On Tue, Apr 30, 2024 at 01:44:03PM -0400, Laine Stump wrote:
> In the past virFirewall required all rollback commands for a group
> (those commands necessary to "undo" any rules that had been added in
> that group in case of a later failure) to be manually added by
> switching into the virFirewall object into "rollback mode" and then
> re-calling the inverse of the exact virFirewallAddCmd*() APIs that had
> been called to add the original rules (ie. for each
> "iptables --insert" command, for rollback we would need to add a
> command with all arguments identical except that "--insert" would be
> replaced by "--delete").
>
> Because nftables can't search for rules to remove by comparing all the
> arguments (it instead expects *only* a handle that is provided via
> stdout when the rule was originally added), we won't be able to follow
> the iptables method and manually construct the command to undo any
> given nft command by just duplicating all the args of the command
> (except the action). Instead we will need to be able to automatically
> create a rollback command at the time the rule-adding command is
> executed (e.g. an "nft delete rule" command that would include the
> rule handle returned in stdout by an "nft add rule" command).
>
> In order to make this happen, we need to be able to 1) learn whether
> the user of the virFirewall API desires this behavior (handled by a new
> transaction flag called VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK that
> can be retrieved with the new virFirewallTransactionGetFlags() API),
> and 2) add a new command to the current group's rollback command list (with
> the new virFirewallAddRollbackCmd()).
>
> We will actually use this capability in an upcoming patch.
>
> Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
> ---
>  src/libvirt_private.syms |  1 +
>  src/util/virfirewall.c   | 55 +++++++++++++++++++++++++++++++++++-----
>  src/util/virfirewall.h   |  7 +++++
>  3 files changed, 57 insertions(+), 6 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
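The core of the problem Laine describes is that an nft rule can only be removed by the handle nft reports when the rule is added, so the rollback command has to be derived from that output at add time rather than by flipping an argument as with iptables. The following is an added illustration, not libvirt code: it parses the handle out of a constructed sample of what `nft --echo --handle add rule ...` prints and builds the matching `nft delete rule ... handle N` command (the function names are invented for this example).

```c
/* Added example (not part of libvirt): derive an nft rollback command
 * from the stdout of "nft --echo --handle add rule ...".
 * The sample output line in main() is constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the numeric handle from a line such as
 *   "add rule inet filter input tcp dport 22 accept # handle 7"
 * Returns -1 when no "# handle N" marker is present, so the caller
 * knows there is nothing it can safely delete. */
long nftParseHandle(const char *addStdout)
{
    const char *prefix = "# handle ";
    const char *marker = strstr(addStdout, prefix);
    char *end;
    long handle;

    if (!marker)
        return -1;
    handle = strtol(marker + strlen(prefix), &end, 10);
    if (end == marker + strlen(prefix))   /* marker present but no digits */
        return -1;
    return handle;
}

/* Build the rollback command for a rule just added to FAMILY TABLE CHAIN.
 * Returns a malloc'd string the caller frees, or NULL if the add output
 * carried no handle (the rule must not be guessed at by its arguments). */
char *nftBuildRollbackCmd(const char *family, const char *table,
                          const char *chain, const char *addStdout)
{
    const char *fmt = "nft delete rule %s %s %s handle %ld";
    long handle = nftParseHandle(addStdout);
    int len;
    char *cmd;

    if (handle < 0)
        return NULL;
    len = snprintf(NULL, 0, fmt, family, table, chain, handle);
    if (len < 0 || !(cmd = malloc((size_t)len + 1)))
        return NULL;
    snprintf(cmd, (size_t)len + 1, fmt, family, table, chain, handle);
    return cmd;
}

int main(void)
{
    /* constructed sample of "nft --echo --handle add rule" output */
    const char *out = "add rule inet filter input tcp dport 22 accept # handle 7\n";
    char *rb = nftBuildRollbackCmd("inet", "filter", "input", out);
    printf("rollback: %s\n", rb ? rb : "(none)");
    free(rb);
    return 0;
}
```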