openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

util: pass layer into firewall query callback 

Some of the query callbacks want to know the firewall layer that was
being used for triggering the query to avoid duplicating that data.

Reviewed-by: Laine Stump <laine@laine.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2018-12-04 16:33:28 +00:00
parent 0fc746aa54
commit b092a4357d
4 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/nwfilter/nwfilter_ebiptables_driver.c
View File

@ -2701,6 +2701,7 @@ ebtablesCreateTmpSubChainFW(virFirewallPtr fw,
static int
ebtablesRemoveSubChainsQuery(virFirewallPtr fw,
virFirewallLayer layer,
const char *const *lines,
void *opaque)
{
@ -2717,14 +2718,14 @@ ebtablesRemoveSubChainsQuery(virFirewallPtr fw,
if (tmp[0] == chainprefixes[j] &&
tmp[1] == '-') {
VIR_DEBUG("Processing chain '%s'", tmp);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
virFirewallAddRuleFull(fw, layer,
false, ebtablesRemoveSubChainsQuery,
(void *)chainprefixes,
"-t", "nat", "-L", tmp, NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
virFirewallAddRuleFull(fw, layer,
true, NULL, NULL,
"-t", "nat", "-F", tmp, NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
virFirewallAddRuleFull(fw, layer,
true, NULL, NULL,
"-t", "nat", "-X", tmp, NULL);
}
@ -2802,6 +2803,7 @@ ebtablesRenameTmpRootChainFW(virFirewallPtr fw,
static int
ebtablesRenameTmpSubAndRootChainsQuery(virFirewallPtr fw,
virFirewallLayer layer,
const char *const *lines,
void *opaque ATTRIBUTE_UNUSED)
{
@ -2826,17 +2828,17 @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewallPtr fw,
else
newchain[0] = CHAINPREFIX_HOST_OUT;
VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
virFirewallAddRuleFull(fw, layer,
false, ebtablesRenameTmpSubAndRootChainsQuery,
NULL,
"-t", "nat", "-L", tmp, NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
virFirewallAddRuleFull(fw, layer,
true, NULL, NULL,
"-t", "nat", "-F", newchain, NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
virFirewallAddRuleFull(fw, layer,
true, NULL, NULL,
"-t", "nat", "-X", newchain, NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
virFirewallAddRule(fw, layer,
"-t", "nat", "-E", tmp, newchain, NULL);
}
@ -3758,6 +3760,7 @@ ebiptablesDriverProbeCtdir(void)
static int
ebiptablesDriverProbeStateMatchQuery(virFirewallPtr fw ATTRIBUTE_UNUSED,
virFirewallLayer layer ATTRIBUTE_UNUSED,
const char *const *lines,
void *opaque)
{

2
src/util/virfirewall.c
View File

@ -824,7 +824,7 @@ virFirewallApplyRule(virFirewallPtr firewall,
return -1;
VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output);
if (rule->queryCB(firewall, (const char *const *)lines, rule->queryOpaque) < 0)
if (rule->queryCB(firewall, rule->layer, (const char *const *)lines, rule->queryOpaque) < 0)
return -1;
if (firewall->err == ENOMEM) {

1
src/util/virfirewall.h
View File

@ -56,6 +56,7 @@ void virFirewallFree(virFirewallPtr firewall);
virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_ARGS__)
typedef int (*virFirewallQueryCallback)(virFirewallPtr firewall,
virFirewallLayer layer,
const char *const *lines,
void *opaque);

3
tests/virfirewalltest.c
View File

@ -990,11 +990,12 @@ testFirewallQueryHook(const char *const*args,
static int
testFirewallQueryCallback(virFirewallPtr fw,
virFirewallLayer layer,
const char *const *lines,
void *opaque ATTRIBUTE_UNUSED)
{
size_t i;
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
virFirewallAddRule(fw, layer,
"-A", "INPUT",
"--source-host", "!192.168.122.129",
"--jump", "REJECT", NULL);