This patch provides basic support for using firewalld's firewall-cmd rather than then plain eb/ip(6)tables commands. --- src/Makefile.am | 4 src/conf/nwfilter_conf.h | 1 src/libvirt_private.syms | 4 src/nwfilter/nwfilter_driver.c | 172 ++++++++++++++++++++++++++++-- src/nwfilter/nwfilter_driver.h | 2 src/nwfilter/nwfilter_ebiptables_driver.c | 144 +++++++++++++++++++++---- 6 files changed, 292 insertions(+), 35 deletions(-) Index: libvirt-firewalld/src/Makefile.am =================================================================== --- libvirt-firewalld.orig/src/Makefile.am +++ libvirt-firewalld/src/Makefile.am @@ -1149,9 +1149,9 @@ noinst_LTLIBRARIES += libvirt_driver_nwf #libvirt_la_BUILT_LIBADD += libvirt_driver_nwfilter.la endif libvirt_driver_nwfilter_la_CFLAGS = $(LIBPCAP_CFLAGS) \ - -I$(top_srcdir)/src/conf $(LIBNL_CFLAGS) $(AM_CFLAGS) + -I$(top_srcdir)/src/conf $(LIBNL_CFLAGS) $(AM_CFLAGS) $(DBUS_CFLAGS) libvirt_driver_nwfilter_la_LDFLAGS = $(LD_AMFLAGS) -libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) +libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) $(DBUS_LIBS) if WITH_DRIVER_MODULES libvirt_driver_nwfilter_la_LIBADD += ../gnulib/lib/libgnu.la libvirt_driver_nwfilter_la_LDFLAGS += -module -avoid-version Index: libvirt-firewalld/src/nwfilter/nwfilter_driver.c =================================================================== --- libvirt-firewalld.orig/src/nwfilter/nwfilter_driver.c +++ libvirt-firewalld/src/nwfilter/nwfilter_driver.c @@ -27,6 +27,9 @@ #include <config.h> +#include "virdbus.h" +#include "logging.h" + #include "internal.h" #include "virterror_internal.h" @@ -45,10 +48,24 @@ #define VIR_FROM_THIS VIR_FROM_NWFILTER +#define DBUS_RULE_FWD_NAMEOWNERCHANGED \ + "type='signal'" \ + ",interface='"DBUS_INTERFACE_DBUS"'" \ + ",member='NameOwnerChanged'" \ + ",arg0='org.fedoraproject.FirewallD1'" + +#define DBUS_RULE_FWD_RELOADED \ + "type='signal'" \ + ",interface='org.fedoraproject.FirewallD1'" \ + ",member='Reloaded'" + + static virNWFilterDriverStatePtr driverState; static int nwfilterDriverShutdown(void); +static int nwfilterDriverReload(void); + static void nwfilterDriverLock(virNWFilterDriverStatePtr driver) { virMutexLock(&driver->lock); @@ -58,6 +75,89 @@ static void nwfilterDriverUnlock(virNWFi virMutexUnlock(&driver->lock); } +#if HAVE_FIREWALLD + +static DBusHandlerResult +nwfilterFirewalldDBusFilter(DBusConnection *connection ATTRIBUTE_UNUSED, + DBusMessage *message, + void *user_data ATTRIBUTE_UNUSED) +{ + if (dbus_message_is_signal(message, DBUS_INTERFACE_DBUS, + "NameOwnerChanged") || + dbus_message_is_signal(message, "org.fedoraproject.FirewallD1", + "Reloaded")) { + VIR_DEBUG("Reload in nwfilter_driver because of firewalld."); + nwfilterDriverReload(); + } + + return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; +} + +static void +nwfilterDriverRemoveDBusMatches(void) +{ + DBusConnection *sysbus; + + sysbus = virDBusGetSystemBus(); + if (sysbus) { + dbus_bus_remove_match(sysbus, + DBUS_RULE_FWD_NAMEOWNERCHANGED, + NULL); + dbus_bus_remove_match(sysbus, + DBUS_RULE_FWD_RELOADED, + NULL); + dbus_connection_remove_filter(sysbus, nwfilterFirewalldDBusFilter, NULL); + } +} + +/** + * virNWFilterDriverInstallDBusMatches + * + * Startup DBus matches for monitoring the state of firewalld + */ +static int +nwfilterDriverInstallDBusMatches(DBusConnection *sysbus) +{ + int ret = 0; + + if (!sysbus) { + ret = -1; + } else { + /* add matches for + * NameOwnerChanged on org.freedesktop.DBus for firewalld start/stop + * Reloaded on