This patch extends the NWFilter driver for Linux (ebiptables) to create rules for each member of a previously introduced list. If for example an attribute value (internally) looks like this: IP = [10.0.0.1, 10.0.0.2, 10.0.0.3] then 3 rules will be generated for a rule accessing the variable 'IP', one for each member of the list. The effect of this is that this now allows for filtering for multiple values in one field. This can then be used to support for filtering/allowing of multiple IP addresses per interface. An interator is introduced that extracts each member of a list and puts it into a hash table which then is passed to the function creating a rule. For the above example the iterator would cause 3 loops. v2: - pass the iterator all the way to the function that accesses the hash table and provide a function to pick the value of a variable that is reflected by the current state of the iterator Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> --- src/conf/nwfilter_params.c | 129 ++++++++++++++++++++++++++++++ src/conf/nwfilter_params.h | 25 +++++ src/libvirt_private.syms | 4 src/nwfilter/nwfilter_ebiptables_driver.c | 84 +++++++++++++------ 4 files changed, 215 insertions(+), 27 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -192,7 +192,7 @@ static const struct ushort_map l3_protoc static int -printVar(virNWFilterHashTablePtr vars, +printVar(virNWFilterVarCombIterPtr vars, char *buf, int bufsize, nwItemDescPtr item, int *done) @@ -200,22 +200,11 @@ printVar(virNWFilterHashTablePtr vars, *done = 0; if ((item->flags & NWFILTER_ENTRY_ITEM_FLAG_HAS_VAR)) { - virNWFilterVarValuePtr varval; const char *val; - varval = virHashLookup(vars->hashTable, item->var); - if (!varval) { - virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, - _("cannot find value for '%s'"), - item->var); - return 1; - } - - val = virNWFilterVarValueGetSimple(varval); + val = virNWFilterVarCombIterGetVarValue(vars, item->var); if (!val) { - virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, - _("cannot get simple value of '%s'"), - item->var); + /* error has been reported */ return 1; } @@ -234,7 +223,7 @@ printVar(virNWFilterHashTablePtr vars, static int -_printDataType(virNWFilterHashTablePtr vars, +_printDataType(virNWFilterVarCombIterPtr vars, char *buf, int bufsize, nwItemDescPtr item, bool asHex) @@ -329,7 +318,7 @@ _printDataType(virNWFilterHashTablePtr v static int -printDataType(virNWFilterHashTablePtr vars, +printDataType(virNWFilterVarCombIterPtr vars, char *buf, int bufsize, nwItemDescPtr item) { @@ -338,7 +327,7 @@ printDataType(virNWFilterHashTablePtr va static int -printDataTypeAsHex(virNWFilterHashTablePtr vars, +printDataTypeAsHex(virNWFilterVarCombIterPtr vars, char *buf, int bufsize, nwItemDescPtr item) { @@ -406,7 +395,7 @@ ebiptablesAddRuleInst(virNWFilterRuleIns static int ebtablesHandleEthHdr(virBufferPtr buf, - virNWFilterHashTablePtr vars, + virNWFilterVarCombIterPtr vars, ethHdrDataDefPtr ethHdr, bool reverse) { @@ -884,7 +873,7 @@ iptablesInstCommand(virBufferPtr buf, static int iptablesHandleSrcMacAddr(virBufferPtr buf, - virNWFilterHashTablePtr vars, + virNWFilterVarCombIterPtr vars, nwItemDescPtr srcMacAddr, int directionIn, bool *srcmacskipped) @@ -921,7 +910,7 @@ err_exit: static int iptablesHandleIpHdr(virBufferPtr buf, virBufferPtr afterStateMatch, - virNWFilterHashTablePtr vars, + virNWFilterVarCombIterPtr vars, ipHdrDataDefPtr ipHdr, int directionIn, bool *skipRule, bool *skipMatch, @@ -1095,7 +1084,7 @@ err_exit: static int iptablesHandlePortData(virBufferPtr buf, - virNWFilterHashTablePtr vars, + virNWFilterVarCombIterPtr vars, portDataDefPtr portData, int directionIn) { @@ -1201,7 +1190,7 @@ _iptablesCreateRuleInstance(int directio virNWFilterDefPtr