On 8.4.2014 17:38, Daniel P. Berrange wrote:
> The network and nwfilter drivers both have a need to update
> firewall rules. They currently share no code for interacting
> with iptables / firewalld. The nwfilter driver is fairly
> tied to the concept of creating shell scripts to execute
> which makes it very hard to port to talk to firewalld via
> DBus APIs.
>
> This patch introduces a virFirewallPtr object which is able
> to represent a complete sequence of rule changes, with the
> ability to have multiple transactional checkpoints with
> rollbacks. By formally separating the definition of the rules
> to be applied from the mechanism used to apply them, it is
> also possible to write a firewall engine that uses firewalld
> DBus APIs natively instead of via the slow firewalld-cmd.
>
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> ---
>  include/libvirt/virterror.h |    1 +
>  po/POTFILES.in              |    1 +
>  src/Makefile.am             |    2 +
>  src/libvirt_private.syms    |   17 +
>  src/util/virerror.c         |    1 +
>  src/util/virfirewall.c      |  922 +++++++++++++++++++++++++++++++++
>  src/util/virfirewall.h      |  109 ++++
>  src/util/virfirewallpriv.h  |   45 ++
>  tests/Makefile.am           |    7 +
>  tests/testutils.c           |   18 +-
>  tests/virfirewalltest.c     | 1186 +++++++++++++++++++++++++++++++++++++++++++
>  11 files changed, 2305 insertions(+), 4 deletions(-)
>  create mode 100644 src/util/virfirewall.c
>  create mode 100644 src/util/virfirewall.h
>  create mode 100644 src/util/virfirewallpriv.h
>  create mode 100644 tests/virfirewalltest.c
[...]
> diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
> new file mode 100644
> index 0000000..b558d2f
> --- /dev/null
> +++ b/src/util/virfirewall.c
> @@ -0,0 +1,922 @@ [...] > +static virFirewallRulePtr > +virFirewallAddRuleFullV(virFirewallPtr firewall, > + virFirewallLayer layer, > + bool ignoreErrors, > + virFirewallQueryCallback cb, > + void *opaque, > + va_list args) > +{ > + virFirewallGroupPtr group; > + virFirewallRulePtr rule; > + char *str; > + > + VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall); > + > + if (firewall->ngroups == 0) { > + firewall->err = ENODATA; > + return NULL; > + } > + group = firewall->groups[firewall->currentGroup]; [...] > +void virFirewallStartRollback(virFirewallPtr firewall, > + unsigned int flags) > +{ > + virFirewallGroupPtr group; > + > + VIR_FIREWALL_RETURN_IF_ERROR(firewall); > + > + if (firewall->ngroups == 0) { > + firewall->err = ENODATA; > + return; > + } > + > + group = firewall->groups[firewall->ngroups-1]; > + group->rollbackFlags = flags; > + group->addingRollback = true; > +}

Hi Dan,

The ENODATA error is not defined in FreeBSD and I'm wondering whether it should be compiled there? If yes, then we have to add:

#ifndef ENODATA
# define ENODATA ENOMSG
#endif

into that file.

Pavel

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
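Review bot: in virFirewallAddRuleFullV, `firewall->err = ENODATA;` uses an errno value that is outside the POSIX base set and absent on FreeBSD, so this new file will not build there; either put a compatibility block such as `#ifndef ENODATA` / `# define ENODATA ENOMSG` / `#endif` near the top of virfirewall.c, or pick a base errno (EINVAL, say) for "no group has been started yet". Separately, this function looks up `firewall->groups[firewall->currentGroup]` while virFirewallStartRollback uses `firewall->groups[firewall->ngroups-1]`; if that difference is deliberate, a one-line comment at each site would stop the next reader from "unifying" them.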
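Review bot: virFirewallStartRollback copies `flags` straight into `group->rollbackFlags` with no validation visible in the hunk, so an unknown bit is silently accepted and stored; check the value against the flags the API accepts and record a failure in `firewall->err` the same way the `ngroups == 0` path does. The ENODATA here has the same FreeBSD build problem as the one in virFirewallAddRuleFullV, so whichever fix is chosen must cover both sites.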
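The commit message describes a firewall object that records a whole sequence of rule changes as transactional groups, each with its own rollback, separated from the engine that applies them. The following C program is an added example written for this page, not code from the patch or from libvirt: it models that design with invented names (fw_*, rule_t, group_t, cmdlog_t), applies the groups through a constructed logging backend that fails any command beginning with "FAIL", carries the ENODATA compatibility define discussed in the thread, and shows the sticky-error behaviour of adding a rule before any transaction is open.

```c
/* Added illustrative model of the design in the commit message (groups of rules with
 * per-group rollback, pluggable backend).  Not libvirt's virFirewall; all names invented. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifndef ENODATA            /* not in the POSIX base errno set; FreeBSD lacks it */
# define ENODATA ENOMSG
#endif
enum { MAX_RULES = 8, MAX_GROUPS = 4 };
typedef struct { const char *cmd; bool ignoreErrors; } rule_t;
typedef struct {
    rule_t action[MAX_RULES], rollback[MAX_RULES];
    size_t naction, nrollback;
    bool addingRollback;   /* set by fw_start_rollback: later rules go to rollback[] */
} group_t;
typedef struct {
    group_t groups[MAX_GROUPS];
    size_t ngroups;
    int err;               /* sticky error: once set, later calls are no-ops */
} firewall_t;
typedef int (*apply_fn)(const char *cmd, void *opaque);   /* 0 = ok, -1 = failed */
int fw_start_transaction(firewall_t *fw)
{
    if (fw->err) return -1;
    if (fw->ngroups == MAX_GROUPS) { fw->err = ENOSPC; return -1; }
    fw->ngroups++;
    return 0;
}
int fw_start_rollback(firewall_t *fw)
{
    if (fw->err) return -1;
    if (fw->ngroups == 0) { fw->err = ENODATA; return -1; }   /* no open transaction */
    fw->groups[fw->ngroups - 1].addingRollback = true;
    return 0;
}
int fw_add_rule(firewall_t *fw, bool ignoreErrors, const char *cmd)
{
    if (fw->err) return -1;
    if (fw->ngroups == 0) { fw->err = ENODATA; return -1; }   /* no open transaction */
    group_t *g = &fw->groups[fw->ngroups - 1];
    rule_t *list = g->addingRollback ? g->rollback : g->action;
    size_t *n = g->addingRollback ? &g->nrollback : &g->naction;
    if (*n == MAX_RULES) { fw->err = ENOSPC; return -1; }
    list[(*n)++] = (rule_t){ cmd, ignoreErrors };
    return 0;
}
/* Apply groups in order.  On a non-ignored failure, run the rollback rules of the failing
 * group and of every earlier group, newest first, ignoring their errors, then return -1. */
int fw_apply(firewall_t *fw, apply_fn fn, void *opaque)
{
    if (fw->err) { errno = fw->err; return -1; }
    for (size_t i = 0; i < fw->ngroups; i++) {
        const group_t *g = &fw->groups[i];
        for (size_t r = 0; r < g->naction; r++) {
            if (fn(g->action[r].cmd, opaque) == 0 || g->action[r].ignoreErrors)
                continue;
            for (size_t j = i + 1; j-- > 0; )
                for (size_t k = 0; k < fw->groups[j].nrollback; k++)
                    (void)fn(fw->groups[j].rollback[k].cmd, opaque);
            return -1;
        }
    }
    return 0;
}
/* Constructed test backend: logs every command and fails those starting with "FAIL". */
typedef struct { char buf[128]; } cmdlog_t;
static int logging_backend(const char *cmd, void *opaque)
{
    cmdlog_t *log = opaque;
    size_t used = strlen(log->buf);
    snprintf(log->buf + used, sizeof log->buf - used, "%s;", cmd);
    return strncmp(cmd, "FAIL", 4) == 0 ? -1 : 0;
}
/* Two transactions: the second tolerates one failure, then fails hard. */
int run_demo(char *out, size_t outlen)
{
    firewall_t fw = { 0 };
    cmdlog_t log = { { 0 } };
    fw_start_transaction(&fw);
    fw_add_rule(&fw, false, "add A");
    fw_start_rollback(&fw);
    fw_add_rule(&fw, false, "del A");
    fw_start_transaction(&fw);
    fw_add_rule(&fw, true,  "FAIL add B");   /* tolerated via ignoreErrors */
    fw_add_rule(&fw, false, "FAIL add C");   /* fatal: rolls back both groups */
    fw_start_rollback(&fw);
    fw_add_rule(&fw, false, "del C");
    int rc = fw_apply(&fw, logging_backend, &log);
    snprintf(out, outlen, "%s", log.buf);
    return rc;
}
int demo_rule_without_group(void)   /* the ENODATA path from the patch */
{
    firewall_t fw = { 0 };
    return fw_add_rule(&fw, false, "add X") < 0 ? fw.err : 0;
}
int main(void)
{
    char buf[128];
    printf("apply rc=%d; backend saw: %s\n", run_demo(buf, sizeof buf), buf);
    printf("no open transaction -> %s\n", strerror(demo_rule_without_group()));
    return 0;
}
```

Running it shows the backend receiving `add A;FAIL add B;FAIL add C;del C;del A;` and fw_apply returning -1: the tolerated failure of B does not abort the group, the fatal failure of C triggers the rollback rules of the second group and then of the first, and the ENODATA path is reached only when no transaction has been opened. Swapping logging_backend for one that shells out to iptables, or talks to firewalld, needs no change to the rule definitions, which is the separation the commit message argues for.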