iptablesContext no longer contains any state, so we can drop it * src/util/iptables.c, src/util/iptables.h: drop iptablesContext * src/network/bridge_driver.c: update callers * src/libvirt_private.syms: drop context new/free functions --- src/libvirt_private.syms | 2 - src/network/bridge_driver.c | 132 ++++++++----------- src/util/iptables.c | 307 ++++++++++++------------------------------- src/util/iptables.h | 59 +++------ 4 files changed, 153 insertions(+), 347 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index e5ba365..d78142e 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -235,8 +235,6 @@ iptablesAddForwardRejectIn; iptablesAddForwardRejectOut; iptablesAddTcpInput; iptablesAddUdpInput; -iptablesContextFree; -iptablesContextNew; iptablesRemoveForwardAllowCross; iptablesRemoveForwardAllowIn; iptablesRemoveForwardAllowOut; diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index abee78c..28340a1 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -69,7 +69,6 @@ struct network_driver { virNetworkObjList networks; - iptablesContext *iptables; brControl *brctl; char *networkConfigDir; char *networkAutostartDir; @@ -247,11 +246,6 @@ networkStartup(int privileged) { goto error; } - if (!(driverState->iptables = iptablesContextNew())) { - goto out_of_memory; - } - - if (virNetworkLoadAllConfigs(NULL, &driverState->networks, driverState->networkConfigDir, @@ -349,8 +343,6 @@ networkShutdown(void) { if (driverState->brctl) brShutdown(driverState->brctl); - if (driverState->iptables) - iptablesContextFree(driverState->iptables); networkDriverUnlock(driverState); virMutexDestroy(&driverState->lock); @@ -590,13 +582,11 @@ cleanup: } static int -networkAddMasqueradingIptablesRules(virConnectPtr conn, - struct network_driver *driver, - virNetworkObjPtr network) { +networkAddMasqueradingIptablesRules(virConnectPtr conn, virNetworkObjPtr network) +{ int err; /* allow forwarding packets from the bridge interface */ - if ((err = iptablesAddForwardAllowOut(driver->iptables, - network->def->network, + if ((err = iptablesAddForwardAllowOut(network->def->network, network->def->bridge, network->def->forwardDev))) { virReportSystemError(conn, err, @@ -606,10 +596,9 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn, } /* allow forwarding packets to the bridge interface if they are part of an existing connection */ - if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables, - network->def->network, - network->def->bridge, - network->def->forwardDev))) { + if ((err = iptablesAddForwardAllowRelatedIn(network->def->network, + network->def->bridge, + network->def->forwardDev))) { virReportSystemError(conn, err, _("failed to add iptables rule to allow forwarding to '%s'"), network->def->bridge); @@ -617,8 +606,7 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn, } /* enable masquerading */ - if ((err = iptablesAddForwardMasquerade(driver->iptables, - network->def->network, + if ((err = iptablesAddForwardMasquerade(network->def->network, network->def->forwardDev))) { virReportSystemError(conn, err, _("failed to add iptables rule to enable masquerading to '%s'\n"), @@ -629,13 +617,11 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn, return 1; masqerr3: - iptablesRemoveForwardAllowRelatedIn(driver->iptables, - network->def->network, - network->def->bridge, - network->def->forwardDev); + iptablesRemoveForwardAllowRelatedIn(network->def->network, + network->def->bridge, + network->def->forwardDev); masqerr2: - iptablesRemoveForwardAllowOut(driver->iptables, - network->def->network, + iptablesRemoveForwardAllowOut(network->def->network, network->def->bridge, network->def->forwardDev); masqerr1: @@ -643,13 +629,11 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn, } static int -networkAddRoutingIptablesRules(virConnectPtr conn, - struct network_driver *driver, - virNetworkObjPtr network) { +networkAddRoutingIptablesRules(virConnectPtr conn, virNetworkObjPtr network) +{ int err; /* allow routing packets from the bridge interface */ - if ((err = iptablesAddForwardAllowOut(driver->iptables, - network->def->network, + if ((err = iptablesAddForwardAllowOut(network->def->network, network->def->bridge, network->def->forwardDev))) { virReportSystemError(conn, err, @@ -659,8 +643,7 @@ networkAddRoutingIptablesRules(virConnectPtr conn, } /* allow routing packets to the bridge interface */ - if ((err = iptablesAddForwardAllowIn(driver->iptables, - network->def->network, + if ((err = iptablesAddForwardAllowIn(network->def->network, network->def->bridge, network->def->forwardDev))) { virReportSystemError(conn, err, @@ -673,8 +656,7 @@ networkAddRoutingIptablesRules(virConnectPtr conn, routeerr2: - iptablesRemoveForwardAllowOut(driver->iptables, - network->def->network, + iptablesRemoveForwardAllowOut(network->def->network, network->def->bridge, network->def->forwardDev); routeerr1: @@ -682,20 +664,19 @@ networkAddRoutingIptablesRules(virConnectPtr conn, } static int -networkAddIptablesRules(virConnectPtr conn, - struct network_driver *driver, - virNetworkObjPtr network) { +networkAddIptablesRules(virConnectPtr conn, virNetworkObjPtr network) +{ int err; /* allow DHCP requests through to dnsmasq */ - if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge, 67))) { + if ((err = iptablesAddTcpInput(network->def->bridge, 67))) { virReportSystemError(conn, err, _("failed to add iptables rule to allow DHCP requests from '%s'"), network->def->bridge); goto err1; } - if ((err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 67))) { + if ((err = iptablesAddUdpInput(network->def->bridge, 67))) { virReportSystemError(conn, err, _("failed to add iptables rule to allow DHCP requests from '%s'"), network->def->bridge); @@ -703,14 +684,14 @@ networkAddIptablesRules(virConnectPtr conn, } /* allow DNS requests through to dnsmasq */ - if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge, 53))) { + if ((err = iptablesAddTcpInput(network->def->bridge, 53))) { virReportSystemError(conn, err, _("failed to add iptables rule to allow DNS requests from '%s'"), network->def->bridge); goto err3; } - if ((err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 53))) { + if ((err = iptablesAddUdpInput(network->def->bridge, 53))) { virReportSystemError(conn, err, _("failed to add iptables rule to allow DNS requests from '%s'"), network->def->bridge); @@ -720,14 +701,14 @@ networkAddIptablesRules(virConnectPtr conn, /* Catch all rules to block forwarding to/from bridges */ - if ((err = iptablesAddForwardRejectOut(driver->iptables, network->def->bridge))) { + if ((err = iptablesAddForwardRejectOut(network->def->bridge))) { virReportSystemError(conn, err, _("failed to add iptables rule to block outbound traffic from '%s'"), network->def->bridge); goto err5; } - if ((err = iptablesAddForwardRejectIn(driver->iptables, network->def->bridge))) { + if ((err = iptablesAddForwardRejectIn(network->def->bridge))) { virReportSystemError(conn, err, _("failed to add iptables rule to block inbound traffic to '%s'"), network->def->bridge); @@ -735,7 +716,7 @@ networkAddIptablesRules(virConnectPtr conn, } /* Allow traffic between guests on the same bridge */ - if ((err = iptablesAddForwardAllowCross(driver->iptables, network->def->bridge))) { + if ((err = iptablesAddForwardAllowCross(network->def->bridge))) { virReportSystemError(conn, err, _("failed to add iptables rule to allow cross bridge traffic on '%s'"), network->def->bridge); @@ -745,66 +726,59 @@ networkAddIptablesRules(virConnectPtr conn, /* If masquerading is enabled, set up the rules*/ if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT && - !networkAddMasqueradingIptablesRules(conn, driver, network)) + !networkAddMasqueradingIptablesRules(conn, network)) goto err8; /* else if routing is enabled, set up the rules*/ else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE && - !networkAddRoutingIptablesRules(conn, driver, network)) + !networkAddRoutingIptablesRules(conn, network)) goto err8; return 1; err8: - iptablesRemoveForwardAllowCross(driver->iptables, - network->def->bridge); + iptablesRemoveForwardAllowCross(network->def->bridge); err7: - iptablesRemoveForwardRejectIn(driver->iptables, - network->def->bridge); + iptablesRemoveForwardRejectIn(network->def->bridge); err6: - iptablesRemoveForwardRejectOut(driver->iptables, - network->def->bridge); + iptablesRemoveForwardRejectOut(network->def->bridge); err5: - iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53); + iptablesRemoveUdpInput(network->def->bridge, 53); err4: - iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53); + iptablesRemoveTcpInput(network->def->bridge, 53); err3: - iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67); + iptablesRemoveUdpInput(network->def->bridge, 67); err2: - iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67); + iptablesRemoveTcpInput(network->def->bridge, 67); err1: return 0; } static void -networkRemoveIptablesRules(struct network_driver *driver, - virNetworkObjPtr network) { +networkRemoveIptablesRules(virNetworkObjPtr network) +{ if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) { if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) { - iptablesRemoveForwardMasquerade(driver->iptables, - network->def->network, - network->def->forwardDev); - iptablesRemoveForwardAllowRelatedIn(driver->iptables, - network->def->network, + iptablesRemoveForwardMasquerade(network->def->network, + network->def->forwardDev); + iptablesRemoveForwardAllowRelatedIn(network->def->network, network->def->bridge, network->def->forwardDev); } else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE) - iptablesRemoveForwardAllowIn(driver->iptables, - network->def->network, + iptablesRemoveForwardAllowIn(network->def->network, network->def->bridge, network->def->forwardDev); - iptablesRemoveForwardAllowOut(driver->iptables, - network->def->network, + iptablesRemoveForwardAllowOut(network->def->network, network->def->bridge, network->def->forwardDev); } - iptablesRemoveForwardAllowCross(driver->iptables, network->def->bridge); - iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge); - iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge); - iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53); - iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53); - iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67); - iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67); + iptablesRemoveForwardAllowCross(network->def->bridge); + iptablesRemoveForwardRejectIn(network->def->bridge); + iptablesRemoveForwardRejectOut(network->def->bridge); + iptablesRemoveUdpInput(network->def->bridge, 53); + iptablesRemoveTcpInput(network->def->bridge, 53); + iptablesRemoveUdpInput(network->def->bridge, 67); + iptablesRemoveTcpInput(network->def->bridge, 67); } static void @@ -818,8 +792,8 @@ networkReloadIptablesRules(struct network_driver *driver) virNetworkObjLock(driver->networks.objs[i]); if (virNetworkObjIsActive(driver->networks.objs[i])) { - networkRemoveIptablesRules(driver, driver->networks.objs[i]); - if (!networkAddIptablesRules(NULL, driver, driver->networks.objs[i])) { + networkRemoveIptablesRules(driver->networks.objs[i]); + if (!networkAddIptablesRules(NULL, driver->networks.objs[i])) { /* failed to add but already logged */ } } @@ -940,7 +914,7 @@ static int networkStartNetworkDaemon(virConnectPtr conn, goto err_delbr; } - if (!networkAddIptablesRules(conn, driver, network)) + if (!networkAddIptablesRules(conn, network)) goto err_delbr1; if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE && @@ -972,7 +946,7 @@ static int networkStartNetworkDaemon(virConnectPtr conn, } err_delbr2: - networkRemoveIptablesRules(driver, network); + networkRemoveIptablesRules(network); err_delbr1: if ((err = brSetInterfaceUp(driver->brctl, network->def->bridge, 0))) { @@ -1013,7 +987,7 @@ static int networkShutdownNetworkDaemon(virConnectPtr conn, if (network->dnsmasqPid > 0) kill(network->dnsmasqPid, SIGTERM); - networkRemoveIptablesRules(driver, network); + networkRemoveIptablesRules(network); char