[RFC PATCHv2 6/9] support addRules


 



This patch adds the capability of adding individual rules to existing chains.

Signed-off-by: David L Stevens <dlstevens@xxxxxxxxxx>
---
 src/conf/nwfilter_conf.h                  |    6 ++
 src/nwfilter/nwfilter_ebiptables_driver.c |   73 +++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+), 0 deletions(-)

diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 4348378..12d1e0f 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -540,6 +540,11 @@ typedef int (*virNWFilterRuleTeardownNewRules)(virConnectPtr conn,
 typedef int (*virNWFilterRuleTeardownOldRules)(virConnectPtr conn,
                                                const char *ifname);
 
+typedef int (*virNWFilterRuleAddRules)(virConnectPtr conn,
+                                       const char *ifname,
+                                       int nruleInstances,
+                                       void **_inst);
+
 typedef int (*virNWFilterRuleRemoveRules)(virConnectPtr conn,
                                           const char *ifname,
                                           int nruleInstances,
@@ -580,6 +585,7 @@ struct _virNWFilterTechDriver {
     virNWFilterRuleApplyNewRules applyNewRules;
     virNWFilterRuleTeardownNewRules tearNewRules;
     virNWFilterRuleTeardownOldRules tearOldRules;
+    virNWFilterRuleAddRules addRules;
     virNWFilterRuleRemoveRules removeRules;
     virNWFilterRuleAllTeardown allTeardown;
     virNWFilterRuleFreeInstanceData freeRuleInstance;
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 918625c..1169e5a 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -3695,6 +3695,78 @@ err_exit:
     return rc;
 }
 
+/**
+ * ebiptablesAddRules:
+ * @conn : pointer to virConnect object
+ * @ifname : the name of the interface to which the rules apply
+ * @nRuleInstance : the number of given rules
+ * @_inst : array of rule instantiation data
+ *
+ * Add all rules one after the other
+ *
+ * Return 0 on success, 1 if execution of one or more cleanup
+ * commands failed.
+ */
+static int
+ebiptablesAddRules(virConnectPtr conn,
+                      const char *ifname,
+                      int nruleInstances,
+                      void **_inst)
+{
+    int i;
+    int cli_status;
+    ebiptablesRuleInstPtr *inst = (ebiptablesRuleInstPtr *)_inst;
+    virBuffer buf = VIR_BUFFER_INITIALIZER;
+    bool haveIptables = false;
+    bool haveIp6tables = false;
+
+    for (i = 0; i < nruleInstances; i++) {
+        sa_assert (inst);
+        switch (inst[i]->ruleType) {
+        case RT_EBTABLES:
+            ebiptablesInstCommand(&buf,
+                                  inst[i]->commandTemplate,
+                                  'A', -1, 1);
+        break;
+        case RT_IPTABLES:
+            if (inst[i]->ruleType == RT_IPTABLES)
+                iptablesInstCommand(&buf,
+                                    inst[i]->commandTemplate,
+                                    'A', -1, 1);
+            haveIptables = true;
+        break;
+        case RT_IP6TABLES:
+            if (inst[i]->ruleType == RT_IP6TABLES)
+                iptablesInstCommand(&buf,
+                                    inst[i]->commandTemplate,
+                                    'A', -1, 1);
+            haveIp6tables = true;
+        break;
+        }
+    }
+
+    if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0)
+        goto err_exit;
+
+    if (haveIptables)
+        iptablesCheckBridgeNFCallEnabled(false);
+
+    if (haveIp6tables)
+        iptablesCheckBridgeNFCallEnabled(true);
+
+    return 0;
+
+err_exit:
+    (void) ebiptablesRemoveRules(conn, ifname, nruleInstances, _inst);
+
+    virNWFilterReportError(VIR_ERR_BUILD_FIREWALL,
+                           _("Some rules could not be created for "
+                             "interface %s."),
+                           ifname);
+
+    return 1;
+}
+
 
 /**
  * ebiptablesAllTeardown:
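Review bot: The header comment on ebiptablesAddRules documents the wrong failure mode — `Return 0 on success, 1 if execution of one or more cleanup commands failed.` describes a teardown routine, whereas this function returns 1 when the ebiptablesExecCLI run of the 'A' commands fails (after which it rolls back through ebiptablesRemoveRules), and it names the parameter `@nRuleInstance` while the signature says `nruleInstances`. Suggested wording: `Return 0 on success, 1 if one or more of the append commands failed; on failure all given rules are removed again via ebiptablesRemoveRules.` The inner `if (inst[i]->ruleType == RT_IPTABLES)` and `if (inst[i]->ruleType == RT_IP6TABLES)` tests are always true inside their own case labels and can be dropped, and a `default:` arm (or a one-line comment) would make explicit that an unknown ruleType is silently skipped rather than treated as an error. Because every command is emitted with 'A', a rule appended to a chain that already ends in a terminal accept/drop rule will never be evaluated — if callers expect these rules to take effect, that ordering dependency should be checked by the caller or at least documented here.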
@@ -3751,6 +3823,7 @@ virNWFilterTechDriver ebiptables_driver = {
     .tearNewRules        = ebiptablesTearNewRules,
     .tearOldRules        = ebiptablesTearOldRules,
     .allTeardown         = ebiptablesAllTeardown,
+    .addRules            = ebiptablesAddRules,
     .removeRules         = ebiptablesRemoveRules,
     .freeRuleInstance    = ebiptablesFreeRuleInstance,
     .displayRuleInstance = ebiptablesDisplayRuleInstance,
-- 
1.7.6.4


