[PATCH v2 1/4] util: refactor iptables command construction into multiple steps

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Instead of creating an iptables command in one shot, do it in steps
so we can add conditional options like physdev and protocol.

This removes code duplication while keeping existing behaviour.

Signed-off-by: Natanael Copa <ncopa@xxxxxxxxxxxxxxx>
---
This patch is unmodified since last time i sent it [1].

[1] https://www.redhat.com/archives/libvir-list/2012-November/msg00986.html

 src/util/viriptables.c | 130 ++++++++++++++++++++++---------------------------
 1 file changed, 58 insertions(+), 72 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 2c4290a..b03b0e9 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -129,15 +129,10 @@ iptRulesNew(const char *table,
     return NULL;
 }
 
-static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(iptRules *rules, int family, int action,
-                      const char *arg, ...)
+static virCommandPtr
+iptablesCommandNew(iptRules *rules, int family, int action)
 {
-    va_list args;
-    int ret;
     virCommandPtr cmd = NULL;
-    const char *s;
-
 #if HAVE_FIREWALLD
     virIpTablesInitialize();
     if (firewall_cmd_path) {
@@ -154,16 +149,36 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action,
 
     virCommandAddArgList(cmd, "--table", rules->table,
                          action == ADD ? "--insert" : "--delete",
-                         rules->chain, arg, NULL);
+                         rules->chain, NULL);
+    return cmd;
+}
+
+static int
+iptablesCommandRunAndFree(virCommandPtr cmd)
+{
+    int ret;
+    ret = virCommandRun(cmd, NULL);
+    virCommandFree(cmd);
+    return ret;
+}
+
+static int ATTRIBUTE_SENTINEL
+iptablesAddRemoveRule(iptRules *rules, int family, int action,
+                      const char *arg, ...)
+{
+    va_list args;
+    virCommandPtr cmd = NULL;
+    const char *s;
+
+    cmd = iptablesCommandNew(rules, family, action);
+    virCommandAddArg(cmd, arg);
 
     va_start(args, arg);
     while ((s = va_arg(args, const char *)))
         virCommandAddArg(cmd, s);
     va_end(args);
 
-    ret = virCommandRun(cmd, NULL);
-    virCommandFree(cmd);
-    return ret;
+    return iptablesCommandRunAndFree(cmd);
 }
 
 /**
@@ -372,28 +387,24 @@ iptablesForwardAllowOut(iptablesContext *ctx,
 {
     int ret;
     char *networkstr;
+    virCommandPtr cmd = NULL;
 
     if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
         return -1;
 
-    if (physdev && physdev[0]) {
-        ret = iptablesAddRemoveRule(ctx->forward_filter,
-                                    VIR_SOCKET_ADDR_FAMILY(netaddr),
-                                    action,
-                                    "--source", networkstr,
-                                    "--in-interface", iface,
-                                    "--out-interface", physdev,
-                                    "--jump", "ACCEPT",
-                                    NULL);
-    } else {
-        ret = iptablesAddRemoveRule(ctx->forward_filter,
-                                    VIR_SOCKET_ADDR_FAMILY(netaddr),
-                                    action,
-                                    "--source", networkstr,
-                                    "--in-interface", iface,
-                                    "--jump", "ACCEPT",
-                                    NULL);
-    }
+    cmd = iptablesCommandNew(ctx->forward_filter,
+                             VIR_SOCKET_ADDR_FAMILY(netaddr),
+                             action);
+    virCommandAddArgList(cmd,
+                         "--source", networkstr,
+			 "--in-interface", iface, NULL);
+
+    if (physdev && physdev[0])
+        virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
+
+    virCommandAddArgList(cmd, "--jump", "ACCEPT", NULL);
+
+    ret = iptablesCommandRunAndFree(cmd);
     VIR_FREE(networkstr);
     return ret;
 }
@@ -799,6 +810,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
 {
     int ret;
     char *networkstr;
+    virCommandPtr cmd = NULL;
 
     if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
         return -1;
@@ -812,49 +824,23 @@ iptablesForwardMasquerade(iptablesContext *ctx,
         return -1;
     }
 
-    if (protocol && protocol[0]) {
-        if (physdev && physdev[0]) {
-            ret = iptablesAddRemoveRule(ctx->nat_postrouting,
-                                        AF_INET,
-                                        action,
-                                        "--source", networkstr,
-                                        "-p", protocol,
-                                        "!", "--destination", networkstr,
-                                        "--out-interface", physdev,
-                                        "--jump", "MASQUERADE",
-                                        "--to-ports", "1024-65535",
-                                        NULL);
-        } else {
-            ret = iptablesAddRemoveRule(ctx->nat_postrouting,
-                                        AF_INET,
-                                        action,
-                                        "--source", networkstr,
-                                        "-p", protocol,
-                                        "!", "--destination", networkstr,
-                                        "--jump", "MASQUERADE",
-                                        "--to-ports", "1024-65535",
-                                        NULL);
-        }
-    } else {
-        if (physdev && physdev[0]) {
-            ret = iptablesAddRemoveRule(ctx->nat_postrouting,
-                                        AF_INET,
-                                        action,
-                                        "--source", networkstr,
-                                        "!", "--destination", networkstr,
-                                        "--out-interface", physdev,
-                                        "--jump", "MASQUERADE",
-                                        NULL);
-        } else {
-            ret = iptablesAddRemoveRule(ctx->nat_postrouting,
-                                        AF_INET,
-                                        action,
-                                        "--source", networkstr,
-                                        "!", "--destination", networkstr,
-                                        "--jump", "MASQUERADE",
-                                        NULL);
-        }
-    }
+    cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action);
+    virCommandAddArgList(cmd, "--source", networkstr, NULL);
+
+    if (protocol && protocol[0])
+        virCommandAddArgList(cmd, "-p", protocol, NULL);
+
+    virCommandAddArgList(cmd, "!", "--destination", networkstr, NULL);
+
+    if (physdev && physdev[0])
+        virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
+
+    virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL);
+
+    if (protocol && protocol[0])
+        virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL);
+
+    ret = iptablesCommandRunAndFree(cmd);
     VIR_FREE(networkstr);
     return ret;
 }
-- 
1.8.1.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]