util: refactor iptables APIs to share more code

Most of the iptables APIs share code for the add/delete paths, but a
couple were separated. Merge the remaining APIs to facilitate future
changes.

Reviewed-by: Laine Stump <laine@laine.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2018-10-31 18:51:34 +00:00
parent 84e7d8f461
commit 2deb74f1fe
1 changed files with 42 additions and 31 deletions


@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
}
static void
iptablesForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
action == ADD ? "--insert" : "--delete", "FORWARD",
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
}
/**
* iptablesAddForwardAllowCross:
* @ctx: pointer to the IP table context
@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
"--insert", "FORWARD",
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
NULL);
iptablesForwardAllowCross(fw, layer, iface, ADD);
}
/**
@ -535,13 +544,21 @@ void
iptablesRemoveForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
iptablesForwardAllowCross(fw, layer, iface, REMOVE);
}
static void
iptablesForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
"--delete", "FORWARD",
action == ADD ? "--insert" : "delete", "FORWARD",
"--in-interface", iface,
"--out-interface", iface,
"--jump", "ACCEPT",
"--jump", "REJECT",
NULL);
}
@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
"--insert", "FORWARD",
"--in-interface", iface,
"--jump", "REJECT",
NULL);
iptablesForwardRejectOut(fw, layer, iface, ADD);
}
/**
@ -582,16 +594,25 @@ void
iptablesRemoveForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
iptablesForwardRejectOut(fw, layer, iface, REMOVE);
}
static void
iptablesForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface,
int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
"--delete", "FORWARD",
"--in-interface", iface,
action == ADD ? "--insert" : "--delete", "FORWARD",
"--out-interface", iface,
"--jump", "REJECT",
NULL);
}
/**
* iptablesAddForwardRejectIn:
* @ctx: pointer to the IP table context
@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
"--insert", "FORWARD",
"--out-interface", iface,
"--jump", "REJECT",
NULL);
iptablesForwardRejectIn(fw, layer, iface, ADD);
}
/**
@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
"--delete", "FORWARD",
"--out-interface", iface,
"--jump", "REJECT",
NULL);
iptablesForwardRejectIn(fw, layer, iface, REMOVE);
}
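Review bot: In the iptablesForwardRejectOut hunk (-535,13 +544,21) the REMOVE branch of the new conditional passes the bare word `delete` instead of the `--delete` option, so iptablesRemoveForwardRejectOut now builds `iptables --table filter delete FORWARD ...`, which is not a valid iptables invocation; the three sibling helpers in this same commit spell it `--delete`. The line should read `action == ADD ? "--insert" : "--delete", "FORWARD",`. The practical effect is that the REJECT rule on the FORWARD chain for the given in-interface is never removed on the delete path and stays behind after teardown; whether the failed command is surfaced as an error or only logged depends on virFirewall code outside this diff. A test that renders the argv for the REMOVE case of each of the four merged helpers would have caught this and would guard the remaining add/delete merges the description anticipates.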