[PATCH 16/26] Convert nwfilter ebiptablesAllTeardown to virFirewall

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Convert the nwfilter ebiptablesAllTeardown method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/Makefile.am                           |  18 +-
 src/nwfilter/nwfilter_ebiptables_driver.c | 326 ++++++++++++++++++++++++++----
 tests/Makefile.am                         |  11 +
 tests/nwfilterebiptablestest.c            | 116 +++++++++++
 4 files changed, 422 insertions(+), 49 deletions(-)
 create mode 100644 tests/nwfilterebiptablestest.c

diff --git a/src/Makefile.am b/src/Makefile.am
index 7615294..70ef6b6 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1536,6 +1536,9 @@ endif WITH_NODE_DEVICES
 
 
 if WITH_NWFILTER
+noinst_LTLIBRARIES += libvirt_driver_nwfilter_impl.la
+libvirt_driver_nwfilter_la_SOURCES =
+libvirt_driver_nwfilter_la_LIBADD = libvirt_driver_nwfilter_impl.la
 if WITH_DRIVER_MODULES
 mod_LTLIBRARIES += libvirt_driver_nwfilter.la
 else ! WITH_DRIVER_MODULES
@@ -1543,20 +1546,23 @@ noinst_LTLIBRARIES += libvirt_driver_nwfilter.la
 # Stateful, so linked to daemon instead
 #libvirt_la_BUILT_LIBADD += libvirt_driver_nwfilter.la
 endif ! WITH_DRIVER_MODULES
-libvirt_driver_nwfilter_la_CFLAGS = \
+libvirt_driver_nwfilter_impl_la_CFLAGS = \
 		$(LIBPCAP_CFLAGS) \
 		$(LIBNL_CFLAGS) \
 		$(DBUS_CFLAGS) \
 		-I$(top_srcdir)/src/access \
 		-I$(top_srcdir)/src/conf \
 		$(AM_CFLAGS)
-libvirt_driver_nwfilter_la_LDFLAGS = $(AM_LDFLAGS)
-libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) $(DBUS_LIBS)
+libvirt_driver_nwfilter_impl_la_LDFLAGS = $(AM_LDFLAGS)
+libvirt_driver_nwfilter_impl_la_LIBADD = \
+		$(LIBPCAP_LIBS) \
+		$(LIBNL_LIBS) \
+		$(DBUS_LIBS)
 if WITH_DRIVER_MODULES
-libvirt_driver_nwfilter_la_LIBADD += ../gnulib/lib/libgnu.la
-libvirt_driver_nwfilter_la_LDFLAGS += -module -avoid-version
+libvirt_driver_nwfilter_impl_la_LIBADD += ../gnulib/lib/libgnu.la
+libvirt_driver_nwfilter_impl_la_LDFLAGS += -module -avoid-version
 endif WITH_DRIVER_MODULES
-libvirt_driver_nwfilter_la_SOURCES = $(NWFILTER_DRIVER_SOURCES)
+libvirt_driver_nwfilter_impl_la_SOURCES = $(NWFILTER_DRIVER_SOURCES)
 endif WITH_NWFILTER
 
 
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 0361d99..8a53ceb 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -45,6 +45,7 @@
 #include "configmake.h"
 #include "intprops.h"
 #include "virstring.h"
+#include "virfirewall.h"
 
 #define VIR_FROM_THIS VIR_FROM_NWFILTER
 
@@ -180,22 +181,15 @@ static const char ebiptables_script_set_ifs[] =
     snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname)
 
 #define PHYSDEV_IN  "--physdev-in"
-#define PHYSDEV_OUT "--physdev-is-bridged --physdev-out"
-/*
- * Previous versions of libvirt only used --physdev-out.
- * To be able to upgrade with running VMs we need to be able to
- * remove rules generated by those older versions of libvirt.
- */
-#define PHYSDEV_OUT_OLD  "--physdev-out"
 
 static const char *m_state_out_str   = "-m state --state NEW,ESTABLISHED";
 static const char *m_state_in_str    = "-m state --state ESTABLISHED";
 static const char *m_state_out_str_new = "-m conntrack --ctstate NEW,ESTABLISHED";
 static const char *m_state_in_str_new  = "-m conntrack --ctstate ESTABLISHED";
 
