[PATCH V2 2/2] nwfilter: provide basic support for firewalld

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This patch provides basic support for using firewalld's firewall-cmd
rather than then plain eb/ip(6)tables commands.

---
 src/Makefile.am                           |    4 
 src/conf/nwfilter_conf.h                  |    1 
 src/libvirt_private.syms                  |    4 
 src/nwfilter/nwfilter_driver.c            |  172 ++++++++++++++++++++++++++++--
 src/nwfilter/nwfilter_driver.h            |    2 
 src/nwfilter/nwfilter_ebiptables_driver.c |  144 +++++++++++++++++++++----
 6 files changed, 292 insertions(+), 35 deletions(-)

Index: libvirt-firewalld/src/Makefile.am
===================================================================
--- libvirt-firewalld.orig/src/Makefile.am
+++ libvirt-firewalld/src/Makefile.am
@@ -1149,9 +1149,9 @@ noinst_LTLIBRARIES += libvirt_driver_nwf
 #libvirt_la_BUILT_LIBADD += libvirt_driver_nwfilter.la
 endif
 libvirt_driver_nwfilter_la_CFLAGS = $(LIBPCAP_CFLAGS) \
-		-I$(top_srcdir)/src/conf $(LIBNL_CFLAGS) $(AM_CFLAGS)
+		-I$(top_srcdir)/src/conf $(LIBNL_CFLAGS) $(AM_CFLAGS) $(DBUS_CFLAGS)
 libvirt_driver_nwfilter_la_LDFLAGS = $(LD_AMFLAGS)
-libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS)
+libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) $(DBUS_LIBS)
 if WITH_DRIVER_MODULES
 libvirt_driver_nwfilter_la_LIBADD += ../gnulib/lib/libgnu.la
 libvirt_driver_nwfilter_la_LDFLAGS += -module -avoid-version
Index: libvirt-firewalld/src/nwfilter/nwfilter_driver.c
===================================================================
--- libvirt-firewalld.orig/src/nwfilter/nwfilter_driver.c
+++ libvirt-firewalld/src/nwfilter/nwfilter_driver.c
@@ -27,6 +27,9 @@
 
 #include <config.h>
 
+#include "virdbus.h"
+#include "logging.h"
+
 #include "internal.h"
 
 #include "virterror_internal.h"
@@ -45,10 +48,24 @@
 
 #define VIR_FROM_THIS VIR_FROM_NWFILTER
 
+#define DBUS_RULE_FWD_NAMEOWNERCHANGED \
+    "type='signal'" \
+    ",interface='"DBUS_INTERFACE_DBUS"'" \
+    ",member='NameOwnerChanged'" \
+    ",arg0='org.fedoraproject.FirewallD1'"
+
+#define DBUS_RULE_FWD_RELOADED \
+    "type='signal'" \
+    ",interface='org.fedoraproject.FirewallD1'" \
+    ",member='Reloaded'"
+
+
 static virNWFilterDriverStatePtr driverState;
 
 static int nwfilterDriverShutdown(void);
 
+static int nwfilterDriverReload(void);
+
 static void nwfilterDriverLock(virNWFilterDriverStatePtr driver)
 {
     virMutexLock(&driver->lock);
@@ -58,6 +75,89 @@ static void nwfilterDriverUnlock(virNWFi
     virMutexUnlock(&driver->lock);
 }
 