org.fedoraproject.FirewallD1 for firewalld reload + */ + dbus_bus_add_match(sysbus, + DBUS_RULE_FWD_NAMEOWNERCHANGED, + NULL); + dbus_bus_add_match(sysbus, + DBUS_RULE_FWD_RELOADED, + NULL); + if (!dbus_connection_add_filter(sysbus, nwfilterFirewalldDBusFilter, + NULL, NULL)) { + VIR_WARN(("Adding a filter to the DBus connection failed")); + nwfilterDriverRemoveDBusMatches(); + ret = -1; + } + } + + return ret; +} + +#else /* HAVE_FIREWALLD */ + +static void +nwfilterDriverRemoveDBusMatches(void) +{ +} + +static int +nwfilterDriverInstallDBusMatches(DBusConnection *sysbus ATTRIBUTE_UNUSED) +{ + return 0; +} + +#endif /* HAVE_FIREWALLD */ /** * virNWFilterStartup: @@ -65,14 +165,24 @@ static void nwfilterDriverUnlock(virNWFi * Initialization function for the QEmu daemon */ static int -nwfilterDriverStartup(int privileged) { +nwfilterDriverStartup(int privileged) +{ char *base = NULL; + DBusConnection *sysbus = virDBusGetSystemBus(); + + if (VIR_ALLOC(driverState) < 0) + goto alloc_err_exit; + + if (virMutexInit(&driverState->lock) < 0) + goto err_free_driverstate; + + driverState->watchingFirewallD = (sysbus != NULL); if (!privileged) return 0; if (virNWFilterIPAddrMapInit() < 0) - return -1; + goto err_free_driverstate; if (virNWFilterLearnInit() < 0) goto err_exit_ipaddrmapshutdown; if (virNWFilterDHCPSnoopInit() < 0) @@ -81,16 +191,26 @@ nwfilterDriverStartup(int privileged) { virNWFilterTechDriversInit(privileged); if (virNWFilterConfLayerInit(virNWFilterDomainFWUpdateCB) < 0) - goto conf_init_err; - - if (VIR_ALLOC(driverState) < 0) - goto alloc_err_exit; - - if (virMutexInit(&driverState->lock) < 0) - goto alloc_err_exit; + goto err_techdrivers_shutdown; nwfilterDriverLock(driverState); + /* + * startup the DBus late so we don't get a reload signal while + * initializing + */ + if (nwfilterDriverInstallDBusMatches(sysbus) < 0) { + VIR_ERROR(_("DBus matches could not be installed. Disabling nwfilter " + "driver")); + /* + * unfortunately this is fatal since virNWFilterTechDriversInit + * may have caused the ebiptables driver to use the firewall tool + * but now that the watches don't work, we just disable the nwfilter + * driver + */ + goto error; + } + if (privileged) { if ((base = strdup (SYSCONFDIR "/libvirt")) == NULL) goto out_of_memory; @@ -124,9 +244,11 @@ error: nwfilterDriverShutdown(); alloc_err_exit: - virNWFilterConfLayerShutdown(); + return -1; -conf_init_err: + nwfilterDriverUnlock(driverState); + +err_techdrivers_shutdown: virNWFilterTechDriversShutdown(); virNWFilterDHCPSnoopShutdown(); err_exit_learnshutdown: @@ -134,6 +256,9 @@ err_exit_learnshutdown: err_exit_ipaddrmapshutdown: virNWFilterIPAddrMapShutdown(); +err_free_driverstate: + VIR_FREE(driverState); + return -1; } @@ -192,6 +317,29 @@ nwfilterDriverActive(void) { nwfilterDriverLock(driverState); ret = driverState->nwfilters.count ? 1 : 0; + ret |= driverState->watchingFirewallD; + nwfilterDriverUnlock(driverState); + + return ret; +} + +/** + * virNWFilterIsWatchingFirewallD: + * + * Checks if the nwfilter has the DBus watches for FirewallD installed. + * + * Returns true if it is watching firewalld, false otherwise + */ +bool +virNWFilterDriverIsWatchingFirewallD(void) +{ + bool ret; + + if (!driverState) + return false; + + nwfilterDriverLock(driverState); + ret = driverState->watchingFirewallD; nwfilterDriverUnlock(driverState); return ret; @@ -215,6 +363,8 @@ nwfilterDriverShutdown(void) { nwfilterDriverLock(driverState); + nwfilterDriverRemoveDBusMatches(); + /* free inactive nwfilters */ virNWFilterObjListFree(&driverState->nwfilters); Index: libvirt-firewalld/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-firewalld.