIpTablesInitialize(); virIpTablesInitialize();
if (firewall_cmd_path) { if (firewall_cmd_path) {
...@@ -154,16 +149,36 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action, ...@@ -154,16 +149,36 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action,
virCommandAddArgList(cmd, "--table", rules->table, virCommandAddArgList(cmd, "--table", rules->table,
action == ADD ? "--insert" : "--delete", action == ADD ? "--insert" : "--delete",
rules->chain, arg, NULL); rules->chain, NULL);
return cmd;
}
static int
iptablesCommandRunAndFree(virCommandPtr cmd)
{
int ret;
ret = virCommandRun(cmd, NULL);
virCommandFree(cmd);
return ret;
}
static int ATTRIBUTE_SENTINEL
iptablesAddRemoveRule(iptRules *rules, int family, int action,
const char *arg, ...)
{
va_list args;
virCommandPtr cmd = NULL;
const char *s;
cmd = iptablesCommandNew(rules, family, action);
virCommandAddArg(cmd, arg);
va_start(args, arg); va_start(args, arg);
while ((s = va_arg(args, const char *))) while ((s = va_arg(args, const char *)))
virCommandAddArg(cmd, s); virCommandAddArg(cmd, s);
va_end(args); va_end(args);
ret = virCommandRun(cmd, NULL); return iptablesCommandRunAndFree(cmd);
virCommandFree(cmd);
return ret;
} }
/** /**
...@@ -372,28 +387,24 @@ iptablesForwardAllowOut(iptablesContext *ctx, ...@@ -372,28 +387,24 @@ iptablesForwardAllowOut(iptablesContext *ctx,
{ {
int ret; int ret;
char *networkstr; char *networkstr;
virCommandPtr cmd = NULL;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1; return -1;
if (physdev && physdev[0]) { cmd = iptablesCommandNew(ctx->forward_filter,
ret = iptablesAddRemoveRule(ctx->forward_filter, VIR_SOCKET_ADDR_FAMILY(netaddr),
VIR_SOCKET_ADDR_FAMILY(netaddr), action);
action, virCommandAddArgList(cmd,
"--source", networkstr, "--source", networkstr,
"--in-interface", iface, "--in-interface", iface, NULL);
"--out-interface", physdev,
"--jump", "ACCEPT", if (physdev && physdev[0])
NULL); virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
} else {
ret = iptablesAddRemoveRule(ctx->forward_filter, virCommandAddArgList(cmd, "--jump", "ACCEPT", NULL);
VIR_SOCKET_ADDR_FAMILY(netaddr),
action, ret = iptablesCommandRunAndFree(cmd);
"--source", networkstr,
"--in-interface", iface,
"--jump", "ACCEPT",
NULL);
}
VIR_FREE(networkstr); VIR_FREE(networkstr);
return ret; return ret;
} }
...@@ -799,6 +810,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, ...@@ -799,6 +810,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
{ {
int ret; int ret;
char *networkstr; char *networkstr;
virCommandPtr cmd = NULL;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1; return -1;
...@@ -812,49 +824,23 @@ iptablesForwardMasquerade(iptablesContext *ctx, ...@@ -812,49 +824,23 @@ iptablesForwardMasquerade(iptablesContext *ctx,
return -1; return -1;
} }
if (protocol && protocol[0]) { cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action);
if (physdev && physdev[0]) { virCommandAddArgList(cmd, "--source", networkstr, NULL);
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
AF_INET, if (protocol && protocol[0])
action, virCommandAddArgList(cmd, "-p", protocol, NULL);
"--source", networkstr,
"-p", protocol, virCommandAddArgList(cmd, "!", "--destination", networkstr, NULL);
"!", "--destination", networkstr,
"--out-interface", physdev, if (physdev && physdev[0])
"--jump", "MASQUERADE", virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
"--to-ports", "1024-65535",
NULL); virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL);
} else {
ret = iptablesAddRemoveRule(ctx->nat_postrouting, if (protocol && protocol[0])
AF_INET, virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL);
action,
"--source", networkstr, ret = iptablesCommandRunAndFree(cmd);
"-p", protocol,
"!", "--destination", networkstr,
"--jump", "MASQUERADE",
"--to-ports", "1024-65535",
NULL);
}
} else {
if (physdev && physdev[0]) {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
AF_INET,
action,
"--source", networkstr,
"!", "--destination", networkstr,
"--out-interface", physdev,
"--jump", "MASQUERADE",
NULL);
} else {
ret = iptablesAddRemoveRule(ctx->nat_postrouting,
AF_INET,
action,
"--source", networkstr,
"!", "--destination", networkstr,
"--jump", "MASQUERADE",
NULL);
}
}
VIR_FREE(networkstr); VIR_FREE(networkstr);
return ret; return ret;
} }
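Review bot: The two new static helpers `iptablesCommandNew` and `iptablesCommandRunAndFree` (second hunk) carry no comment stating the ownership contract that every later caller in this commit relies on: the command returned by `iptablesCommandNew` must end up in `iptablesCommandRunAndFree`, which frees it on every path and returns `virCommandRun`'s result. I would add above the first helper `/* Build an iptables command with table, action and chain already set; the caller appends the rule arguments and must hand it to iptablesCommandRunAndFree() (or virCommandFree()). */` and above the second `/* Run cmd and free it regardless of the outcome; returns virCommandRun's result. */`. None of the callers (iptablesAddRemoveRule here, and iptablesForwardAllowOut and iptablesForwardMasquerade in the later hunks, both of whose signatures start outside their hunks) checks the returned cmd for NULL before calling virCommandAddArg/virCommandAddArgList on it, so the comment should also record whether the virCommand API is expected to tolerate a NULL command — it appears to in libvirt, but that assumption is now load-bearing and should be confirmed rather than implied.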
......