On 11/26/24 04:24, Laine Stump wrote:
> If the layer of a virFirewallCmd is "tc", then the "tc" utility will
> be executed using the arguments that had been added to the
> virFirewallCmd
>
> tc layer doesn't support auto-rollback command creation (any rollback
> needs to be added manually with virFirewallAddRollbackCmd()), and also
> tc layer isn't supported by the iptables backend (it would have been
> straightforward to add, but the iptables backend doesn't need it, and
> I didn't want to take the chance of causing a regression in that
> code for no good reason).
>
> Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
> ---
> src/network/network_nftables.c | 1 +
> src/util/virfirewall.c | 66 +++++++++++++++++++++-------------
> src/util/virfirewall.h | 1 +
> src/util/virfirewalld.c | 1 +
> 4 files changed, 44 insertions(+), 25 deletions(-)
>
> diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
> index f8b5ab665d..b3605bd40e 100644
> --- a/src/network/network_nftables.c
> +++ b/src/network/network_nftables.c
> @@ -73,6 +73,7 @@ VIR_ENUM_IMPL(nftablesLayer,
> "",
> "ip",
> "ip6",
> + "",
> );
>
>
> diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
> index 811b787ecc..754bc18162 100644
> --- a/src/util/virfirewall.c
> +++ b/src/util/virfirewall.c
> @@ -47,6 +47,7 @@ VIR_ENUM_IMPL(virFirewallLayer,
> "ethernet",
> "ipv4",
> "ipv6",
> + "tc",
> );
>
> typedef struct _virFirewallGroup virFirewallGroup;
> @@ -57,6 +58,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand,
> EBTABLES,
> IPTABLES,
> IP6TABLES,
> + TC,
> );
>
> struct _virFirewallCmd {
> @@ -591,6 +593,7 @@ virFirewallCmdIptablesApply(virFirewall *firewall,
> case VIR_FIREWALL_LAYER_IPV6:
> virCommandAddArg(cmd, "-w");
> break;
> + case VIR_FIREWALL_LAYER_TC:
> case VIR_FIREWALL_LAYER_LAST:
> break;
> }
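Review bot: The `""` entry added to `VIR_ENUM_IMPL(nftablesLayer, ...)` in src/network/network_nftables.c carries no comment saying it is the slot for the new tc layer, and it is textually identical to the `""` entry that precedes `"ip"`, so a reader cannot tell the two placeholders apart. A trailing comment such as `"", /* VIR_FIREWALL_LAYER_TC: run via tc, has no nftables family */` would record the intent. If any code outside this hunk converts a layer to an nft family string through this enum, a tc-layer value would produce an empty family name, so it is worth confirming that those paths never receive VIR_FIREWALL_LAYER_TC.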
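Review bot: In virFirewallCmdIptablesApply (hunk at -591 of src/util/virfirewall.c) the new `case VIR_FIREWALL_LAYER_TC:` shares the no-op `break` with VIR_FIREWALL_LAYER_LAST, so this switch does nothing to reject a tc-layer command that reaches the iptables backend. The commit message says the tc layer is not supported by that backend, yet the hunk at -57 now maps the layer to the `TC` binary in virFirewallLayerCommand; unless a check outside this hunk refuses it first, such a command would presumably carry on to execution rather than fail with a clear error. An explicit failure makes the unsupported combination visible when firewall rules are applied, for example `case VIR_FIREWALL_LAYER_TC:` followed by `virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s", _("tc layer is not supported by the iptables backend"));` and `return -1;`. The function starts and ends outside the hunk, so the return convention and cleanup of `cmd` need checking against the surrounding code.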
> @@ -672,39 +675,52 @@ virFirewallCmdNftablesApply(virFirewall *firewall G_GNUC_UNUSED,
> size_t i;
> int status;
>
> - cmd = virCommandNew(NFT);
> + if (fwCmd->layer == VIR_FIREWALL_LAYER_TC) {
>
> - if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) &&
> - fwCmd->argsLen > 1) {
> - /* skip any leading options to get to command verb */
> - for (i = 0; i < fwCmd->argsLen - 1; i++) {
> - if (fwCmd->args[i][0] != '-')
> - break;
> - }
> + /* for VIR_FIREWALL_LAYER_TC, we run the 'tc' (traffic control) command with
> + * the supplied args.
> + */
> + cmd = virCommandNew(TC);
Alignment.
Michal