[PATCH v5 06/30] util: rename virNetFilterAction to iptablesAction, and add VIR_ENUM_DECL/IMPL


 



I had originally named these as VIR_NETFILTER_* because I assumed the
same enum would eventually be used by our nftables backend as well as
iptables. But it turns out that in most cases it's not possible to
delete an nftables rule, so we never used the enum there anyway. This
patch therefore renames the values to IPTABLES_ACTION_* and uses the
newly defined (via VIR_ENUM_DECL/IMPL) iptablesActionTypeToString() to
replace all the ternary operators that translated the enum into a
string for the iptables command line.

Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
 src/network/network_iptables.c | 126 ++++++++++++++++++---------------
 1 file changed, 69 insertions(+), 57 deletions(-)

diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 5c16683cff..d7e749adf0 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -32,6 +32,7 @@
 #include "virerror.h"
 #include "virlog.h"
 #include "virhash.h"
+#include "virenum.h"
 #include "network_iptables.h"
 
 VIR_LOG_INIT("network.iptables");
@@ -45,10 +46,21 @@ VIR_LOG_INIT("network.iptables");
 #define VIR_IPTABLES_FWD_X_CHAIN "LIBVIRT_FWX"
 #define VIR_IPTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT"
 
-enum {
-    VIR_NETFILTER_INSERT = 0,
-    VIR_NETFILTER_DELETE
-};
+typedef enum {
+    IPTABLES_ACTION_INSERT,
+    IPTABLES_ACTION_APPEND,
+    IPTABLES_ACTION_DELETE,
+
+    IPTABLES_ACTION_LAST
+} iptablesAction;
+
+VIR_ENUM_DECL(iptablesAction);
+VIR_ENUM_IMPL(iptablesAction,
+              IPTABLES_ACTION_LAST,
+              "--insert",
+              "--append",
+              "--delete",
+);
 
 typedef struct {
     const char *parent;
@@ -168,14 +180,14 @@ iptablesInput(virFirewall *fw,
               virFirewallLayer layer,
               const char *iface,
               int port,
-              int action,
+              iptablesAction action,
               int tcp)
 {
     g_autofree char *portstr = g_strdup_printf("%d", port);
 
     virFirewallAddCmd(fw, layer,
                       "--table", "filter",
-                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      iptablesActionTypeToString(action),
                       VIR_IPTABLES_INPUT_CHAIN,
                       "--in-interface", iface,
                       "--protocol", tcp ? "tcp" : "udp",
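Review bot: iptablesActionTypeToString(action) returns NULL for a value outside the enum (e.g. IPTABLES_ACTION_LAST, or an int from a caller not yet converted), and if I read the virFirewallAddCmd macro correctly its argument list is NULL-terminated, so an out-of-range action would silently truncate the rule to `--table filter` instead of failing loudly; the old ternary could never produce NULL. The same applies to every hunk that substitutes iptablesActionTypeToString, including those ending at lines 96, 186, 195, 231, 240, 276, 285, 316, 347, 379, 415, 424, 460, 469 and 503. Looking the string up once and guarding it keeps the failure visible: `const char *actionstr = iptablesActionTypeToString(action);` then `if (!actionstr) { virReportEnumRangeError(iptablesAction, action); return; }` before the virFirewallAddCmd call, bearing in mind that the helpers returning int should propagate -1 rather than return void. iptablesInput's body continues past the end of this hunk.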
@@ -189,14 +201,14 @@ iptablesOutput(virFirewall *fw,
                virFirewallLayer layer,
                const char *iface,
                int port,
-               int action,
+               iptablesAction action,
                int tcp)
 {
     g_autofree char *portstr = g_strdup_printf("%d", port);
 
     virFirewallAddCmd(fw, layer,
                       "--table", "filter",
-                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      iptablesActionTypeToString(action),
                       VIR_IPTABLES_OUTPUT_CHAIN,
                       "--out-interface", iface,
                       "--protocol", tcp ? "tcp" : "udp",
@@ -220,7 +232,7 @@ iptablesAddTcpInput(virFirewall *fw,
                     const char *iface,
                     int port)
 {
-    iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
+    iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1);
 }
 
 /**
@@ -238,7 +250,7 @@ iptablesRemoveTcpInput(virFirewall *fw,
                        const char *iface,
                        int port)
 {
-    iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
+    iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1);
 }
 
 /**
@@ -256,7 +268,7 @@ iptablesAddUdpInput(virFirewall *fw,
                     const char *iface,
                     int port)
 {
-    iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
+    iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0);
 }
 
 /**
@@ -274,7 +286,7 @@ iptablesRemoveUdpInput(virFirewall *fw,
                        const char *iface,
                        int port)
 {
-    iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
+    iptablesInput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0);
 }
 
 /**
@@ -292,7 +304,7 @@ iptablesAddTcpOutput(virFirewall *fw,
                      const char *iface,
                      int port)
 {
-    iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1);
+    iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 1);
 }
 
 /**
@@ -310,7 +322,7 @@ iptablesRemoveTcpOutput(virFirewall *fw,
                         const char *iface,
                         int port)
 {
-    iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1);
+    iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 1);
 }
 
 /**
@@ -328,7 +340,7 @@ iptablesAddUdpOutput(virFirewall *fw,
                      const char *iface,
                      int port)
 {
-    iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0);
+    iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_INSERT, 0);
 }
 
 /**
@@ -346,7 +358,7 @@ iptablesRemoveUdpOutput(virFirewall *fw,
                         const char *iface,
                         int port)
 {
-    iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0);
+    iptablesOutput(fw, layer, iface, port, IPTABLES_ACTION_DELETE, 0);
 }
 
 
@@ -359,7 +371,7 @@ iptablesForwardAllowOut(virFirewall *fw,
                         unsigned int prefix,
                         const char *iface,
                         const char *physdev,
-                        int action)
+                        iptablesAction action)
 {
     g_autofree char *networkstr = NULL;
     virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
@@ -371,7 +383,7 @@ iptablesForwardAllowOut(virFirewall *fw,
     if (physdev && physdev[0])
         virFirewallAddCmd(fw, layer,
                           "--table", "filter",
-                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          iptablesActionTypeToString(action),
                           VIR_IPTABLES_FWD_OUT_CHAIN,
                           "--source", networkstr,
                           "--in-interface", iface,
@@ -381,7 +393,7 @@ iptablesForwardAllowOut(virFirewall *fw,
     else
         virFirewallAddCmd(fw, layer,
                           "--table", "filter",
-                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          iptablesActionTypeToString(action),
                           VIR_IPTABLES_FWD_OUT_CHAIN,
                           "--source", networkstr,
                           "--in-interface", iface,
@@ -412,7 +424,7 @@ iptablesAddForwardAllowOut(virFirewall *fw,
                            const char *physdev)
 {
     return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
-                                   VIR_NETFILTER_INSERT);
+                                   IPTABLES_ACTION_INSERT);
 }
 
 /**
@@ -436,7 +448,7 @@ iptablesRemoveForwardAllowOut(virFirewall *fw,
                               const char *physdev)
 {
     return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev,
-                                   VIR_NETFILTER_DELETE);
+                                   IPTABLES_ACTION_DELETE);
 }
 
 
@@ -449,7 +461,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
                               unsigned int prefix,
                               const char *iface,
                               const char *physdev,
-                              int action)
+                              iptablesAction action)
 {
     virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
         VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
@@ -461,7 +473,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
     if (physdev && physdev[0])
         virFirewallAddCmd(fw, layer,
                           "--table", "filter",
-                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          iptablesActionTypeToString(action),
                           VIR_IPTABLES_FWD_IN_CHAIN,
                           "--destination", networkstr,
                           "--in-interface", physdev,
@@ -473,7 +485,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
     else
         virFirewallAddCmd(fw, layer,
                           "--table", "filter",
-                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          iptablesActionTypeToString(action),
                           VIR_IPTABLES_FWD_IN_CHAIN,
                           "--destination", networkstr,
                           "--out-interface", iface,
@@ -506,7 +518,7 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw,
                                  const char *physdev)
 {
     return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
-                                         VIR_NETFILTER_INSERT);
+                                         IPTABLES_ACTION_INSERT);
 }
 
 /**
@@ -530,7 +542,7 @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw,
                                     const char *physdev)
 {
     return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev,
-                                         VIR_NETFILTER_DELETE);
+                                         IPTABLES_ACTION_DELETE);
 }
 
 /* Allow all traffic destined to the bridge, with a valid network address
@@ -541,7 +553,7 @@ iptablesForwardAllowIn(virFirewall *fw,
                        unsigned int prefix,
                        const char *iface,
                        const char *physdev,
-                       int action)
+                       iptablesAction action)
 {
     virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
         VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
@@ -553,7 +565,7 @@ iptablesForwardAllowIn(virFirewall *fw,
     if (physdev && physdev[0])
         virFirewallAddCmd(fw, layer,
                           "--table", "filter",
-                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          iptablesActionTypeToString(action),
                           VIR_IPTABLES_FWD_IN_CHAIN,
                           "--destination", networkstr,
                           "--in-interface", physdev,
@@ -563,7 +575,7 @@ iptablesForwardAllowIn(virFirewall *fw,
     else
         virFirewallAddCmd(fw, layer,
                           "--table", "filter",
-                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          iptablesActionTypeToString(action),
                           VIR_IPTABLES_FWD_IN_CHAIN,
                           "--destination", networkstr,
                           "--out-interface", iface,
@@ -593,7 +605,7 @@ iptablesAddForwardAllowIn(virFirewall *fw,
                           const char *physdev)
 {
     return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
-                                  VIR_NETFILTER_INSERT);
+                                  IPTABLES_ACTION_INSERT);
 }
 
 /**
@@ -617,18 +629,18 @@ iptablesRemoveForwardAllowIn(virFirewall *fw,
                              const char *physdev)
 {
     return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev,
-                                  VIR_NETFILTER_DELETE);
+                                  IPTABLES_ACTION_DELETE);
 }
 
 static void
 iptablesForwardAllowCross(virFirewall *fw,
                           virFirewallLayer layer,
                           const char *iface,
-                          int action)
+                          iptablesAction action)
 {
     virFirewallAddCmd(fw, layer,
                       "--table", "filter",
-                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      iptablesActionTypeToString(action),
                       VIR_IPTABLES_FWD_X_CHAIN,
                       "--in-interface", iface,
                       "--out-interface", iface,
@@ -652,7 +664,7 @@ iptablesAddForwardAllowCross(virFirewall *fw,
                              virFirewallLayer layer,
                              const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT);
+    iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_INSERT);
 }
 
 /**
@@ -671,18 +683,18 @@ iptablesRemoveForwardAllowCross(virFirewall *fw,
                                 virFirewallLayer layer,
                                 const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE);
+    iptablesForwardAllowCross(fw, layer, iface, IPTABLES_ACTION_DELETE);
 }
 
 static void
 iptablesForwardRejectOut(virFirewall *fw,
                          virFirewallLayer layer,
                          const char *iface,
-                         int action)
+                         iptablesAction action)
 {
     virFirewallAddCmd(fw, layer,
                       "--table", "filter",
-                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      iptablesActionTypeToString(action),
                       VIR_IPTABLES_FWD_OUT_CHAIN,
                       "--in-interface", iface,
                       "--jump", "REJECT",
@@ -704,7 +716,7 @@ iptablesAddForwardRejectOut(virFirewall *fw,
                             virFirewallLayer layer,
                             const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT);
+    iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_INSERT);
 }
 
 /**
@@ -722,7 +734,7 @@ iptablesRemoveForwardRejectOut(virFirewall *fw,
                                virFirewallLayer layer,
                                const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE);
+    iptablesForwardRejectOut(fw, layer, iface, IPTABLES_ACTION_DELETE);
 }
 
 
@@ -730,11 +742,11 @@ static void
 iptablesForwardRejectIn(virFirewall *fw,
                         virFirewallLayer layer,
                         const char *iface,
-                        int action)
+                        iptablesAction action)
 {
     virFirewallAddCmd(fw, layer,
                       "--table", "filter",
-                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      iptablesActionTypeToString(action),
                       VIR_IPTABLES_FWD_IN_CHAIN,
                       "--out-interface", iface,
                       "--jump", "REJECT",
@@ -756,7 +768,7 @@ iptablesAddForwardRejectIn(virFirewall *fw,
                            virFirewallLayer layer,
                            const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT);
+    iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_INSERT);
 }
 
 /**
@@ -774,7 +786,7 @@ iptablesRemoveForwardRejectIn(virFirewall *fw,
                               virFirewallLayer layer,
                               const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE);
+    iptablesForwardRejectIn(fw, layer, iface, IPTABLES_ACTION_DELETE);
 }
 
 
@@ -789,7 +801,7 @@ iptablesForwardMasquerade(virFirewall *fw,
                           virSocketAddrRange *addr,
                           virPortRange *port,
                           const char *protocol,
-                          int action)
+                          iptablesAction action)
 {
     g_autofree char *networkstr = NULL;
     g_autofree char *addrStartStr = NULL;
@@ -816,7 +828,7 @@ iptablesForwardMasquerade(virFirewall *fw,
     if (protocol && protocol[0]) {
         fwCmd = virFirewallAddCmd(fw, layer,
                                   "--table", "nat",
-                                  action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                                  iptablesActionTypeToString(action),
                                   VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
                                   "--source", networkstr,
                                   "-p", protocol,
@@ -825,7 +837,7 @@ iptablesForwardMasquerade(virFirewall *fw,
     } else {
         fwCmd = virFirewallAddCmd(fw, layer,
                                   "--table", "nat",
-                                  action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                                  iptablesActionTypeToString(action),
                                   VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
                                   "--source", networkstr,
                                   "!", "--destination", networkstr,
@@ -900,7 +912,7 @@ iptablesAddForwardMasquerade(virFirewall *fw,
 {
     return iptablesForwardMasquerade(fw, netaddr, prefix,
                                      physdev, addr, port, protocol,
-                                     VIR_NETFILTER_INSERT);
+                                     IPTABLES_ACTION_INSERT);
 }
 
 /**
@@ -927,7 +939,7 @@ iptablesRemoveForwardMasquerade(virFirewall *fw,
 {
     return iptablesForwardMasquerade(fw, netaddr, prefix,
                                      physdev, addr, port, protocol,
-                                     VIR_NETFILTER_DELETE);
+                                     IPTABLES_ACTION_DELETE);
 }
 
 
@@ -940,7 +952,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
                               unsigned int prefix,
                               const char *physdev,
                               const char *destaddr,
-                              int action)
+                              iptablesAction action)
 {
     g_autofree char *networkstr = NULL;
     virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
@@ -952,7 +964,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
     if (physdev && physdev[0])
         virFirewallAddCmd(fw, layer,
                           "--table", "nat",
-                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          iptablesActionTypeToString(action),
                           VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
                           "--out-interface", physdev,
                           "--source", networkstr,
@@ -962,7 +974,7 @@ iptablesForwardDontMasquerade(virFirewall *fw,
     else
         virFirewallAddCmd(fw, layer,
                           "--table", "nat",
-                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          iptablesActionTypeToString(action),
                           VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
                           "--source", networkstr,
                           "--destination", destaddr,
@@ -994,7 +1006,7 @@ iptablesAddDontMasquerade(virFirewall *fw,
                           const char *destaddr)
 {
     return iptablesForwardDontMasquerade(fw, netaddr, prefix,
-                                         physdev, destaddr, VIR_NETFILTER_INSERT);
+                                         physdev, destaddr, IPTABLES_ACTION_INSERT);
 }
 
 /**
@@ -1020,7 +1032,7 @@ iptablesRemoveDontMasquerade(virFirewall *fw,
 {
     return iptablesForwardDontMasquerade(fw, netaddr, prefix,
                                          physdev, destaddr,
-                                         VIR_NETFILTER_DELETE);
+                                         IPTABLES_ACTION_DELETE);
 }
 
 
@@ -1028,13 +1040,13 @@ static void
 iptablesOutputFixUdpChecksum(virFirewall *fw,
                              const char *iface,
                              int port,
-                             int action)
+                             iptablesAction action)
 {
     g_autofree char *portstr = g_strdup_printf("%d", port);
 
     virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
                       "--table", "mangle",
-                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      iptablesActionTypeToString(action),
                       VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
                       "--out-interface", iface,
                       "--protocol", "udp",
@@ -1059,7 +1071,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw,
                                 const char *iface,
                                 int port)
 {
-    iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT);
+    iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_INSERT);
 }
 
 /**
@@ -1076,7 +1088,7 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw,
                                    const char *iface,
                                    int port)
 {
-    iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE);
+    iptablesOutputFixUdpChecksum(fw, iface, port, IPTABLES_ACTION_DELETE);
 }
 
 
-- 
2.45.0