+#if HAVE_FIREWALLD
+
+static DBusHandlerResult
+nwfilterFirewalldDBusFilter(DBusConnection *connection ATTRIBUTE_UNUSED,
+                            DBusMessage *message,
+                            void *user_data ATTRIBUTE_UNUSED)
+{
+    if (dbus_message_is_signal(message, DBUS_INTERFACE_DBUS,
+                               "NameOwnerChanged") ||
+        dbus_message_is_signal(message, "org.fedoraproject.FirewallD1",
+                               "Reloaded")) {
+        VIR_DEBUG("Reload in nwfilter_driver because of firewalld.");
+        nwfilterDriverReload();
+    }
+
+    return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
+}
+
+static void
+nwfilterDriverRemoveDBusMatches(void)
+{
+    DBusConnection *sysbus;
+
+    sysbus = virDBusGetSystemBus();
+    if (sysbus) {
+        dbus_bus_remove_match(sysbus,
+                              DBUS_RULE_FWD_NAMEOWNERCHANGED,
+                              NULL);
+        dbus_bus_remove_match(sysbus,
+                              DBUS_RULE_FWD_RELOADED,
+                              NULL);
+        dbus_connection_remove_filter(sysbus, nwfilterFirewalldDBusFilter, NULL);
+    }
+}
+
+/**
+ * virNWFilterDriverInstallDBusMatches
+ *
+ * Startup DBus matches for monitoring the state of firewalld
+ */
+static int
+nwfilterDriverInstallDBusMatches(DBusConnection *sysbus)
+{
+    int ret = 0;
+
+    if (!sysbus) {
+        ret = -1;
+    } else {
+        /* add matches for
+         * NameOwnerChanged on org.freedesktop.DBus for firewalld start/stop
+         * Reloaded on org.fedoraproject.FirewallD1 for firewalld reload
+         */
+        dbus_bus_add_match(sysbus,
+                           DBUS_RULE_FWD_NAMEOWNERCHANGED,
+                           NULL);
+        dbus_bus_add_match(sysbus,
+                           DBUS_RULE_FWD_RELOADED,
+                           NULL);
+        if (!dbus_connection_add_filter(sysbus, nwfilterFirewalldDBusFilter,
+                                        NULL, NULL)) {
+            VIR_WARN(("Adding a filter to the DBus connection failed"));
+            nwfilterDriverRemoveDBusMatches();
+            ret =  -1;
+        }
+    }
+
+    return ret;
+}
+
+#else /* HAVE_FIREWALLD */
+
+static void
+nwfilterDriverRemoveDBusMatches(void)
+{
+}
+
+static int
+nwfilterDriverInstallDBusMatches(DBusConnection *sysbus ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
+#endif /* HAVE_FIREWALLD */
 
 /**
  * virNWFilterStartup:
@@ -65,14 +165,24 @@ static void nwfilterDriverUnlock(virNWFi
  * Initialization function for the QEmu daemon
  */
 static int
-nwfilterDriverStartup(int privileged) {
+nwfilterDriverStartup(int privileged)
+{
     char *base = NULL;
+    DBusConnection *sysbus = virDBusGetSystemBus();
+
+    if (VIR_ALLOC(driverState) < 0)
+        goto alloc_err_exit;
+
+    if (virMutexInit(&driverState->lock) < 0)
+        goto err_free_driverstate;
+
+    driverState->watchingFirewallD = (sysbus != NULL);
 
     if (!privileged)
         return 0;
 
     if (virNWFilterIPAddrMapInit() < 0)
-        return -1;
+        goto err_free_driverstate;
     if (virNWFilterLearnInit() < 0)
         goto err_exit_ipaddrmapshutdown;
     if (virNWFilterDHCPSnoopInit() < 0)
@@ -81,16 +191,26 @@ nwfilterDriverStartup(int privileged) {
     virNWFilterTechDriversInit(privileged);
 
     if (virNWFilterConfLayerInit(virNWFilterDomainFWUpdateCB) < 0)
-        goto conf_init_err;
-
-    if (VIR_ALLOC(driverState) < 0)
-        goto alloc_err_exit;
-
-    if (virMutexInit(&driverState->lock) < 0)
-        goto alloc_err_exit;
+        goto err_techdrivers_shutdown;
 
     nwfilterDriverLock(driverState);
 