ebuf[1024]; if ((err = brSetInterfaceUp(driver->brctl, network->def->bridge, 0))) { diff --git a/src/util/iptables.c b/src/util/iptables.c index 3c02ea6..de75a24 100644 --- a/src/util/iptables.c +++ b/src/util/iptables.c @@ -52,51 +52,9 @@ enum { REMOVE }; -typedef struct -{ - char *table; - char *chain; -} iptRules; - -struct _iptablesContext -{ - iptRules *input_filter; - iptRules *forward_filter; - iptRules *nat_postrouting; -}; - -static void -iptRulesFree(iptRules *rules) -{ - VIR_FREE(rules->table); - VIR_FREE(rules->chain); - VIR_FREE(rules); -} - -static iptRules * -iptRulesNew(const char *table, - const char *chain) -{ - iptRules *rules; - - if (VIR_ALLOC(rules) < 0) - return NULL; - - if (!(rules->table = strdup(table))) - goto error; - - if (!(rules->chain = strdup(chain))) - goto error; - - return rules; - - error: - iptRulesFree(rules); - return NULL; -} - static int ATTRIBUTE_SENTINEL -iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...) +iptablesAddRemoveRule(const char *table, const char *chain, + int action, const char *arg, ...) { va_list args; int retval = ENOMEM; @@ -126,13 +84,13 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...) if (!(argv[n++] = strdup("--table"))) goto error; - if (!(argv[n++] = strdup(rules->table))) + if (!(argv[n++] = strdup(table))) goto error; if (!(argv[n++] = strdup(action == ADD ? "--insert" : "--delete"))) goto error; - if (!(argv[n++] = strdup(rules->chain))) + if (!(argv[n++] = strdup(chain))) goto error; if (!(argv[n++] = strdup(arg))) @@ -164,58 +122,8 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...) return retval; } -/** - * iptablesContextNew: - * - * Create a new IPtable context - * - * Returns a pointer to the new structure or NULL in case of error - */ -iptablesContext * -iptablesContextNew(void) -{ - iptablesContext *ctx; - - if (VIR_ALLOC(ctx) < 0) - return NULL; - - if (!(ctx->input_filter = iptRulesNew("filter", "INPUT"))) - goto error; - - if (!(ctx->forward_filter = iptRulesNew("filter", "FORWARD"))) - goto error; - - if (!(ctx->nat_postrouting = iptRulesNew("nat", "POSTROUTING"))) - goto error; - - return ctx; - - error: - iptablesContextFree(ctx); - return NULL; -} - -/** - * iptablesContextFree: - * @ctx: pointer to the IP table context - * - * Free the resources associated with an IP table context - */ -void -iptablesContextFree(iptablesContext *ctx) -{ - if (ctx->input_filter) - iptRulesFree(ctx->input_filter); - if (ctx->forward_filter) - iptRulesFree(ctx->forward_filter); - if (ctx->nat_postrouting) - iptRulesFree(ctx->nat_postrouting); - VIR_FREE(ctx); -} - static int -iptablesInput(iptablesContext *ctx, - const char *iface, +iptablesInput(const char *iface, int port, int action, int tcp) @@ -225,7 +133,7 @@ iptablesInput(iptablesContext *ctx, snprintf(portstr, sizeof(portstr), "%d", port); portstr[sizeof(portstr) - 1] = '\0'; - return iptablesAddRemoveRule(ctx->input_filter, + return iptablesAddRemoveRule("filter", "INPUT", action, "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -236,7 +144,6 @@ iptablesInput(iptablesContext *ctx, /** * iptablesAddTcpInput: - * @ctx: pointer to the IP table context * @iface: the interface name * @port: the TCP port to add * @@ -247,16 +154,13 @@ iptablesInput(iptablesContext *ctx, */ int -iptablesAddTcpInput(iptablesContext *ctx, - const char *iface, - int port) +iptablesAddTcpInput(const char *iface, int port) { - return iptablesInput(ctx, iface, port, ADD, 1); + return iptablesInput(iface, port, ADD, 1); } /** * iptablesRemoveTcpInput: - * @ctx: pointer to the IP table context * @iface: the interface name * @port: the TCP port to remove * @@ -266,16 +170,13 @@ iptablesAddTcpInput(iptablesContext *ctx, * Returns 0 in case of success or an error code in case of error */ int -iptablesRemoveTcpInput(iptablesContext *ctx, - const char *iface, - int port) +iptablesRemoveTcpInput(const char *iface, int port) { - return iptablesInput(ctx, iface, port, REMOVE, 1); + return iptablesInput(iface, port, REMOVE, 