-static const char *m_physdev_in_str  = "-m physdev " PHYSDEV_IN;
-static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
-static const char *m_physdev_out_old_str = "-m physdev " PHYSDEV_OUT_OLD;
+static const char *m_physdev_in_str  = "-m physdev --physdev-in";
+static const char *m_physdev_out_str = "-m physdev --physdev-is-bridged --physdev-out";
+static const char *m_physdev_out_old_str = "-m physdev --physdev-out";
 
 #define MATCH_STATE_OUT    m_state_out_str
 #define MATCH_STATE_IN     m_state_in_str
@@ -203,6 +197,10 @@ static const char *m_physdev_out_old_str = "-m physdev " PHYSDEV_OUT_OLD;
 #define MATCH_PHYSDEV_OUT  m_physdev_out_str
 #define MATCH_PHYSDEV_OUT_OLD  m_physdev_out_old_str
 
+#define MATCH_PHYSDEV_IN_FW   "-m", "physdev", "--physdev-in"
+#define MATCH_PHYSDEV_OUT_FW  "-m", "physdev", "--physdev-is-bridged", "--physdev-out"
+#define MATCH_PHYSDEV_OUT_OLD_FW  "-m", "physdev", "--physdev-out"
+
 #define COMMENT_VARNAME "comment"
 
 static int ebtablesRemoveBasicRules(const char *ifname);
@@ -661,6 +659,32 @@ _iptablesRemoveRootChain(virBufferPtr buf,
 
 
 static void
+_iptablesRemoveRootChainFW(virFirewallPtr fw,
+                           virFirewallLayer layer,
+                           char prefix,
+                           bool incoming, const char *ifname,
+                           int isTempChain)
+{
+    char chain[MAX_CHAINNAME_LENGTH];
+    char chainPrefix[2] = {
+        prefix,
+    };
+
+    if (isTempChain)
+        chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN_TEMP
+                                  : CHAINPREFIX_HOST_OUT_TEMP;
+    else
+        chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN
+                                  : CHAINPREFIX_HOST_OUT;
+
+    PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+    virFirewallAddRule(fw, layer, "-F", chain, NULL);
+    virFirewallAddRule(fw, layer, "-X", chain, NULL);
+}
+
+
+static void
 iptablesRemoveRootChain(virBufferPtr buf,
                         char prefix,
                         bool incoming,
@@ -671,6 +695,17 @@ iptablesRemoveRootChain(virBufferPtr buf,
 
 
 static void
+iptablesRemoveRootChainFW(virFirewallPtr fw,
+                          virFirewallLayer layer,
+                          char prefix,
+                          bool incoming,
+                          const char *ifname)
+{
+    _iptablesRemoveRootChainFW(fw, layer, prefix, incoming, ifname, false);
+}
+
+
+static void
 iptablesRemoveTmpRootChain(virBufferPtr buf,
                            char prefix,
                            bool incoming,
@@ -702,6 +737,17 @@ iptablesRemoveRootChains(virBufferPtr buf,
 
 
 static void
+iptablesRemoveRootChainsFW(virFirewallPtr fw,
+                           virFirewallLayer layer,
+                           const char *ifname)
+{
+    iptablesRemoveRootChainFW(fw, layer, 'F', false, ifname);
+    iptablesRemoveRootChainFW(fw, layer, 'F', true, ifname);
+    iptablesRemoveRootChainFW(fw, layer, 'H', true, ifname);
+}
+
+
+static void
 iptablesLinkTmpRootChain(virBufferPtr buf,
                          const char *basechain,
                          char prefix,
@@ -762,14 +808,14 @@ iptablesSetupVirtInPost(virBufferPtr buf,
 