+    /*
+     * startup the DBus late so we don't get a reload signal while
+     * initializing
+     */
+    if (nwfilterDriverInstallDBusMatches(sysbus) < 0) {
+        VIR_ERROR(_("DBus matches could not be installed. Disabling nwfilter "
+                  "driver"));
+        /*
+         * unfortunately this is fatal since virNWFilterTechDriversInit
+         * may have caused the ebiptables driver to use the firewall tool
+         * but now that the watches don't work, we just disable the nwfilter
+         * driver
+         */
+        goto error;
+    }
+
     if (privileged) {
         if ((base = strdup (SYSCONFDIR "/libvirt")) == NULL)
             goto out_of_memory;
@@ -124,9 +244,11 @@ error:
     nwfilterDriverShutdown();
 
 alloc_err_exit:
-    virNWFilterConfLayerShutdown();
+    return -1;
 
-conf_init_err:
+    nwfilterDriverUnlock(driverState);
+
+err_techdrivers_shutdown:
     virNWFilterTechDriversShutdown();
     virNWFilterDHCPSnoopShutdown();
 err_exit_learnshutdown:
@@ -134,6 +256,9 @@ err_exit_learnshutdown:
 err_exit_ipaddrmapshutdown:
     virNWFilterIPAddrMapShutdown();
 
+err_free_driverstate:
+    VIR_FREE(driverState);
+
     return -1;
 }
 
@@ -192,6 +317,29 @@ nwfilterDriverActive(void) {
 
     nwfilterDriverLock(driverState);
     ret = driverState->nwfilters.count ? 1 : 0;
+    ret |= driverState->watchingFirewallD;
+    nwfilterDriverUnlock(driverState);
+
+    return ret;
+}
+
+/**
+ * virNWFilterIsWatchingFirewallD:
+ *
+ * Checks if the nwfilter has the DBus watches for FirewallD installed.
+ *
+ * Returns true if it is watching firewalld, false otherwise
+ */
+bool
+virNWFilterDriverIsWatchingFirewallD(void)
+{
+    bool ret;
+
+    if (!driverState)
+        return false;
+
+    nwfilterDriverLock(driverState);
+    ret = driverState->watchingFirewallD;
     nwfilterDriverUnlock(driverState);
 
     return ret;
@@ -215,6 +363,8 @@ nwfilterDriverShutdown(void) {
 
     nwfilterDriverLock(driverState);
 
+    nwfilterDriverRemoveDBusMatches();
+
     /* free inactive nwfilters */
     virNWFilterObjListFree(&driverState->nwfilters);
 
Index: libvirt-firewalld/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-firewalld.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-firewalld/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -36,6 +36,7 @@
 #include "virterror_internal.h"
 #include "domain_conf.h"
 #include "nwfilter_conf.h"
+#include "nwfilter_driver.h"
 #include "nwfilter_gentech_driver.h"
 #include "nwfilter_ebiptables_driver.h"
 #include "virfile.h"
@@ -145,11 +146,11 @@ static const char ebiptables_script_set_
 #define NWFILTER_FUNC_SET_IFS ebiptables_script_set_ifs
 
 #define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \
-    virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path);
+    virBufferAsprintf(BUFPTR, "EBT=\"%s\"\n", ebtables_cmd_path);
 #define NWFILTER_SET_IPTABLES_SHELLVAR(BUFPTR) \
-    virBufferAsprintf(BUFPTR, "IPT=%s\n", iptables_cmd_path);
+    virBufferAsprintf(BUFPTR, "IPT=\"%s\"\n", iptables_cmd_path);
 #define NWFILTER_SET_IP6TABLES_SHELLVAR(BUFPTR) \
-    virBufferAsprintf(BUFPTR, "IPT=%s\n", ip6tables_cmd_path);
+    virBufferAsprintf(BUFPTR, "IPT=\"%s\"\n", ip6tables_cmd_path);
 
 #define VIRT_IN_CHAIN      "libvirt-in"
 #define VIRT_OUT_CHAIN     "libvirt-out"
@@ -4121,23 +4122,101 @@ virNWFilterTechDriver ebiptables_driver
     .removeBasicRules    = ebtablesRemoveBasicRules,
 };
 