1); } /** * iptablesAddUdpInput: - * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to add * @@ -286,16 +187,13 @@ iptablesRemoveTcpInput(iptablesContext *ctx, */ int -iptablesAddUdpInput(iptablesContext *ctx, - const char *iface, - int port) +iptablesAddUdpInput(const char *iface, int port) { - return iptablesInput(ctx, iface, port, ADD, 0); + return iptablesInput(iface, port, ADD, 0); } /** * iptablesRemoveUdpInput: - * @ctx: pointer to the IP table context * @iface: the interface name * @port: the UDP port to remove * @@ -305,11 +203,9 @@ iptablesAddUdpInput(iptablesContext *ctx, * Returns 0 in case of success or an error code in case of error */ int -iptablesRemoveUdpInput(iptablesContext *ctx, - const char *iface, - int port) +iptablesRemoveUdpInput(const char *iface, int port) { - return iptablesInput(ctx, iface, port, REMOVE, 0); + return iptablesInput(iface, port, REMOVE, 0); } @@ -317,14 +213,13 @@ iptablesRemoveUdpInput(iptablesContext *ctx, * to proceed to WAN */ static int -iptablesForwardAllowOut(iptablesContext *ctx, - const char *network, - const char *iface, - const char *physdev, - int action) +iptablesForwardAllowOut(const char *network, + const char *iface, + const char *physdev, + int action) { if (physdev && physdev[0]) { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", action, "--source", network, "--in-interface", iface, @@ -332,7 +227,7 @@ iptablesForwardAllowOut(iptablesContext *ctx, "--jump", "ACCEPT", NULL); } else { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", action, "--source", network, "--in-interface", iface, @@ -343,7 +238,6 @@ iptablesForwardAllowOut(iptablesContext *ctx, /** * iptablesAddForwardAllowOut: - * @ctx: pointer to the IP table context * @network: the source network name * @iface: the source interface name * @physdev: the physical output device @@ -355,17 +249,15 @@ iptablesForwardAllowOut(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowOut(iptablesContext *ctx, - const char *network, - const char *iface, - const char *physdev) +iptablesAddForwardAllowOut(const char *network, + const char *iface, + const char *physdev) { - return iptablesForwardAllowOut(ctx, network, iface, physdev, ADD); + return iptablesForwardAllowOut(network, iface, physdev, ADD); } /** * iptablesRemoveForwardAllowOut: - * @ctx: pointer to the IP table context * @network: the source network name * @iface: the source interface name * @physdev: the physical output device @@ -377,12 +269,11 @@ iptablesAddForwardAllowOut(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowOut(iptablesContext *ctx, - const char *network, - const char *iface, - const char *physdev) +iptablesRemoveForwardAllowOut(const char *network, + const char *iface, + const char *physdev) { - return iptablesForwardAllowOut(ctx, network, iface, physdev, REMOVE); + return iptablesForwardAllowOut(network, iface, physdev, REMOVE); } @@ -390,14 +281,13 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx, * and associated with an existing connection */ static int -iptablesForwardAllowRelatedIn(iptablesContext *ctx, - const char *network, - const char *iface, - const char *physdev, - int action) +iptablesForwardAllowRelatedIn(const char *network, + const char *iface, + const char *physdev, + int action) { if (physdev && physdev[0]) { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", action, "--destination", network, "--in-interface", physdev, @@ -407,7 +297,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, "--jump", "ACCEPT", NULL); } else { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", action, "--destination", network, "--out-interface", iface, @@ -420,7 +310,6 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, /** * iptablesAddForwardAllowRelatedIn: - * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name * @physdev: the physical input device or NULL @@ -432,17 +321,15 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, - const char *network, - const char *iface, - const char *physdev) +iptablesAddForwardAllowRelatedIn(const