 
 static void
-iptablesClearVirtInPost(virBufferPtr buf,
-                        const char *ifname)
+iptablesClearVirtInPostFW(virFirewallPtr fw,
+                          virFirewallLayer layer,
+                          const char *ifname)
 {
-    const char *match = MATCH_PHYSDEV_IN;
-    virBufferAsprintf(buf,
-                      "$IPT -D " VIRT_IN_POST_CHAIN
-                      " %s %s -j ACCEPT" CMD_SEPARATOR,
-                      match, ifname);
+    virFirewallAddRule(fw, layer,
+                       "-D", VIRT_IN_POST_CHAIN,
+                       MATCH_PHYSDEV_IN_FW,
+                       ifname, "-j", "ACCEPT", NULL);
 }
 
 static void
@@ -817,6 +863,54 @@ _iptablesUnlinkRootChain(virBufferPtr buf,
 
 
 static void
+_iptablesUnlinkRootChainFW(virFirewallPtr fw,
+                           virFirewallLayer layer,
+                           const char *basechain,
+                           char prefix,
+                           bool incoming, const char *ifname,
+                           int isTempChain)
+{
+    char chain[MAX_CHAINNAME_LENGTH];
+    char chainPrefix[2] = {
+        prefix,
+    };
+    if (isTempChain)
+        chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN_TEMP
+                                  : CHAINPREFIX_HOST_OUT_TEMP;
+    else
+        chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN
+                                  : CHAINPREFIX_HOST_OUT;
+
+    PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+    if (incoming)
+        virFirewallAddRule(fw, layer,
+                           "-D", basechain,
+                           MATCH_PHYSDEV_IN_FW, ifname,
+                           "-g", chain,
+                           NULL);
+    else
+        virFirewallAddRule(fw, layer,
+                           "-D", basechain,
+                           MATCH_PHYSDEV_OUT_FW, ifname,
+                           "-g", chain,
+                           NULL);
+
+    /*
+     * Previous versions of libvirt may have created a rule
+     * with the --physdev-is-bridged missing. Remove this one
+     * as well.
+     */
+    if (!incoming)
+        virFirewallAddRule(fw, layer,
+                           "-D", basechain,
+                           MATCH_PHYSDEV_OUT_OLD_FW, ifname,
+                           "-g", chain,
+                           NULL);
+}
+
+
+static void
 iptablesUnlinkRootChain(virBufferPtr buf,
                         const char *basechain,
                         char prefix,
@@ -826,6 +920,17 @@ iptablesUnlinkRootChain(virBufferPtr buf,
                              basechain, prefix, incoming, ifname, false);
 }
 
+static void
+iptablesUnlinkRootChainFW(virFirewallPtr fw,
+                          virFirewallLayer layer,
+                          const char *basechain,
+                          char prefix,
+                          bool incoming, const char *ifname)
+{
+    _iptablesUnlinkRootChainFW(fw, layer,
+                               basechain, prefix, incoming, ifname, false);
+}
+
 
 static void
 iptablesUnlinkTmpRootChain(virBufferPtr buf,
@@ -849,6 +954,17 @@ iptablesUnlinkRootChains(virBufferPtr buf,
 
 
 static void
+iptablesUnlinkRootChainsFW(virFirewallPtr fw,
+                           virFirewallLayer layer,
+                           const char *ifname)
+{
+    iptablesUnlinkRootChainFW(fw, layer, VIRT_OUT_CHAIN, 'F', false, ifname);
+    iptablesUnlinkRootChainFW(fw, layer, VIRT_IN_CHAIN,  'F', true, ifname);
+    iptablesUnlinkRootChainFW(fw, layer, HOST_IN_CHAIN,  'H', true, ifname);
+}
+
+
+static void
 iptablesUnlinkTmpRootChains(virBufferPtr buf,
                             const char *ifname)
 {
@@ -2802,6 +2918,29 @@ _ebtablesRemoveRootChain(virBufferPtr buf,
 