-
+/*
+ * ebiptablesDriverInitWithFirewallD
+ *
+ * Try to use firewall-cmd by testing it once; if it works, have ebtables
+ * and ip6tables commands use firewall-cmd.
+ */
 static int
-ebiptablesDriverInit(bool privileged)
+ebiptablesDriverInitWithFirewallD(void)
 {
     virBuffer buf = VIR_BUFFER_INITIALIZER;
-    char *errmsg = NULL;
+    char *firewall_cmd_path;
+    char *output = NULL;
+    int ret = -1;
 
-    if (!privileged)
-        return 0;
+    if (!virNWFilterDriverIsWatchingFirewallD())
+        return -1;
 
-    if (virMutexInit(&execCLIMutex) < 0)
-        return -EINVAL;
+    firewall_cmd_path = virFindFileInPath("firewall-cmd");
 
-    gawk_cmd_path = virFindFileInPath("gawk");
-    grep_cmd_path = virFindFileInPath("grep");
+    if (firewall_cmd_path) {
+        virBufferAsprintf(&buf, "FWC=%s\n", firewall_cmd_path);
+        virBufferAsprintf(&buf,
+                          CMD_DEF("$FWC --state") CMD_SEPARATOR
+                          CMD_EXEC
+                          "%s",
+                          CMD_STOPONERR(1));
+
+        if (ebiptablesExecCLI(&buf, NULL, &output) == 0 &&
+            strlen(output) == 0) {
+            VIR_DEBUG("Using firewall-cmd in nwfilter_ebiptables_driver.");
+            ebtables_cmd_path = NULL;
+            iptables_cmd_path = NULL;
+            ip6tables_cmd_path = NULL;
+
+            ignore_value(virAsprintf(&ebtables_cmd_path,
+                                     "%s --direct --passthrough eb",
+                                     firewall_cmd_path));
+            ignore_value(virAsprintf(&iptables_cmd_path,
+                                     "%s --direct --passthrough ipv4",
+                                     firewall_cmd_path));
+            ignore_value(virAsprintf(&ip6tables_cmd_path,
+                                     "%s --direct --passthrough ipv6",
+                                     firewall_cmd_path));
+
+            if (!ebtables_cmd_path || !iptables_cmd_path ||
+                !ip6tables_cmd_path) {
+                virReportOOMError();
+                VIR_FREE(ebtables_cmd_path);
+                VIR_FREE(iptables_cmd_path);
+                VIR_FREE(ip6tables_cmd_path);
+                ret = -1;
+                goto err_exit;
+            }
+            ret = 0;
+        }
+    }
+
+err_exit:
+    VIR_FREE(firewall_cmd_path);
+    VIR_FREE(output);
+
+    return ret;
+}
 
+static int
+ebiptablesDriverInitCLITools(void)
+{
     ebtables_cmd_path = virFindFileInPath("ebtables");
+    if (!ebtables_cmd_path)
+        VIR_WARN("Could not find 'ebtables' executable");
+
+    iptables_cmd_path = virFindFileInPath("iptables");
+    if (!iptables_cmd_path)
+        VIR_WARN("Could not find 'iptables' executable");
+
+    ip6tables_cmd_path = virFindFileInPath("ip6tables");
+    if (!ip6tables_cmd_path)
+        VIR_WARN("Could not find 'ip6tables' executable");
+
+    return 0;
+}
+
+/*
+ * ebiptablesDriverTestCLITools
+ *
+ * Test the CLI tools. If one is found not to be working, free the buffer
+ * holding its path as a sign that the tool cannot be used.
+ */
+static int
+ebiptablesDriverTestCLITools(void)
+{
+    virBuffer buf = VIR_BUFFER_INITIALIZER;
+    char *errmsg = NULL;
+    int ret = 0;
+
     if (ebtables_cmd_path) {
         NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
         /* basic probing */
@@ -4151,12 +4230,10 @@ ebiptablesDriverInit(bool privileged)
             VIR_FREE(ebtables_cmd_path);
             VIR_ERROR(_("Testing of ebtables command failed: %s"),
                       errmsg);
+            ret = -1;
         }
-    } else {
-        VIR_WARN("Could not find 'ebtables' executable");
     }
 
