[PATCH V4 02/10] Introduce an internal priority for chains


 



For better handling of the sorting of chains introduce an internally used
priority. Use a lookup table to store the priorities. For now their actual
values do not matter; what matters is that the values cause the chains to be
properly sorted through the changes in the following patches. However, the values are
chosen as negative so that once they are sorted along with filtering rules
(whose priority may only be positive for now) they will always be instantiated
before them (lower values cause instantiation before higher values). This
is done to maintain backwards compatibility.

v3:
 - increased filter priorities to have more room before them

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>

---
 src/conf/nwfilter_conf.c                  |   14 ++++++++++++++
 src/conf/nwfilter_conf.h                  |   12 ++++++++++++
 src/nwfilter/nwfilter_ebiptables_driver.c |    4 ++++
 src/nwfilter/nwfilter_ebiptables_driver.h |    1 +
 4 files changed, 31 insertions(+)

Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -357,8 +357,18 @@ enum virNWFilterEbtablesTableType {
 };
 
 
+# define MIN_RULE_PRIORITY  0
 # define MAX_RULE_PRIORITY  1000
 
+# define NWFILTER_MIN_FILTER_PRIORITY -1000
+# define NWFILTER_MAX_FILTER_PRIORITY MAX_RULE_PRIORITY
+
+# define NWFILTER_ROOT_FILTER_PRI 0
+# define NWFILTER_IPV4_FILTER_PRI -700
+# define NWFILTER_IPV6_FILTER_PRI -600
+# define NWFILTER_ARP_FILTER_PRI  -500
+# define NWFILTER_RARP_FILTER_PRI -400
+
 enum virNWFilterRuleFlags {
     RULE_FLAG_NO_STATEMATCH      = (1 << 0),
     RULE_FLAG_STATE_NEW          = (1 << 1),
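Review bot: The new priority macros carry no comment stating the ordering contract that the commit message relies on, so a reader of nwfilter_conf.h cannot tell why the chain values are negative or that a lower value is instantiated first. Suggest a comment above `NWFILTER_MIN_FILTER_PRIORITY`: `/* Chain priorities: lower values are instantiated first. Built-in chains use negative values so they precede filtering rules, whose priorities lie in [MIN_RULE_PRIORITY, MAX_RULE_PRIORITY]. */`. Note that `NWFILTER_ROOT_FILTER_PRI` is 0, the same value as `MIN_RULE_PRIORITY`, so the root chain does not strictly precede a rule of priority 0 under that contract; if that is intentional it is worth saying in the same comment.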
@@ -436,6 +446,7 @@ enum virNWFilterChainSuffixType {
     VIR_NWFILTER_CHAINSUFFIX_LAST,
 };
 
+typedef int32_t virNWFilterChainPriority;
 
 typedef struct _virNWFilterDef virNWFilterDef;
 typedef virNWFilterDef *virNWFilterDefPtr;
@@ -445,6 +456,7 @@ struct _virNWFilterDef {
     unsigned char uuid[VIR_UUID_BUFLEN];
 
     int chainsuffix; /*enum virNWFilterChainSuffixType */
+    virNWFilterChainPriority chainPriority;
 
     int nentries;
     virNWFilterEntryPtr *filterEntries;
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -124,6 +124,14 @@ struct int_map {
 #define INTMAP_ENTRY(ATT, VAL) { .attr = ATT, .val = VAL }
 #define INTMAP_ENTRY_LAST      { .val = NULL }
 
+static const struct int_map chain_priorities[] = {
+    INTMAP_ENTRY(NWFILTER_ROOT_FILTER_PRI, "root"),
+    INTMAP_ENTRY(NWFILTER_IPV4_FILTER_PRI, "ipv4"),
+    INTMAP_ENTRY(NWFILTER_IPV6_FILTER_PRI, "ipv6"),
+    INTMAP_ENTRY(NWFILTER_ARP_FILTER_PRI , "arp" ),
+    INTMAP_ENTRY(NWFILTER_RARP_FILTER_PRI, "rarp"),
+    INTMAP_ENTRY_LAST,
+};
 
 /*
  * only one filter update allowed
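Review bot: `chain_priorities` keys the priority off the chain-suffix name string, so it must be kept in sync by hand with the names accepted for `virNWFilterChainSuffixType`; nothing in this table ties the two together, and a suffix added later without an entry here is accepted with no priority of its own. A comment on the table would make the coupling visible: `/* Must list every chain suffix name accepted by virNWFilterDefParseXML; a name missing here falls back to the midpoint priority. */`. The `arp` entry also has stray spaces before the comma and the closing parenthesis (`NWFILTER_ARP_FILTER_PRI , "arp" )`) that the other entries do not.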
@@ -2030,6 +2038,12 @@ virNWFilterDefParseXML(xmlXPathContextPt
                                    _("unknown chain suffix '%s'"), chain);
             goto cleanup;
         }
+        /* assign an implicit priority -- support XML attribute later */
+        if (intMapGetByString(chain_priorities, chain, 0,
+                              &ret->chainPriority) == false) {
+            ret->chainPriority = (NWFILTER_MAX_FILTER_PRIORITY +
+                                  NWFILTER_MIN_FILTER_PRIORITY) / 2;
+        }
     }
 
     uuid = virXPathString("string(./uuid)", ctxt);
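Review bot: The fallback `(NWFILTER_MAX_FILTER_PRIORITY + NWFILTER_MIN_FILTER_PRIORITY) / 2` evaluates to 0 with the values this patch defines, which is exactly `NWFILTER_ROOT_FILTER_PRI`, so a chain suffix that passed the check just above but has no `chain_priorities` entry is silently ordered as if it were the root chain. Since the suffix has already been validated, a miss here can only mean the table is out of sync with the accepted suffix names, which deserves at least a log line (libvirt's `VIR_WARN` would fit) rather than a silent default. Stylistically the surrounding code tests booleans directly, so `if (!intMapGetByString(chain_priorities, chain, 0, &ret->chainPriority)) {` reads more consistently than the `== false` comparison. The enclosing virNWFilterDefParseXML continues outside the hunk.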
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.h
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
@@ -36,6 +36,7 @@ typedef ebiptablesRuleInst *ebiptablesRu
 struct _ebiptablesRuleInst {
     char *commandTemplate;
     enum virNWFilterChainSuffixType neededProtocolChain;
+    virNWFilterChainPriority chainPriority;
     char chainprefix;    /* I for incoming, O for outgoing */
     unsigned int priority;
     enum RuleType ruleType;
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -327,6 +327,7 @@ static int
 ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
                       char *commandTemplate,
                       enum virNWFilterChainSuffixType neededChain,
+                      virNWFilterChainPriority chainPriority,
                       char chainprefix,
                       unsigned int priority,
                       enum RuleType ruleType)
@@ -340,6 +341,7 @@ ebiptablesAddRuleInst(virNWFilterRuleIns
 
     inst->commandTemplate = commandTemplate;
     inst->neededProtocolChain = neededChain;
+    inst->chainPriority = chainPriority;
     inst->chainprefix = chainprefix;
     inst->priority = priority;
     inst->ruleType = ruleType;
@@ -1588,6 +1590,7 @@ _iptablesCreateRuleInstance(int directio
     return ebiptablesAddRuleInst(res,
                                  virBufferContentAndReset(final),
                                  nwfilter->chainsuffix,
+                                 nwfilter->chainPriority,
                                  '\0',
                                  rule->priority,
                                  (isIPv6) ? RT_IP6TABLES : RT_IPTABLES);
@@ -2337,6 +2340,7 @@ ebtablesCreateRuleInstance(char chainPre
     return ebiptablesAddRuleInst(res,
                                  virBufferContentAndReset(&buf),
                                  nwfilter->chainsuffix,
+                                 nwfilter->chainPriority,
                                  chainPrefix,
                                  rule->priority,
                                  RT_EBTABLES);