 
 static void
+_ebtablesRemoveRootChainFW(virFirewallPtr fw,
+                           bool incoming, const char *ifname,
+                           int isTempChain)
+{
+    char chain[MAX_CHAINNAME_LENGTH];
+    char chainPrefix;
+    if (isTempChain)
+        chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
+                               : CHAINPREFIX_HOST_OUT_TEMP;
+    else
+        chainPrefix = incoming ? CHAINPREFIX_HOST_IN
+                               : CHAINPREFIX_HOST_OUT;
+
+    PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                       "-t", "nat", "-F", chain, NULL);
+    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                       "-t", "nat", "-X", chain, NULL);
+}
+
+
+static void
 ebtablesRemoveRootChain(virBufferPtr buf,
                         bool incoming, const char *ifname)
 {
@@ -2810,6 +2949,14 @@ ebtablesRemoveRootChain(virBufferPtr buf,
 
 
 static void
+ebtablesRemoveRootChainFW(virFirewallPtr fw,
+                          bool incoming, const char *ifname)
+{
+    _ebtablesRemoveRootChainFW(fw, incoming, ifname, false);
+}
+
+
+static void
 ebtablesRemoveTmpRootChain(virBufferPtr buf,
                            bool incoming, const char *ifname)
 {
@@ -2845,6 +2992,32 @@ _ebtablesUnlinkRootChain(virBufferPtr buf,
 
 
 static void
+_ebtablesUnlinkRootChainFW(virFirewallPtr fw,
+                           bool incoming, const char *ifname,
+                           int isTempChain)
+{
+    char chain[MAX_CHAINNAME_LENGTH];
+    char chainPrefix;
+
+    if (isTempChain) {
+        chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
+                               : CHAINPREFIX_HOST_OUT_TEMP;
+    } else {
+        chainPrefix = incoming ? CHAINPREFIX_HOST_IN
+                               : CHAINPREFIX_HOST_OUT;
+    }
+
+    PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                       "-t", "nat", "-D",
+                       incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+                       incoming ? "-i" : "-o",
+                       ifname, "-j", chain, NULL);
+}
+
+
+static void
 ebtablesUnlinkRootChain(virBufferPtr buf,
                         bool incoming, const char *ifname)
 {
@@ -2853,6 +3026,14 @@ ebtablesUnlinkRootChain(virBufferPtr buf,
 
 
 static void
+ebtablesUnlinkRootChainFW(virFirewallPtr fw,
+                          bool incoming, const char *ifname)
+{
+    _ebtablesUnlinkRootChainFW(fw, incoming, ifname, false);
+}
+
+
+static void
 ebtablesUnlinkTmpRootChain(virBufferPtr buf,
                            bool incoming, const char *ifname)
 {
@@ -2972,6 +3153,58 @@ _ebtablesRemoveSubChains(virBufferPtr buf,
     virBufferAddLit(buf, "rm_chains $chains\n");
 }
 
+
+static int
+ebtablesRemoveSubChainsQuery(virFirewallPtr fw,
+                             const char *const *lines,
+                             void *opaque)
+{
+    size_t i, j;
+    const char *chains = opaque;
+
+    for (i = 0; lines[i] != NULL; i++) {
+        VIR_DEBUG("Considering '%s'", lines[i]);
+        char *tmp = strstr(lines[i], "-j ");
+        if (!tmp)
+            continue;
+        tmp = tmp + 3;
+        for (j = 0; chains[j]; j++) {
+            if (tmp[0] == chains[j] &&
+                tmp[1] == '-') {
+                VIR_DEBUG("Processing chain '%s'", tmp);
+                virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                       false, ebtablesRemoveSubChainsQuery,
+                                       (void *)chains,
+                                        "-t", "nat", "-L", tmp, NULL);
+                virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                   "-t", "nat", "-F", tmp, NULL);
+                virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                   "-t", "nat", "-X", tmp, NULL);
+            }
+        }
+    }
+
+    return 0;
+}
+
+
+static void
+_ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+                           const char *ifname,
+                           const char *chains)
+{
+    char rootchain[MAX_CHAINNAME_LENGTH];
+    size_t i;
+
+    for (i = 0; chains[i] != 0; i++) {
+        PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
+        virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                               false, ebtablesRemoveSubChainsQuery,
+                               (void *)chains,
+                               "-t", "nat", "-L", rootchain, NULL);
+    }
+}
+
 static void
 ebtablesRemoveSubChains(virBufferPtr buf,
                         const char *ifname)
@@ -2986,6 +3219,19 @@ ebtablesRemoveSubChains(virBufferPtr buf,
 }
 
