Some of the query callbacks want to know the firewall layer that was being used for triggering the query to avoid duplicating that data. Reviewed-by: Laine Stump <laine@xxxxxxxxx> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- src/nwfilter/nwfilter_ebiptables_driver.c | 17 ++++++++++------- src/util/virfirewall.c | 2 +- src/util/virfirewall.h | 1 + tests/virfirewalltest.c | 3 ++- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c index 75ec1962b6..32bbf6d05c 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -2701,6 +2701,7 @@ ebtablesCreateTmpSubChainFW(virFirewallPtr fw, static int ebtablesRemoveSubChainsQuery(virFirewallPtr fw, + virFirewallLayer layer, const char *const *lines, void *opaque) { @@ -2717,14 +2718,14 @@ ebtablesRemoveSubChainsQuery(virFirewallPtr fw, if (tmp[0] == chainprefixes[j] && tmp[1] == '-') { VIR_DEBUG("Processing chain '%s'", tmp); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, false, ebtablesRemoveSubChainsQuery, (void *)chainprefixes, "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-F", tmp, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-X", tmp, NULL); } @@ -2802,6 +2803,7 @@ ebtablesRenameTmpRootChainFW(virFirewallPtr fw, static int ebtablesRenameTmpSubAndRootChainsQuery(virFirewallPtr fw, + virFirewallLayer layer, const char *const *lines, void *opaque ATTRIBUTE_UNUSED) { @@ -2826,17 +2828,17 @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewallPtr fw, else newchain[0] = CHAINPREFIX_HOST_OUT; VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, false, ebtablesRenameTmpSubAndRootChainsQuery, NULL, "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-F", newchain, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-X", newchain, NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRule(fw, layer, "-t", "nat", "-E", tmp, newchain, NULL); } @@ -3758,6 +3760,7 @@ ebiptablesDriverProbeCtdir(void) static int ebiptablesDriverProbeStateMatchQuery(virFirewallPtr fw ATTRIBUTE_UNUSED, + virFirewallLayer layer ATTRIBUTE_UNUSED, const char *const *lines, void *opaque) { diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 5a0cf95a44..0ed54d6228 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -824,7 +824,7 @@ virFirewallApplyRule(virFirewallPtr firewall, return -1; VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output); - if (rule->queryCB(firewall, (const char *const *)lines, rule->queryOpaque) < 0) + if (rule->queryCB(firewall, rule->layer, (const char *const *)lines, rule->queryOpaque) < 0) return -1; if (firewall->err == ENOMEM) { diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index a1c45e0427..2a6fc30eb7 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -56,6 +56,7 @@ void virFirewallFree(virFirewallPtr firewall); virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_ARGS__) typedef int (*virFirewallQueryCallback)(virFirewallPtr firewall, + virFirewallLayer layer, const char *const *lines, void *opaque); diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index 63b9ced820..5fde25d8f6 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -990,11 +990,12 @@ testFirewallQueryHook(const char *const*args, static int testFirewallQueryCallback(virFirewallPtr fw, + virFirewallLayer layer, const char *const *lines, void *opaque ATTRIBUTE_UNUSED) { size_t i; - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + virFirewallAddRule(fw, layer, "-A", "INPUT", "--source-host", "!192.168.122.129", "--jump", "REJECT", NULL); -- 2.20.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list