Previously, when we supported adding our rules to chains with a custom prefix (e.g. libvirt-Fedora-POSTROUTING) we needed to be able to handle adding and deleting these custom chains. Now that we only use built-in iptables chains, we don't need to add or delete them - in fact, deleting them is not allowed. (Note: this was the only user of the iptablesSpawn(NO_ERRORS) stuff - we didn't want error spew when adding/deleting the chains failed as expected in most cases)
Signed-off-by: Mark McLoughlin <markmc@xxxxxxxxxx>
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-07 17:26:42.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-07 17:26:42.000000000 +0000
@@ -386,53 +386,6 @@ iptRulesNew(const char *table,
 return NULL;
 }
-static int
-iptablesAddRemoveChain(iptRules *rules, int action)
-{
- char **argv;
- int retval = ENOMEM;
- int n, status;
-
- n = 1 + /* /sbin/iptables */
- 2 + /* --table foo */
- 2; /* --new-chain bar */
-
- if (!(argv = calloc(n + 1, sizeof(*argv))))
- goto error;
-
- n = 0;
-
- if (!(argv[n++] = strdup(IPTABLES_PATH)))
- goto error;
-
- if (!(argv[n++] = strdup("--table")))
- goto error;
-
- if (!(argv[n++] = strdup(rules->table)))
- goto error;
-
- if (!(argv[n++] = strdup(action == ADD ? "--new-chain" : "--delete-chain")))
- goto error;
-
- if (!(argv[n++] = strdup(rules->chain)))
- goto error;
-
- if (virRun(NULL, argv, &status) < 0)
- retval = errno;
-
- retval = 0;
-
- error:
- if (argv) {
- n = 0;
- while (argv[n])
- free(argv[n++]);
- free(argv);
- }
-
- return retval;
-}
-
 static char *
 argvToString(char **argv)
 {
@@ -521,19 +474,11 @@ iptablesAddRemoveRule(iptRules *rules, i
 goto error;
 }
- if (action == ADD &&
- (retval = iptablesAddRemoveChain(rules, action)))
- goto error;
-
 if (virRun(NULL, argv, NULL) < 0) {
 retval = errno;
 goto error;
 }
- if (action == REMOVE &&
- (retval = iptablesAddRemoveChain(rules, action)))
- goto error;
-
 if (action == ADD) {
 retval = iptRulesAppend(rules, rule, argv, command_idx);
 rule = NULL;
@@ -641,11 +586,6 @@ iptRulesReload(iptRules *rules)
 rule->argv[rule->command_idx] = orig;
 }
- if ((retval = iptablesAddRemoveChain(rules, REMOVE)) ||
- (retval = iptablesAddRemoveChain(rules, ADD)))
- qemudLog(QEMUD_WARN, "Failed to re-create chain '%s' in table '%s': %s",
- rules->chain, rules->table, strerror(retval));
-
 for (i = 0; i < rules->nrules; i++)
 if (virRun(NULL, rules->rules[i].argv, NULL) < 0)
 qemudLog(QEMUD_WARN, "Failed to add iptables rule '%s' to chain '%s' in table '%s': %s",
-- 
-- 
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list