 static void
+ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+                          const char *ifname)
+{
+    char chains[3] = {
+        CHAINPREFIX_HOST_IN,
+        CHAINPREFIX_HOST_OUT,
+        0
+    };
+
+    _ebtablesRemoveSubChainsFW(fw, ifname, chains);
+}
+
+static void
 ebtablesRemoveTmpSubChains(virBufferPtr buf,
                            const char *ifname)
 {
@@ -4052,43 +4298,37 @@ ebiptablesTearOldRules(const char *ifname)
  * Unconditionally remove all possible user defined tables and rules
  * that were created for the given interface (ifname).
  *
- * Always returns 0.
+ * Returns 0 on success, -1 on OOM
  */
 static int
 ebiptablesAllTeardown(const char *ifname)
 {
-    virBuffer buf = VIR_BUFFER_INITIALIZER;
-
-    if (iptables_cmd_path) {
-        NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+    virFirewallPtr fw = virFirewallNew();
+    int ret = -1;
 
-        iptablesUnlinkRootChains(&buf, ifname);
-        iptablesClearVirtInPost(&buf, ifname);
-        iptablesRemoveRootChains(&buf, ifname);
-    }
+    virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
 
-    if (ip6tables_cmd_path) {
-        NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+    iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+    iptablesClearVirtInPostFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+    iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
 
-        iptablesUnlinkRootChains(&buf, ifname);
-        iptablesClearVirtInPost(&buf, ifname);
-        iptablesRemoveRootChains(&buf, ifname);
-    }
+    iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+    iptablesClearVirtInPostFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+    iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
 
-    if (ebtables_cmd_path) {
-        NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+    ebtablesUnlinkRootChainFW(fw, true, ifname);
+    ebtablesUnlinkRootChainFW(fw, false, ifname);
 
-        ebtablesUnlinkRootChain(&buf, true, ifname);
-        ebtablesUnlinkRootChain(&buf, false, ifname);
+    ebtablesRemoveSubChainsFW(fw, ifname);
 
-        ebtablesRemoveSubChains(&buf, ifname);
+    ebtablesRemoveRootChainFW(fw, true, ifname);
+    ebtablesRemoveRootChainFW(fw, false, ifname);
 
-        ebtablesRemoveRootChain(&buf, true, ifname);
-        ebtablesRemoveRootChain(&buf, false, ifname);
-    }
-    ebiptablesExecCLI(&buf, true, NULL);
-
-    return 0;
+    virMutexLock(&execCLIMutex);
+    ret = virFirewallApply(fw);
+    virMutexUnlock(&execCLIMutex);
+    virFirewallFree(fw);
+    return ret;
 }
 
 
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 75e723f..9547c02 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -268,6 +268,10 @@ endif WITH_STORAGE_SHEEPDOG
 
 test_programs += nwfilterxml2xmltest
 
+if WITH_NWFILTER
+test_programs += nwfilterebiptablestest
+endif WITH_NWFILTER
+
 if WITH_STORAGE
 test_programs += storagevolxml2argvtest
 endif WITH_STORAGE
@@ -687,6 +691,13 @@ nwfilterxml2xmltest_SOURCES = \
 	testutils.c testutils.h
 nwfilterxml2xmltest_LDADD = $(LDADDS)
 
