Re: [libvirt PATCH 21/28] util: implement rollback rule autosave for nftables backend

Ján Tomko <jtomko@xxxxxxxxxx> · Wed, 3 May 2023 11:17:05 +0200

On a Sunday in 2023, Laine Stump wrote:
Determining the correct rollback rule for nftables is more complicated
than iptables - nftables give each new table/chain/rule a handle, and
the nft delete command to delete the object must contain that handle
(rather than just replicating the entire original commandline as is
done for iptables).

The handle is obtained by adding an extra "-ae" option to the original
nft commandline, and then parsing stdout of the command looking for "#
handle n" (where "n" is a decimal integer).

This code isn't yet used anywhere, since
VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set.

Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---
src/util/virnftables.c | 106 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 105 insertions(+), 1 deletion(-)

diff --git a/src/util/virnftables.c b/src/util/virnftables.c
index b43b14bb82..0cc09caaed 100644
--- a/src/util/virnftables.c
+++ b/src/util/virnftables.c
@@ -71,12 +71,18 @@ VIR_ENUM_IMPL(virNftablesAction,
);


+#define VIR_ARG_IS_INSERT(arg) \
+    (STREQ(arg, "insert") || STREQ(arg, "add") || STREQ(arg, "create"))
+
int
virNftablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED,
                             virFirewallRule *rule,
                             char **output)
{
    size_t count = virFirewallRuleGetArgCount(rule);
+    bool needRollback = false;
+    size_t cmdIdx = 0;
+    const char *objectType = NULL;
    g_autoptr(virCommand) cmd = NULL;
    g_autofree char *cmdStr = NULL;
    g_autofree char *error = NULL;
@@ -91,11 +97,45 @@ virNftablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED,

    cmd = virCommandNew(NFT);

+    if ((virFirewallTransactionGetFlags(firewall)
+         & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK)
+        && count > 1) {
+        /* skip any leading options to get to command verb */
+        for (i = 0; i < count - 1; i++) {
+            if (virFirewallRuleGetArg(rule, i)[0] != '-')
+                break;
+        }
+
+        if (i + 1 < count
+            && VIR_ARG_IS_INSERT(virFirewallRuleGetArg(rule, i))) {
+
+            cmdIdx = i;
+            objectType = virFirewallRuleGetArg(rule, i + 1);
+
+            /* we currently only handle auto-rollback for rules,
+             * chains, and tables, and those all can be "rolled
+             * back" by a delete command using the handle that is
+             * returned when "-ae" is added to the add/insert
+             * command.
+             */
+            if (STREQ_NULLABLE(objectType, "rule")
+                || STREQ_NULLABLE(objectType, "chain")
+                || STREQ_NULLABLE(objectType, "table")) {
+

Same nitpick about operands on the next line applies here.

Jano
Attachment:
signature.asc

Description: PGP signature