-    iptables_cmd_path = virFindFileInPath("iptables");
     if (iptables_cmd_path) {
         NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
 
@@ -4170,12 +4247,10 @@ ebiptablesDriverInit(bool privileged)
             VIR_FREE(iptables_cmd_path);
             VIR_ERROR(_("Testing of iptables command failed: %s"),
                       errmsg);
+            ret = -1;
         }
-    } else {
-        VIR_WARN("Could not find 'iptables' executable");
     }
 
-    ip6tables_cmd_path = virFindFileInPath("ip6tables");
     if (ip6tables_cmd_path) {
         NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
 
@@ -4189,11 +4264,38 @@ ebiptablesDriverInit(bool privileged)
             VIR_FREE(ip6tables_cmd_path);
             VIR_ERROR(_("Testing of ip6tables command failed: %s"),
                       errmsg);
+            ret = -1;
         }
-    } else {
-        VIR_WARN("Could not find 'ip6tables' executable");
     }
 
+    VIR_FREE(errmsg);
+
+    return ret;
+}
+
+static int
+ebiptablesDriverInit(bool privileged)
+{
+    if (!privileged)
+        return 0;
+
+    if (virMutexInit(&execCLIMutex) < 0)
+        return -EINVAL;
+
+    gawk_cmd_path = virFindFileInPath("gawk");
+    grep_cmd_path = virFindFileInPath("grep");
+
+    /*
+     * check whether we can run with firewalld's tools --
+     * if not, we just fall back to eb/iptables command
+     * line tools.
+     */
+    if (ebiptablesDriverInitWithFirewallD() < 0)
+        ebiptablesDriverInitCLITools();
+
+    /* make sure tools are available and work */
+    ebiptablesDriverTestCLITools();
+
     /* ip(6)tables support needs gawk & grep, ebtables doesn't */
     if ((iptables_cmd_path != NULL || ip6tables_cmd_path != NULL) &&
         (!grep_cmd_path || !gawk_cmd_path)) {
@@ -4203,8 +4305,6 @@ ebiptablesDriverInit(bool privileged)
         VIR_FREE(ip6tables_cmd_path);
     }
 
-    VIR_FREE(errmsg);
-
     if (!ebtables_cmd_path && !iptables_cmd_path && !ip6tables_cmd_path) {
         VIR_ERROR(_("firewall tools were not found or cannot be used"));
         ebiptablesDriverShutdown();
Index: libvirt-firewalld/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-firewalld.orig/src/conf/nwfilter_conf.h
+++ libvirt-firewalld/src/conf/nwfilter_conf.h
@@ -563,6 +563,7 @@ struct _virNWFilterDriverState {
     virNWFilterObjList nwfilters;
 
     char *configDir;
+    bool watchingFirewallD;
 };
 
 
Index: libvirt-firewalld/src/libvirt_private.syms
===================================================================
--- libvirt-firewalld.orig/src/libvirt_private.syms
+++ libvirt-firewalld/src/libvirt_private.syms
@@ -891,6 +891,10 @@ virNWFilterIPAddrMapInit;
 virNWFilterIPAddrMapShutdown;
 
 
+# nwfilter_driver.h
+virNWFilterDriverIsWatchingFirewallD;
+
+
 # nwfilter_params.h
 virNWFilterHashTableCreate;
 virNWFilterHashTableFree;
Index: libvirt-firewalld/src/nwfilter/nwfilter_driver.h
===================================================================
--- libvirt-firewalld.orig/src/nwfilter/nwfilter_driver.h
+++ libvirt-firewalld/src/nwfilter/nwfilter_driver.h
@@ -33,4 +33,6 @@
 
 int nwfilterRegister(void);
 
+bool virNWFilterDriverIsWatchingFirewallD(void);
+
 #endif /* __VIR_NWFILTER_DRIVER_H__ */

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]