Convert the virebtables.{c,h} files to use the new virFirewall APIs for changing ebtables rules.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/util/virebtables.c | 187 ++++++++++++-------------------------------------
 1 file changed, 46 insertions(+), 141 deletions(-)
diff --git a/src/util/virebtables.c b/src/util/virebtables.c
index 01fb15e..8fbae98 100644
--- a/src/util/virebtables.c
+++ b/src/util/virebtables.c
@@ -25,65 +25,16 @@
 #include <config.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <errno.h>
-#include <limits.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-
 #include "internal.h"
 #include "virebtables.h"
-#include "vircommand.h"
 #include "viralloc.h"
 #include "virerror.h"
-#include "virfile.h"
 #include "virlog.h"
-#include "virthread.h"
 #include "virstring.h"
-#include "virutil.h"
+#include "virfirewall.h"
 #define VIR_FROM_THIS VIR_FROM_NONE
-#if HAVE_FIREWALLD
-static char *firewall_cmd_path = NULL;
-
-static int
-virEbTablesOnceInit(void)
-{
- firewall_cmd_path = virFindFileInPath("firewall-cmd");
- if (!firewall_cmd_path) {
- VIR_INFO("firewall-cmd not found on system. "
- "firewalld support disabled for ebtables.");
- } else {
- virCommandPtr cmd = virCommandNew(firewall_cmd_path);
-
- virCommandAddArgList(cmd, "--state", NULL);
- if (virCommandRun(cmd, NULL) < 0) {
- VIR_INFO("firewall-cmd found but disabled for ebtables");
- VIR_FREE(firewall_cmd_path);
- firewall_cmd_path = NULL;
- } else {
- VIR_INFO("using firewalld for ebtables commands");
- }
- virCommandFree(cmd);
- }
- return 0;
-}
-
-VIR_ONCE_GLOBAL_INIT(virEbTables)
-
-#endif
-
 struct _ebtablesContext {
 char *chain;
@@ -94,84 +45,6 @@ enum {
 REMOVE,
 };
-
-static int ATTRIBUTE_SENTINEL
-ebtablesAddRemoveRule(const char *arg, ...)
-{
- va_list args;
- int retval = ENOMEM;
- char **argv;
- const char *s;
- int n;
-
- n = 1 + /* /sbin/ebtables */
- 2 + /* --table foo */
- 2 + /* --insert bar */
- 1; /* arg */
-
-#if HAVE_FIREWALLD
- virEbTablesInitialize();
- if (firewall_cmd_path)
- n += 3; /* --direct --passthrough eb */
-#endif
-
- va_start(args, arg);
- while (va_arg(args, const char *))
- n++;
-
- va_end(args);
-
- if (VIR_ALLOC_N(argv, n + 1) < 0)
- goto error;
-
- n = 0;
-
-#if HAVE_FIREWALLD
- if (firewall_cmd_path) {
- if (VIR_STRDUP(argv[n++], firewall_cmd_path) < 0)
- goto error;
- if (VIR_STRDUP(argv[n++], "--direct") < 0)
- goto error;
- if (VIR_STRDUP(argv[n++], "--passthrough") < 0)
- goto error;
- if (VIR_STRDUP(argv[n++], "eb") < 0)
- goto error;
- } else
-#endif
- if (VIR_STRDUP(argv[n++], EBTABLES_PATH) < 0)
- goto error;
-
- if (VIR_STRDUP(argv[n++], arg) < 0)
- goto error;
-
- va_start(args, arg);
-
- while ((s = va_arg(args, const char *))) {
- if (VIR_STRDUP(argv[n++], s) < 0) {
- va_end(args);
- goto error;
- }
- }
-
- va_end(args);
-
- if (virRun((const char **)argv, NULL) < 0) {
- retval = errno;
- goto error;
- }
-
- error:
- if (argv) {
- n = 0;
- while (argv[n])
- VIR_FREE(argv[n++]);
- VIR_FREE(argv);
- }
-
- return retval;
-}
-
-
 /**
 * ebtablesContextNew:
 *
@@ -214,12 +87,30 @@ ebtablesContextFree(ebtablesContext *ctx)
 int
 ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
 {
- ebtablesAddRemoveRule("--new-chain", ctx->chain, NULL,
- NULL);
- ebtablesAddRemoveRule("--insert", "FORWARD", "--jump",
- ctx->chain, NULL);
- return ebtablesAddRemoveRule("-P", ctx->chain, "DROP",
- NULL);
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+
+ fw = virFirewallNew();
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--new-chain", ctx->chain,
+ NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--insert", "FORWARD",
+ "--jump", ctx->chain, NULL);
+
+ virFirewallStartTransaction(fw, 0);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-P", ctx->chain, "DROP",
+ NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ virFirewallFree(fw);
+ return ret;
 }
@@ -232,12 +123,26 @@ ebtablesForwardAllowIn(ebtablesContext *ctx,
 const char *macaddr,
 int action)
 {
- return ebtablesAddRemoveRule(action == ADD ? "--insert" : "--delete",
- ctx->chain,
- "--in-interface", iface,
- "--source", macaddr,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+
+ fw = virFirewallNew();
+ virFirewallStartTransaction(fw, 0);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ action == ADD ? "--insert" : "--delete",
+ ctx->chain,
+ "--in-interface", iface,
+ "--source", macaddr,
+ "--jump", "ACCEPT",
+ NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ virFirewallFree(fw);
+ return ret;
 }
 /**
@@ -259,7 +164,7 @@ ebtablesAddForwardAllowIn(ebtablesContext *ctx,
 {
 char macaddr[VIR_MAC_STRING_BUFLEN];
- virMacAddrFormat(mac, macaddr);
+ virMacAddrFormat(mac, macaddr);
 return ebtablesForwardAllowIn(ctx, iface, macaddr, ADD);
 }
-- 1.8.5.3 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
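Review bot: In ebtablesAddForwardPolicyReject the `VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS` transaction covers not only `--new-chain` but also the `--insert FORWARD --jump <chain>` rule, so if that insert fails the chain receives its DROP policy but is never reached from FORWARD, and the function still returns 0. If the intent is only to tolerate a chain that already exists from an earlier run, start a strict transaction before the jump rule — `virFirewallStartTransaction(fw, 0);` ahead of the second `virFirewallAddRule` — so a missing jump is reported by `virFirewallApply`. Either way a comment such as `/* --new-chain fails harmlessly if the chain already exists */` above the first transaction would record why errors are ignored there. The removed ebtablesAddRemoveRule calls also discarded the result of those two commands, so keeping the wide scope preserves the old behaviour, but it should be a documented choice rather than an accident.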