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-firewalld/src/nwfilter/nwfilter_ebiptables_driver.c @@ -36,6 +36,7 @@ #include "virterror_internal.h" #include "domain_conf.h" #include "nwfilter_conf.h" +#include "nwfilter_driver.h" #include "nwfilter_gentech_driver.h" #include "nwfilter_ebiptables_driver.h" #include "virfile.h" @@ -145,11 +146,11 @@ static const char ebiptables_script_set_ #define NWFILTER_FUNC_SET_IFS ebiptables_script_set_ifs #define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \ - virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path); + virBufferAsprintf(BUFPTR, "EBT=\"%s\"\n", ebtables_cmd_path); #define NWFILTER_SET_IPTABLES_SHELLVAR(BUFPTR) \ - virBufferAsprintf(BUFPTR, "IPT=%s\n", iptables_cmd_path); + virBufferAsprintf(BUFPTR, "IPT=\"%s\"\n", iptables_cmd_path); #define NWFILTER_SET_IP6TABLES_SHELLVAR(BUFPTR) \ - virBufferAsprintf(BUFPTR, "IPT=%s\n", ip6tables_cmd_path); + virBufferAsprintf(BUFPTR, "IPT=\"%s\"\n", ip6tables_cmd_path); #define VIRT_IN_CHAIN "libvirt-in" #define VIRT_OUT_CHAIN "libvirt-out" @@ -4121,23 +4122,101 @@ virNWFilterTechDriver ebiptables_driver .removeBasicRules = ebtablesRemoveBasicRules, }; - +/* + * ebiptablesDriverInitWithFirewallD + * + * Try to use firewall-cmd by testing it once; if it works, have ebtables + * and ip6tables commands use firewall-cmd. + */ static int -ebiptablesDriverInit(bool privileged) +ebiptablesDriverInitWithFirewallD(void) { virBuffer buf = VIR_BUFFER_INITIALIZER; - char *errmsg = NULL; + char *firewall_cmd_path; + char *output = NULL; + int ret = -1; - if (!privileged) - return 0; + if (!virNWFilterDriverIsWatchingFirewallD()) + return -1; - if (virMutexInit(&execCLIMutex) < 0) - return -EINVAL; + firewall_cmd_path = virFindFileInPath("firewall-cmd"); - gawk_cmd_path = virFindFileInPath("gawk"); - grep_cmd_path = virFindFileInPath("grep"); + if (firewall_cmd_path) { + virBufferAsprintf(&buf, "FWC=%s\n", firewall_cmd_path); + virBufferAsprintf(&buf, + CMD_DEF("$FWC --state") CMD_SEPARATOR + CMD_EXEC + "%s", + CMD_STOPONERR(1)); + + if (ebiptablesExecCLI(&buf, NULL, &output) == 0 && + strlen(output) == 0) { + VIR_DEBUG("Using firewall-cmd in nwfilter_ebiptables_driver."); + ebtables_cmd_path = NULL; + iptables_cmd_path = NULL; + ip6tables_cmd_path = NULL; + + ignore_value(virAsprintf(&ebtables_cmd_path, + "%s --direct --passthrough eb", + firewall_cmd_path)); + ignore_value(virAsprintf(&iptables_cmd_path, + "%s --direct --passthrough ipv4", + firewall_cmd_path)); + ignore_value(virAsprintf(&ip6tables_cmd_path, + "%s --direct --passthrough ipv6", + firewall_cmd_path)); + + if (!ebtables_cmd_path || !iptables_cmd_path || + !ip6tables_cmd_path) { + virReportOOMError(); + VIR_FREE(ebtables_cmd_path); + VIR_FREE(iptables_cmd_path); + VIR_FREE(ip6tables_cmd_path); + ret = -1; + goto err_exit; + } + ret = 0; + } + } + +err_exit: + VIR_FREE(firewall_cmd_path); + VIR_FREE(output); + + return ret; +} +static int +ebiptablesDriverInitCLITools(void) +{ ebtables_cmd_path = virFindFileInPath("ebtables"); + if (!ebtables_cmd_path) + VIR_WARN("Could not find 'ebtables' executable"); + + iptables_cmd_path = virFindFileInPath("iptables"); + if (!iptables_cmd_path) + VIR_WARN("Could not find 'iptables' executable"); + + ip6tables_cmd_path = virFindFileInPath("ip6tables"); + if (!ip6tables_cmd_path) + VIR_WARN("Could not find 'ip6tables' executable"); + + return 0; +} + +/* + * ebiptablesDriverTestCLITools + * + * Test the CLI tools. If one is found not to be working, free the buffer + * holding its path as a sign that the tool cannot be used. + */ +static int +ebiptablesDriverTestCLITools(void) +{ + virBuffer buf = VIR_BUFFER_INITIALIZER; + char *errmsg = NULL; + int ret = 0; + if (ebtables_cmd_path) { NWFILTER_SET_EBTABLES_SHELLVAR(&buf); /* basic probing */ @@ -4151,12 +4230,10 @@ ebiptablesDriverInit(bool privileged) VIR_FREE(ebtables_cmd_path); VIR_ERROR(_("Testing of ebtables command failed: %s"), errmsg); + ret = -1; } - } else { - VIR_WARN("Could not find 'ebtables' executable"); } - iptables_cmd_path = virFindFileInPath("iptables"); if (iptables_cmd_path) { NWFILTER_SET_IPTABLES_SHELLVAR(&buf); @@ -4170,12 +4247,10 @@ ebiptablesDriverInit(bool privileged) VIR_FREE(iptables_cmd_path); VIR_ERROR(_("Testing of iptables command failed: %s"), errmsg); + ret = -1; } - } else { - VIR_WARN("Could not find 'iptables' executable"); } - ip6tables_cmd_path = virFindFileInPath("ip6tables"); if (ip6tables_cmd_path) { NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); @@ -4189,11 +4264,38 @@ ebiptablesDriverInit(bool privileged) VIR_FREE(ip6tables_cmd_path); VIR_ERROR(_("Testing of ip6tables command failed: %s"), errmsg); + ret = -1; } - } else { - VIR_WARN("Could not find 'ip6tables' executable"); } + VIR_FREE(errmsg); + + return ret; +} + +static int +ebiptablesDriverInit(bool privileged) +{ + if (!privileged) + return 0; + + if (virMutexInit(&execCLIMutex) < 0) + return -EINVAL; + + gawk_cmd_path = virFindFileInPath("gawk"); + grep_cmd_path = virFindFileInPath("grep"); + + /* + * check whether we can run with firewalld's tools -- + * if not, we just fall back to eb/iptables command + * line tools. + */ + if (ebiptablesDriverInitWithFirewallD() < 0) + ebiptablesDriverInitCLITools(); + + /* make sure tools are available and work */ + ebiptablesDriverTestCLITools(); + /* ip(6)tables support needs gawk & grep, ebtables doesn't */ if ((iptables_cmd_path != NULL || ip6tables_cmd_path != NULL) && (!grep_cmd_path || !gawk_cmd_path)) { @@ -4203,8 +4305,6 @@ ebiptablesDriverInit(bool privileged) VIR_FREE(ip6tables_cmd_path); } - VIR_FREE(errmsg); - if (!ebtables_cmd_path && !iptables_cmd_path && !ip6tables_cmd_path) { VIR_ERROR(_("firewall tools were not found or cannot be used")); ebiptablesDriverShutdown(); Index: libvirt-firewalld/src/conf/nwfilter_conf.h =================================================================== --- libvirt-firewalld.orig/src/conf/nwfilter_conf.h +++ libvirt-firewalld/src/conf/nwfilter_conf.h @@ -563,6 +563,7 @@ struct _virNWFilterDriverState { virNWFilterObjList nwfilters; char *configDir; + bool watchingFirewallD; }; Index: libvirt-firewalld/src/libvirt_private.syms =================================================================== --- libvirt-firewalld.orig/src/libvirt_private.syms +++ libvirt-firewalld/src/libvirt_private.syms @@ -891,6 +891,10 @@ virNWFilterIPAddrMapInit; virNWFilterIPAddrMapShutdown; +# nwfilter_driver.h +virNWFilterDriverIsWatchingFirewallD; + + # nwfilter_params.h virNWFilterHashTableCreate; virNWFilterHashTableFree; Index: libvirt-firewalld/src/nwfilter/nwfilter_driver.h =================================================================== --- libvirt-firewalld.orig/src/nwfilter/nwfilter_driver.h +++ libvirt-firewalld/src/nwfilter/nwfilter_driver.h @@ -33,4 +33,6 @@ int nwfilterRegister(void); +bool virNWFilterDriverIsWatchingFirewallD(void); + #endif /* __VIR_NWFILTER_DRIVER_H__ */ -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list