char *network, + const char *iface, + const char *physdev) { - return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, ADD); + return iptablesForwardAllowRelatedIn(network, iface, physdev, ADD); } /** * iptablesRemoveForwardAllowRelatedIn: - * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name * @physdev: the physical input device or NULL @@ -454,25 +341,23 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, - const char *network, - const char *iface, - const char *physdev) +iptablesRemoveForwardAllowRelatedIn(const char *network, + const char *iface, + const char *physdev) { - return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, REMOVE); + return iptablesForwardAllowRelatedIn(network, iface, physdev, REMOVE); } /* Allow all traffic destined to the bridge, with a valid network address */ static int -iptablesForwardAllowIn(iptablesContext *ctx, - const char *network, +iptablesForwardAllowIn(const char *network, const char *iface, const char *physdev, int action) { if (physdev && physdev[0]) { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", action, "--destination", network, "--in-interface", physdev, @@ -480,7 +365,7 @@ iptablesForwardAllowIn(iptablesContext *ctx, "--jump", "ACCEPT", NULL); } else { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", action, "--destination", network, "--out-interface", iface, @@ -491,7 +376,6 @@ iptablesForwardAllowIn(iptablesContext *ctx, /** * iptablesAddForwardAllowIn: - * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name * @physdev: the physical input device or NULL @@ -503,17 +387,15 @@ iptablesForwardAllowIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowIn(iptablesContext *ctx, - const char *network, +iptablesAddForwardAllowIn(const char *network, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(ctx, network, iface, physdev, ADD); + return iptablesForwardAllowIn(network, iface, physdev, ADD); } /** * iptablesRemoveForwardAllowIn: - * @ctx: pointer to the IP table context * @network: the source network name * @iface: the output interface name * @physdev: the physical input device or NULL @@ -525,12 +407,11 @@ iptablesAddForwardAllowIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowIn(iptablesContext *ctx, - const char *network, +iptablesRemoveForwardAllowIn(const char *network, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(ctx, network, iface, physdev, REMOVE); + return iptablesForwardAllowIn(network, iface, physdev, REMOVE); } @@ -538,11 +419,9 @@ iptablesRemoveForwardAllowIn(iptablesContext *ctx, * with a valid network address */ static int -iptablesForwardAllowCross(iptablesContext *ctx, - const char *iface, - int action) +iptablesForwardAllowCross(const char *iface, int action) { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", action, "--in-interface", iface, "--out-interface", iface, @@ -552,7 +431,6 @@ iptablesForwardAllowCross(iptablesContext *ctx, /** * iptablesAddForwardAllowCross: - * @ctx: pointer to the IP table context * @iface: the input/output interface name * * Add rules to the IP table context to allow traffic to cross that @@ -562,14 +440,13 @@ iptablesForwardAllowCross(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardAllowCross(iptablesContext *ctx, - const char *iface) { - return iptablesForwardAllowCross(ctx, iface, ADD); +iptablesAddForwardAllowCross( const char *iface) +{ + return iptablesForwardAllowCross(iface, ADD); } /** * iptablesRemoveForwardAllowCross: - * @ctx: pointer to the IP table context * @iface: the input/output interface name * * Remove rules to the IP table context to block traffic to cross that @@ -579,9 +456,9 @@ iptablesAddForwardAllowCross(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardAllowCross(iptablesContext *ctx, - const char *iface) { - return iptablesForwardAllowCross(ctx, iface, REMOVE); +iptablesRemoveForwardAllowCross(const char *iface) +{ + return iptablesForwardAllowCross(iface, REMOVE); } @@ -589,20 +466,17 @@ iptablesRemoveForwardAllowCross(iptablesContext *ctx, * ie the bridge is the in interface */ static int -iptablesForwardRejectOut(iptablesContext *ctx, - const char *iface, - int action) +iptablesForwardRejectOut(const char *iface, int action) { - return iptablesAddRemoveRule(ctx->forward_filter, - action, - "--in-interface", iface, - "--jump", "REJECT", - NULL); + return iptablesAddRemoveRule("filter", "FORWARD", + action, + "--in-interface", iface, + "--jump", "REJECT", + NULL); } /** * iptablesAddForwardRejectOut: - * @ctx: pointer to the IP table context * @iface: the output interface name * * Add rules to the IP table context to forbid all traffic to that @@ -611,15 +485,13 @@ iptablesForwardRejectOut(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardRejectOut(iptablesContext *ctx, - const char *iface) +iptablesAddForwardRejectOut(const char *iface) { - return iptablesForwardRejectOut(ctx, iface, ADD); + return iptablesForwardRejectOut(iface, ADD); } /** * iptablesRemoveForwardRejectOut: - * @ctx: pointer to the IP table context * @iface: the output interface name * * Remove rules from the IP table context forbidding all traffic to that @@ -628,24 +500,18 @@ iptablesAddForwardRejectOut(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardRejectOut(iptablesContext *ctx, - const char *iface) +iptablesRemoveForwardRejectOut(const char *iface) { - return iptablesForwardRejectOut(ctx, iface, REMOVE); + return iptablesForwardRejectOut(iface, REMOVE); } - - - /* Drop all traffic trying to forward to the bridge. * ie the bridge is the out interface */ static int -iptablesForwardRejectIn(iptablesContext *ctx, - const char *iface, - int action) +iptablesForwardRejectIn(const char *iface, int action) { - return iptablesAddRemoveRule(ctx->forward_filter, + return iptablesAddRemoveRule("filter", "FORWARD", action, "--out-interface", iface, "--jump", "REJECT", @@ -654,7 +520,6 @@ iptablesForwardRejectIn(iptablesContext *ctx, /** * iptablesAddForwardRejectIn: - * @ctx: pointer to the IP table context * @iface: the input interface name * * Add rules to the IP table context to forbid all traffic from that @@ -663,15 +528,13 @@ iptablesForwardRejectIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardRejectIn(iptablesContext *ctx, - const char *iface) +iptablesAddForwardRejectIn(const char *iface) { - return iptablesForwardRejectIn(ctx, iface, ADD); + return iptablesForwardRejectIn(iface, ADD); } /** * iptablesRemoveForwardRejectIn: - * @ctx: pointer to the IP table context * @iface: the input interface name * * Remove rules from the IP table context forbidding all traffic from that @@ -680,10 +543,9 @@ iptablesAddForwardRejectIn(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardRejectIn(iptablesContext *ctx, - const char *iface) +iptablesRemoveForwardRejectIn(const char *iface) { - return iptablesForwardRejectIn(ctx, iface, REMOVE); + return iptablesForwardRejectIn(iface, REMOVE); } @@ -691,13 +553,12 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx, * with the bridge */ static int -iptablesForwardMasquerade(iptablesContext *ctx, - const char *network, - const char *physdev, - int action) +iptablesForwardMasquerade(const char *network, + const char *physdev, + int action) { if (physdev && physdev[0]) { - return iptablesAddRemoveRule(ctx->nat_postrouting, + return iptablesAddRemoveRule("nat", "POSTROUTING", action, "--source", network, "!", "--destination", network, @@ -705,7 +566,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, "--jump", "MASQUERADE", NULL); } else { - return iptablesAddRemoveRule(ctx->nat_postrouting, + return iptablesAddRemoveRule("nat", "POSTROUTING", action, "--source", network, "!", "--destination", network, @@ -716,7 +577,6 @@ iptablesForwardMasquerade(iptablesContext *ctx, /** * iptablesAddForwardMasquerade: - * @ctx: pointer to the IP table context * @network: the source network name * @physdev: the physical input device or NULL * @@ -727,16 +587,14 @@ iptablesForwardMasquerade(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesAddForwardMasquerade(iptablesContext *ctx, - const char *network, +iptablesAddForwardMasquerade(const char *network, const char *physdev) { - return iptablesForwardMasquerade(ctx, network, physdev, ADD); + return iptablesForwardMasquerade(network, physdev, ADD); } /** * iptablesRemoveForwardMasquerade: - * @ctx: pointer to the IP table context * @network: the source network name * @physdev: the physical input device or NULL * @@ -747,9 +605,8 @@ iptablesAddForwardMasquerade(iptablesContext *ctx, * Returns 0 in case of success or an error code otherwise */ int -iptablesRemoveForwardMasquerade(iptablesContext *ctx, - const char *network, +iptablesRemoveForwardMasquerade(const char *network, const char *physdev) { - return iptablesForwardMasquerade(ctx, network, physdev, REMOVE); + return iptablesForwardMasquerade(network, physdev, REMOVE); } diff --git a/src/util/iptables.h b/src/util/iptables.h index 68d9e0d..8809d7d 100644 --- a/src/util/iptables.h +++ b/src/util/iptables.h @@ -22,72 +22,49 @@ #ifndef __QEMUD_IPTABLES_H__ #define __QEMUD_IPTABLES_H__ -typedef struct _iptablesContext iptablesContext; - -iptablesContext *iptablesContextNew (void); -void iptablesContextFree (iptablesContext *ctx); - -int iptablesAddTcpInput (iptablesContext *ctx, - const char *iface, +int iptablesAddTcpInput (const char *iface, int port); -int iptablesRemoveTcpInput (iptablesContext *ctx, - const char *iface, +int iptablesRemoveTcpInput (const char *iface, int port); -int iptablesAddUdpInput (iptablesContext *ctx, - const char *iface, +int iptablesAddUdpInput (const char *iface, int port); -int iptablesRemoveUdpInput (iptablesContext *ctx, - const char *iface, +int iptablesRemoveUdpInput (const char *iface, int port); -int iptablesAddForwardAllowOut (iptablesContext *ctx, - const char *network, +int iptablesAddForwardAllowOut (const char *network, const char *iface, const char *physdev); -int iptablesRemoveForwardAllowOut (iptablesContext *ctx, - const char *network, +int iptablesRemoveForwardAllowOut (const char *network, const char *iface, const char *physdev); -int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx, - const char *network, +int iptablesAddForwardAllowRelatedIn(const char *network, const char *iface, const char *physdev); -int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx, - const char *network, +int iptablesRemoveForwardAllowRelatedIn(const char *network, const char *iface, const char *physdev); -int iptablesAddForwardAllowIn (iptablesContext *ctx, - const char *network, +int iptablesAddForwardAllowIn (const char *network, const char *iface, const char *physdev); -int iptablesRemoveForwardAllowIn (iptablesContext *ctx, - const char *network, +int iptablesRemoveForwardAllowIn (const char *network, const char *iface, const char *physdev); -int iptablesAddForwardAllowCross (iptablesContext *ctx, - const char *iface); -int iptablesRemoveForwardAllowCross (iptablesContext *ctx, - const char *iface); +int iptablesAddForwardAllowCross (const char *iface); +int iptablesRemoveForwardAllowCross (const char *iface); -int iptablesAddForwardRejectOut (iptablesContext *ctx, - const char *iface); -int iptablesRemoveForwardRejectOut (iptablesContext *ctx, - const char *iface); +int iptablesAddForwardRejectOut (const char *iface); +int iptablesRemoveForwardRejectOut (const char *iface); -int iptablesAddForwardRejectIn (iptablesContext *ctx, - const char *iface); -int iptablesRemoveForwardRejectIn (iptablesContext *ctx, - const char *iface); +int iptablesAddForwardRejectIn (const char *iface); +int iptablesRemoveForwardRejectIn (const char *iface); -int iptablesAddForwardMasquerade (iptablesContext *ctx, - const char *network, +int iptablesAddForwardMasquerade (const char *network, const char *physdev); -int iptablesRemoveForwardMasquerade (iptablesContext *ctx, - const char *network, +int iptablesRemoveForwardMasquerade (const char *network, const char *physdev); #endif /* __QEMUD_IPTABLES_H__ */ -- 1.6.5.2 -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list