+if WITH_NWFILTER
+nwfilterebiptablestest_SOURCES = \
+	nwfilterebiptablestest.c \
+	testutils.c testutils.h
+nwfilterebiptablestest_LDADD = ../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
+endif WITH_NWFILTER
+
 secretxml2xmltest_SOURCES = \
 	secretxml2xmltest.c \
 	testutils.c testutils.h
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
new file mode 100644
index 0000000..c05682b
--- /dev/null
+++ b/tests/nwfilterebiptablestest.c
@@ -0,0 +1,116 @@
+/*
+ * nwfilterebiptablestest.c: Test {eb,ip,ip6}tables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#include "testutils.h"
+#include "nwfilter/nwfilter_ebiptables_driver.h"
+#include "virbuffer.h"
+
+#define __VIR_FIREWALL_PRIV_H_ALLOW__
+#include "virfirewallpriv.h"
+
+#define __VIR_COMMAND_PRIV_H_ALLOW__
+#include "vircommandpriv.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+static int
+testNWFilterEBIPTablesAllTeardown(const void *opaque ATTRIBUTE_UNUSED)
+{
+    virBuffer buf = VIR_BUFFER_INITIALIZER;
+    const char *expected =
+        "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "/usr/sbin/iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "/usr/sbin/iptables -F FO-vnet0\n"
+        "/usr/sbin/iptables -X FO-vnet0\n"
+        "/usr/sbin/iptables -F FI-vnet0\n"
+        "/usr/sbin/iptables -X FI-vnet0\n"
+        "/usr/sbin/iptables -F HI-vnet0\n"
+        "/usr/sbin/iptables -X HI-vnet0\n"
+        "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "/usr/sbin/ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "/usr/sbin/ip6tables -F FO-vnet0\n"
+        "/usr/sbin/ip6tables -X FO-vnet0\n"
+        "/usr/sbin/ip6tables -F FI-vnet0\n"
+        "/usr/sbin/ip6tables -X FI-vnet0\n"
+        "/usr/sbin/ip6tables -F HI-vnet0\n"
+        "/usr/sbin/ip6tables -X HI-vnet0\n"
+        "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+        "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+        "/usr/sbin/ebtables -t nat -L libvirt-I-vnet0\n"
+        "/usr/sbin/ebtables -t nat -L libvirt-O-vnet0\n"
+        "/usr/sbin/ebtables -t nat -F libvirt-I-vnet0\n"
+        "/usr/sbin/ebtables -t nat -X libvirt-I-vnet0\n"
+        "/usr/sbin/ebtables -t nat -F libvirt-O-vnet0\n"
+        "/usr/sbin/ebtables -t nat -X libvirt-O-vnet0\n";
+    const char *actual = NULL;
+    int ret = -1;
+
+    virCommandSetDryRun(&buf, NULL, NULL);
+
+    if (ebiptables_driver.allTeardown("vnet0") < 0)
+        goto cleanup;
+
+    if (virBufferError(&buf))
+        goto cleanup;
+
+    actual = virBufferCurrentContent(&buf);
+
+    if (STRNEQ_NULLABLE(actual, expected)) {
+        virtTestDifference(stderr, actual, expected);
+        goto cleanup;
+    }
+
+    ret = 0;
+ cleanup:
+    virCommandSetDryRun(NULL, NULL, NULL);
+    virBufferFreeAndReset(&buf);
+    return ret;
+}
+
+
+static int
+mymain(void)
+{
+    int ret = 0;
+
+    if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+        ret = -1;
+        goto cleanup;
+    }
+
+    if (virtTestRun("ebiptablesAllTeardown",
+                    testNWFilterEBIPTablesAllTeardown,
+                    NULL) < 0)
+        ret = -1;
+
+ cleanup:
+    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
-- 
1.9.0

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]