nwfilter, virNWFilterRuleDefPtr rule, const char *ifname, - virNWFilterHashTablePtr vars, + virNWFilterVarCombIterPtr vars, virNWFilterRuleInstPtr res, const char *match, bool defMatch, const char *accept_target, @@ -1687,7 +1676,7 @@ static int iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter, virNWFilterRuleDefPtr rule, const char *ifname, - virNWFilterHashTablePtr vars, + virNWFilterVarCombIterPtr vars, virNWFilterRuleInstPtr res, bool isIPv6) { @@ -1812,7 +1801,7 @@ static int iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter, virNWFilterRuleDefPtr rule, const char *ifname, - virNWFilterHashTablePtr vars, + virNWFilterVarCombIterPtr vars, virNWFilterRuleInstPtr res, bool isIPv6) { @@ -1937,7 +1926,7 @@ ebtablesCreateRuleInstance(char chainPre virNWFilterDefPtr nwfilter, virNWFilterRuleDefPtr rule, const char *ifname, - virNWFilterHashTablePtr vars, + virNWFilterVarCombIterPtr vars, virNWFilterRuleInstPtr res, bool reverse) { @@ -2429,7 +2418,7 @@ ebiptablesCreateRuleInstance(virConnectP virNWFilterDefPtr nwfilter, virNWFilterRuleDefPtr rule, const char *ifname, - virNWFilterHashTablePtr vars, + virNWFilterVarCombIterPtr vars, virNWFilterRuleInstPtr res) { int rc = 0; @@ -2513,6 +2502,47 @@ ebiptablesCreateRuleInstance(virConnectP return rc; } +static int +ebiptablesCreateRuleInstanceCombinations( + virConnectPtr conn ATTRIBUTE_UNUSED, + enum virDomainNetType nettype ATTRIBUTE_UNUSED, + virNWFilterDefPtr nwfilter, + virNWFilterRuleDefPtr rule, + const char *ifname, + virNWFilterHashTablePtr vars, + virNWFilterRuleInstPtr res) +{ + int rc = 0; + virNWFilterVarCombIterPtr vciter; + unsigned int loop_limit = 10; + + /* rule->vars holds all the variables names that this rule will access. + * iterate over all combinations of the variables' values and instantiate + * the filtering rule with each combination. + */ + vciter = virNWFilterVarCombIterCreate(vars, rule->vars, rule->nvars, + loop_limit); + if (!vciter) { + return 1; + } + + do { + rc = ebiptablesCreateRuleInstance(conn, + nettype, + nwfilter, + rule, + ifname, + vciter, + res); + if (rc) + break; + vciter = virNWFilterVarCombIterNext(vciter); + } while (vciter != NULL); + + virNWFilterVarCombIterFree(vciter); + + return rc; +} static int ebiptablesFreeRuleInstance(void *_inst) @@ -3896,7 +3926,7 @@ virNWFilterTechDriver ebiptables_driver .init = ebiptablesDriverInit, .shutdown = ebiptablesDriverShutdown, - .createRuleInstance = ebiptablesCreateRuleInstance, + .createRuleInstance = ebiptablesCreateRuleInstanceCombinations, .applyNewRules = ebiptablesApplyNewRules, .tearNewRules = ebiptablesTearNewRules, .tearOldRules = ebiptablesTearOldRules, Index: libvirt-acl/src/conf/nwfilter_params.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_params.c +++ libvirt-acl/src/conf/nwfilter_params.c @@ -288,6 +288,135 @@ virNWFilterVarValueAddValue(virNWFilterV return rc; } +void +virNWFilterVarCombIterFree(virNWFilterVarCombIterPtr ci) +{ + if (!ci) + return; + + VIR_FREE(ci); +} + +virNWFilterVarCombIterPtr +virNWFilterVarCombIterCreate(virNWFilterHashTablePtr hash, + char * const *vars, unsigned int nVars, + unsigned int loop_limit) +{ + virNWFilterVarCombIterPtr res; + virNWFilterVarValuePtr varVal; + unsigned int i; + unsigned int loops = 1; + + if (VIR_ALLOC_VAR(res, virNWFilterVarCombEntry, nVars) < 0) { + virReportOOMError(); + return NULL; + } + + res->nEntries = nVars; + res->hashTable = hash; + + for (i = 0; i < nVars; i++) { + varVal = virHashLookup(hash->hashTable, vars[i]); + if (varVal == NULL) { + virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not find value for variable '%s'"), + vars[i]); + goto err_exit; + } + + res->entry[i].key = vars[i]; + res->entry[i].cardinality = virNWFilterVarValueGetCardinality(varVal); + + loops *= res->entry[i].cardinality; + if (loop_limit && loops > loop_limit) { + virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, + _("Lists sizes are too big and would cause " + "the iterator to exceep the maximum number" + "of loops (%u)"), loop_limit); + goto err_exit; + } + } + + return res; + +err_exit: + virNWFilterVarCombIterFree(res); + return NULL; +} + +virNWFilterVarCombIterPtr +virNWFilterVarCombIterNext(virNWFilterVarCombIterPtr ci) +{ + unsigned int i; + + if ((ci->nEntries == 0) || + (ci->nEntries == 1 && ci->entry[0].cardinality == 1)) { + virNWFilterVarCombIterFree(ci); + return NULL; + } + + for (i = 0; i < ci->nEntries; i++) { + if (ci->entry[i].cardinality == 1) + continue; + + ci->entry[i].idx++; + if (ci->entry[i].idx < ci->entry[i].cardinality) + break; + else + ci->entry[i].idx = 0; + } + + if (ci->nEntries == i) { + virNWFilterVarCombIterFree(ci); + return NULL; + } + + return ci; +} + +const char * +virNWFilterVarCombIterGetVarValue(virNWFilterVarCombIterPtr ci, + const char *varname) +{ + unsigned int i; + bool found = false; + const char *res = NULL; + virNWFilterVarValuePtr value; + + for (i = 0; i < ci->nEntries; i++) { + if (STREQ(ci->entry[i].key, varname)) { + found = true; + break; + } + } + + if (!found) { + virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not find variable '%s' in iterator"), + varname); + return NULL; + } + + value = virHashLookup(ci->hashTable->hashTable, varname); + if (!value) { + virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not find value for variable '%s'"), + varname); + return NULL; + } + + res = virNWFilterVarValueGetNthValue(value, ci->entry[i].idx); + if (!res) { + virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not get nth (%u) value of " + "variable '%s'"), + ci->entry[i].idx, varname); + return NULL; + } + + return res; +} + static void hashDataFree(void *payload, const void *name ATTRIBUTE_UNUSED) { Index: libvirt-acl/src/conf/nwfilter_params.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_params.h +++ libvirt-acl/src/conf/nwfilter_params.h @@ -91,4 +91,29 @@ int virNWFilterHashTablePutAll(virNWFilt # define VALID_VARVALUE \ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.:" +typedef struct _virNWFilterVarCombEntry virNWFilterVarCombEntry; +struct _virNWFilterVarCombEntry { + const char *key; + unsigned int idx; + unsigned int cardinality; +}; + +typedef struct _virNWFilterVarCombIter virNWFilterVarCombIter; +typedef virNWFilterVarCombIter *virNWFilterVarCombIterPtr; +struct _virNWFilterVarCombIter { + virNWFilterHashTablePtr hashTable; + unsigned int nEntries; + virNWFilterVarCombEntry entry[1]; +}; +virNWFilterVarCombIterPtr virNWFilterVarCombIterCreate( + virNWFilterHashTablePtr hash, + char * const *vars, unsigned int nVars, + unsigned int loop_limit); + +void virNWFilterVarCombIterFree(virNWFilterVarCombIterPtr ci); +virNWFilterVarCombIterPtr virNWFilterVarCombIterNext( + virNWFilterVarCombIterPtr ci); +const char *virNWFilterVarCombIterGetVarValue(virNWFilterVarCombIterPtr ci, + const char *varname); + #endif /* NWFILTER_PARAMS_H */ Index: libvirt-acl/src/libvirt_private.syms =================================================================== --- libvirt-acl.orig/src/libvirt_private.syms +++ libvirt-acl/src/libvirt_private.syms @@ -881,6 +881,10 @@ virNWFilterHashTableFree; virNWFilterHashTablePut; virNWFilterHashTablePutAll; virNWFilterHashTableRemoveEntry; +virNWFilterVarCombIterCreate; +virNWFilterVarCombIterFree; +virNWFilterVarCombIterGetVarValue; +virNWFilterVarCombIterNext; virNWFilterVarValueCreateSimple; virNWFilterVarValueGetSimple; virNWFilterVarValuePrint; -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list