[Libvir] [patch 9/9] Remove --with-iptables-dir
by Mark McLoughlin
--with-iptables-dir was added to integrate with
a proposed system for letting iptables know how to
reload our rules.
The idea was that we'd save our rules to a file
under /etc/sysconfig/iptables.d and the iptables
init script would load the rules from there when
it was reloading.
The proposed system wasn't accepted so, although
there might be some theoretical use for this other
than the lokkit support, let's just remove it
for now.
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/configure.in
===================================================================
--- libvirt.orig/configure.in 2008-01-04 15:24:39.000000000 +0000
+++ libvirt.orig/configure.in 2008-01-04 15:24:39.000000000 +0000
@@ -183,18 +183,6 @@ AM_CONDITIONAL(LIBVIRT_INIT_SCRIPTS_RED_
AC_MSG_RESULT($with_init_scripts)
dnl
-dnl also support saving the various chains to files
-dnl in e.g. /etc/sysconfig/iptables.d
-dnl
-AC_ARG_WITH(iptables-dir,
- AC_HELP_STRING([--with-iptables-dir=path],
- [directory used to save iptables chains, defaults to not saving]),
- [IPTABLES_DIR=$withval])
-if test x"$IPTABLES_DIR" != "x"; then
- AC_DEFINE_UNQUOTED(IPTABLES_DIR, "$IPTABLES_DIR", [directory used for saving iptables chains])
-fi
-
-dnl
dnl ensure that Fedora's system-config-firewall knows
dnl about libvirt's iptables rules
dnl
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-04 15:25:07.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-04 15:25:07.000000000 +0000
@@ -48,11 +48,6 @@
#define qemudLog(level, msg...) fprintf(stderr, msg)
-#ifdef ENABLE_IPTABLES_LOKKIT
-#undef IPTABLES_DIR
-#define IPTABLES_DIR LOCAL_STATE_DIR "/lib/libvirt/iptables"
-#endif
-
enum {
ADD = 0,
REMOVE
@@ -78,12 +73,12 @@ typedef struct
int nrules;
iptRule *rules;
-#ifdef IPTABLES_DIR
+#ifdef ENABLE_IPTABLES_LOKKIT
char dir[PATH_MAX];
char path[PATH_MAX];
-#endif /* IPTABLES_DIR */
+#endif /* ENABLE_IPTABLES_LOKKIT */
} iptRules;
@@ -137,7 +132,6 @@ iptablesSpawn(int errors, char * const *
return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : EINVAL;
}
-#ifdef IPTABLES_DIR
#ifdef ENABLE_IPTABLES_LOKKIT
static void
notifyRulesUpdated(const char *table,
@@ -238,7 +232,6 @@ notifyRulesRemoved(const char *table,
#undef MAX_FILE_LEN
}
-#endif /* ENABLE_IPTABLES_LOKKIT */
static int
writeRules(const char *path,
@@ -286,7 +279,7 @@ writeRules(const char *path,
return 0;
}
-#endif /* IPTABLES_DIR */
+#endif /* ENABLE_IPTABLES_LOKKIT */
static void
iptRuleFree(iptRule *rule)
@@ -328,7 +321,7 @@ iptRulesAppend(iptRules *rules,
rules->nrules++;
-#ifdef IPTABLES_DIR
+#ifdef ENABLE_IPTABLES_LOKKIT
{
int err;
@@ -339,12 +332,9 @@ iptRulesAppend(iptRules *rules,
return err;
}
-#ifdef ENABLE_IPTABLES_LOKKIT
notifyRulesUpdated(rules->table, rules->path);
#endif /* ENABLE_IPTABLES_LOKKIT */
-#endif /* IPTABLES_DIR */
-
return 0;
}
@@ -369,7 +359,7 @@ iptRulesRemove(iptRules *rules,
rules->nrules--;
-#ifdef IPTABLES_DIR
+#ifdef ENABLE_IPTABLES_LOKKIT
{
int err;
@@ -377,15 +367,12 @@ iptRulesRemove(iptRules *rules,
return err;
}
-#ifdef ENABLE_IPTABLES_LOKKIT
if (rules->nrules > 0)
notifyRulesUpdated(rules->table, rules->path);
else
notifyRulesRemoved(rules->table, rules->path);
#endif /* ENABLE_IPTABLES_LOKKIT */
-#endif /* IPTABLES_DIR */
-
return 0;
}
@@ -415,10 +402,10 @@ iptRulesFree(iptRules *rules)
rules->nrules = 0;
}
-#ifdef IPTABLES_DIR
+#ifdef ENABLE_IPTABLES_LOKKIT
rules->dir[0] = '\0';
rules->path[0] = '\0';
-#endif /* IPTABLES_DIR */
+#endif /* ENABLE_IPTABLES_LOKKIT */
free(rules);
}
@@ -441,13 +428,14 @@ iptRulesNew(const char *table,
rules->rules = NULL;
rules->nrules = 0;
-#ifdef IPTABLES_DIR
- if (virFileBuildPath(IPTABLES_DIR, table, NULL, rules->dir, sizeof(rules->dir)) < 0)
+#ifdef ENABLE_IPTABLES_LOKKIT
+ if (virFileBuildPath(LOCAL_STATE_DIR "/lib/libvirt/iptables", table, NULL,
+ rules->dir, sizeof(rules->dir)) < 0)
goto error;
if (virFileBuildPath(rules->dir, chain, ".chain", rules->path, sizeof(rules->path)) < 0)
goto error;
-#endif /* IPTABLES_DIR */
+#endif /* ENABLE_IPTABLES_LOKKIT */
return rules;
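Review bot: The rules directory is now spelled out as an inline literal `LOCAL_STATE_DIR "/lib/libvirt/iptables"` in iptRulesNew, where the macro this patch deletes at least gave it a name; any future caller (a cleanup path, or the notify helpers) would have to repeat the string. Keep a named constant inside the lokkit block, e.g. `#define LOKKIT_RULES_DIR LOCAL_STATE_DIR "/lib/libvirt/iptables"` next to the other ENABLE_IPTABLES_LOKKIT definitions, and use it here. iptRulesNew continues past the end of the hunk.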
--
[Libvir] [patch 8/9] Remove --with-iptables-prefix
by Mark McLoughlin
--with-iptables-prefix was added to integrate with
a proposed system for letting iptables know how to
reload our rules.
The idea was that we'd add our rules to a chain
like libvirt-INPUT rather than INPUT, and there'd
be a configuration file which would specify whether
INPUT should include libvirt-INPUT.
The proposed system wasn't accepted so, although
there might be some other theoretical use for this,
let's just remove it.
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/configure.in
===================================================================
--- libvirt.orig/configure.in 2008-01-04 14:51:29.000000000 +0000
+++ libvirt.orig/configure.in 2008-01-04 14:51:29.000000000 +0000
@@ -183,16 +183,6 @@ AM_CONDITIONAL(LIBVIRT_INIT_SCRIPTS_RED_
AC_MSG_RESULT($with_init_scripts)
dnl
-dnl allow the creation of iptables rules in chains with a
-dnl specific prefix rather than in the standard toplevel chains
-dnl
-AC_ARG_WITH(iptables-prefix,
- AC_HELP_STRING([--with-iptables-prefix=prefix],
- [prefix used for iptables chains, default is to use standard toplevel chains]),
- [IPTABLES_PREFIX=$withval])
-AC_DEFINE_UNQUOTED(IPTABLES_PREFIX, "$IPTABLES_PREFIX", [prefix used for iptables chains])
-
-dnl
dnl also support saving the various chains to files
dnl in e.g. /etc/sysconfig/iptables.d
dnl
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-04 15:17:18.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-04 15:17:18.000000000 +0000
@@ -636,13 +636,13 @@ iptablesContextNew(void)
if (!(ctx = calloc(1, sizeof (*ctx))))
return NULL;
- if (!(ctx->input_filter = iptRulesNew("filter", IPTABLES_PREFIX "INPUT")))
+ if (!(ctx->input_filter = iptRulesNew("filter", "INPUT")))
goto error;
- if (!(ctx->forward_filter = iptRulesNew("filter", IPTABLES_PREFIX "FORWARD")))
+ if (!(ctx->forward_filter = iptRulesNew("filter", "FORWARD")))
goto error;
- if (!(ctx->nat_postrouting = iptRulesNew("nat", IPTABLES_PREFIX "POSTROUTING")))
+ if (!(ctx->nat_postrouting = iptRulesNew("nat", "POSTROUTING")))
goto error;
return ctx;
--
[Libvir] [patch 7/9] Add support for lokkit
by Mark McLoughlin
Add support for integrating our iptables support with Fedora's
iptables configuration using the lokkit --custom-rules command.
Basically, we write out our rules to /var/lib/libvirt/iptables
and run lokkit --custom-rules so that if e.g. iptables is
restarted or the user edits their firewall configuration, then
libvirt's rules get reloaded.
The slightly nasty bit is that rather than running something
like lokkit --remove-custom-rules, we have to grub around
in /etc/sysconfig/system-config-firewall to remove our
rules files.
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/configure.in
===================================================================
--- libvirt.orig/configure.in 2008-01-04 14:48:49.000000000 +0000
+++ libvirt.orig/configure.in 2008-01-04 14:48:49.000000000 +0000
@@ -204,6 +204,20 @@ if test x"$IPTABLES_DIR" != "x"; then
AC_DEFINE_UNQUOTED(IPTABLES_DIR, "$IPTABLES_DIR", [directory used for saving iptables chains])
fi
+dnl
+dnl ensure that Fedora's system-config-firewall knows
+dnl about libvirt's iptables rules
+dnl
+AC_ARG_ENABLE(iptables-lokkit,
+ AC_HELP_STRING([--enable-iptables-lokkit=no/yes],
+ [enable registering libvirt's iptables rules with Fedora's lokkit]),
+ [],[enable_iptables_lokkit=no])
+if test x"$enable_iptables_lokkit" = x"yes"; then
+ AC_DEFINE(ENABLE_IPTABLES_LOKKIT, [], [whether support for Fedora's lokkit is enabled])
+ AC_PATH_PROG(LOKKIT_PATH, lokkit, /usr/sbin/lokkit)
+ AC_DEFINE_UNQUOTED(LOKKIT_PATH, "$LOKKIT_PATH", [path to lokkit binary])
+fi
+
AC_PATH_PROG(IPTABLES_PATH, iptables, /sbin/iptables)
AC_DEFINE_UNQUOTED(IPTABLES_PATH, "$IPTABLES_PATH", [path to iptables binary])
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-04 14:51:29.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-04 14:51:29.000000000 +0000
@@ -48,6 +48,11 @@
#define qemudLog(level, msg...) fprintf(stderr, msg)
+#ifdef ENABLE_IPTABLES_LOKKIT
+#undef IPTABLES_DIR
+#define IPTABLES_DIR LOCAL_STATE_DIR "/lib/libvirt/iptables"
+#endif
+
enum {
ADD = 0,
REMOVE
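Review bot: The `#undef IPTABLES_DIR` silently discards whatever `--with-iptables-dir` was given at configure time once lokkit support is enabled, and nothing tells the builder that the two options conflict. Either reject the combination in configure.in or at least document the override here, e.g. `/* lokkit needs the rules under LOCAL_STATE_DIR; this overrides --with-iptables-dir */`.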
@@ -133,6 +138,108 @@ iptablesSpawn(int errors, char * const *
}
#ifdef IPTABLES_DIR
+#ifdef ENABLE_IPTABLES_LOKKIT
+static void
+notifyRulesUpdated(const char *table,
+ const char *path)
+{
+ char arg[PATH_MAX];
+ char *argv[4];
+ int retval;
+
+ snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
+
+ argv[0] = (char *) LOKKIT_PATH;
+ argv[1] = (char *) "--nostart";
+ argv[2] = arg;
+ argv[3] = NULL;
+
+ if ((retval = iptablesSpawn(WITH_ERRORS, argv)))
+ qemudLog(QEMUD_WARN, "Failed to run '" LOKKIT_PATH " %s' : %s",
+ arg, strerror(retval));
+}
+
+static int
+stripLine(char *str, int len, const char *line)
+{
+ char *s, *p;
+ int changed;
+
+ changed = 0;
+ s = str;
+
+ while ((p = strchr(s, '\n'))) {
+ if (p == s || strncmp(s, line, p - s) != 0) {
+ s = ++p;
+ continue;
+ }
+
+ ++p;
+ memmove(s, p, len - (p - str) + 1);
+ len -= p - s;
+ changed = 1;
+ }
+
+ if (strcmp(s, line) == 0) {
+ *s = '\0';
+ changed = 1;
+ }
+
+ return changed;
+}
+
+static void
+notifyRulesRemoved(const char *table,
+ const char *path)
+{
+/* 10 MB limit on config file size as a sanity check */
+#define MAX_FILE_LEN (1024*1024*10)
+
+ char arg[PATH_MAX];
+ char *content;
+ int len;
+ FILE *f = NULL;
+
+ len = virFileReadAll(SYSCONF_DIR "/sysconfig/system-config-firewall",
+ MAX_FILE_LEN, &content);
+ if (len < 0) {
+ qemudLog(QEMUD_WARN, "Failed to read " SYSCONF_DIR "/sysconfig/system-config-firewall");
+ return;
+ }
+
+ snprintf(arg, sizeof(arg), "--custom-rules=ipv4:%s:%s", table, path);
+
+ if (!stripLine(content, len, arg)) {
+ free(content);
+ return;
+ }
+
+ if (!(f = fopen(SYSCONF_DIR "/sysconfig/system-config-firewall", "w")))
+ goto write_error;
+
+ if (fputs(content, f) == EOF)
+ goto write_error;
+
+ if (fclose(f) == EOF) {
+ f = NULL;
+ goto write_error;
+ }
+
+ free(content);
+
+ return;
+
+ write_error:
+ qemudLog(QEMUD_WARN, "Failed to write to " SYSCONF_DIR "/sysconfig/system-config-firewall : %s",
+ strerror(errno));
+ if (f)
+ fclose(f);
+ free(content);
+
+#undef MAX_FILE_LEN
+}
+#endif /* ENABLE_IPTABLES_LOKKIT */
+
static int
writeRules(const char *path,
const iptRule *rules,
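Review bot: stripLine removes a file line whenever it is a prefix of `line`, because `strncmp(s, line, p - s)` compares only `p - s` characters, so a registered rules entry whose text is a prefix of the one being removed would be stripped along with it. Require equal length as well: `if (p == s || (size_t)(p - s) != strlen(line) || strncmp(s, line, p - s) != 0) {`. Both `snprintf(arg, sizeof(arg), ...)` calls in notifyRulesUpdated and notifyRulesRemoved ignore the return value, so a truncated `--custom-rules=` argument would be handed to lokkit or searched for in the config file; check `>= sizeof(arg)` and log a warning instead. notifyRulesRemoved also rewrites `SYSCONF_DIR "/sysconfig/system-config-firewall"` in place with fopen("w"), so a crash or write error between the truncation and fclose leaves the firewall configuration empty; writing to a temporary file in the same directory and rename()ing it over the original would keep the file intact on failure. Whether virFileReadAll NUL-terminates `content`, which stripLine's strchr/strcmp rely on, is not visible here.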
@@ -231,6 +338,11 @@ iptRulesAppend(iptRules *rules,
if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
return err;
}
+
+#ifdef ENABLE_IPTABLES_LOKKIT
+ notifyRulesUpdated(rules->table, rules->path);
+#endif /* ENABLE_IPTABLES_LOKKIT */
+
#endif /* IPTABLES_DIR */
return 0;
@@ -264,6 +376,14 @@ iptRulesRemove(iptRules *rules,
if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
return err;
}
+
+#ifdef ENABLE_IPTABLES_LOKKIT
+ if (rules->nrules > 0)
+ notifyRulesUpdated(rules->table, rules->path);
+ else
+ notifyRulesRemoved(rules->table, rules->path);
+#endif /* ENABLE_IPTABLES_LOKKIT */
+
#endif /* IPTABLES_DIR */
return 0;
--
[Libvir] [patch 6/9] Move iptablesSpawn()
by Mark McLoughlin
The next patch requires iptablesSpawn() higher up in
the file. This patch just moves the code around; there
is no functional change.
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-04 11:55:21.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-04 11:55:21.000000000 +0000
@@ -89,6 +89,49 @@ struct _iptablesContext
iptRules *nat_postrouting;
};
+static int
+iptablesSpawn(int errors, char * const *argv)
+{
+ pid_t pid, ret;
+ int status;
+ int null = -1;
+
+ if (errors == NO_ERRORS && (null = open(_PATH_DEVNULL, O_RDONLY)) < 0)
+ return errno;
+
+ pid = fork();
+ if (pid == -1) {
+ if (errors == NO_ERRORS)
+ close(null);
+ return errno;
+ }
+
+ if (pid == 0) { /* child */
+ if (errors == NO_ERRORS) {
+ dup2(null, STDIN_FILENO);
+ dup2(null, STDOUT_FILENO);
+ dup2(null, STDERR_FILENO);
+ close(null);
+ }
+
+ execvp(argv[0], argv);
+
+ _exit (1);
+ }
+
+ if (errors == NO_ERRORS)
+ close(null);
+
+ while ((ret = waitpid(pid, &status, 0) == -1) && errno == EINTR);
+ if (ret == -1)
+ return errno;
+
+ if (errors == NO_ERRORS)
+ return 0;
+ else
+ return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : EINVAL;
+}
+
#ifdef IPTABLES_DIR
static int
writeRules(const char *path,
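Review bot: The waitpid loop in iptablesSpawn has a precedence bug: `(ret = waitpid(pid, &status, 0) == -1)` assigns the comparison result to `ret`, so `ret` is only ever 0 or 1, the `if (ret == -1)` check never fires, and a waitpid failure other than EINTR falls through to `WIFEXITED(status)` on an uninitialized `status`. The line should be `while ((ret = waitpid(pid, &status, 0)) == -1 && errno == EINTR);`. Also, `null` is opened O_RDONLY but dup2'd onto STDOUT_FILENO and STDERR_FILENO in the child, so anything the command writes fails with EBADF instead of being discarded; open it with `O_RDWR`. The commit message says this is a pure move, so these may belong in a follow-up, but the moved code is what ends up under review.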
@@ -294,49 +337,6 @@ iptRulesNew(const char *table,
}
static int
-iptablesSpawn(int errors, char * const *argv)
-{
- pid_t pid, ret;
- int status;
- int null = -1;
-
- if (errors == NO_ERRORS && (null = open(_PATH_DEVNULL, O_RDONLY)) < 0)
- return errno;
-
- pid = fork();
- if (pid == -1) {
- if (errors == NO_ERRORS)
- close(null);
- return errno;
- }
-
- if (pid == 0) { /* child */
- if (errors == NO_ERRORS) {
- dup2(null, STDIN_FILENO);
- dup2(null, STDOUT_FILENO);
- dup2(null, STDERR_FILENO);
- close(null);
- }
-
- execvp(argv[0], argv);
-
- _exit (1);
- }
-
- if (errors == NO_ERRORS)
- close(null);
-
- while ((ret = waitpid(pid, &status, 0) == -1) && errno == EINTR);
- if (ret == -1)
- return errno;
-
- if (errors == NO_ERRORS)
- return 0;
- else
- return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : EINVAL;
-}
-
-static int
iptablesAddRemoveChain(iptRules *rules, int action)
{
char **argv;
--
[Libvir] [patch 5/9] Include the iptables command and chain name in the saved rules file
by Mark McLoughlin
lokkit --custom-rules expects the passed file to include the
iptables command and chain name (e.g. "--insert INPUT") rather
than just the rest of the arguments.
Add both of those to what will be saved to the rules file
and simplify the resulting code by splitting out an
argvToString() helper function.
The one complication is that when we're removing a rule
we need to make sure we don't search for it using
"--delete" rather than "--insert". For that reason,
only change the argument to "--delete" once we've
constructed the string we use to search through the
existing rules.
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-04 12:09:05.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-04 12:09:05.000000000 +0000
@@ -380,37 +380,55 @@ iptablesAddRemoveChain(iptRules *rules,
return retval;
}
+static char *
+argvToString(char **argv)
+{
+ int len, i;
+ char *ret, *p;
+
+ for (len = 1, i = 0; argv[i]; i++)
+ len += strlen(argv[i]) + 1;
+
+ if (!(p = ret = (char *)malloc(len)))
+ return NULL;
+
+ for (i = 0; argv[i]; i++) {
+ if (i != 0)
+ *(p++) = ' ';
+
+ strcpy(p, argv[i]);
+ p += strlen(argv[i]);
+ }
+
+ *p = '\0';
+
+ return ret;
+}
+
static int
iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...)
{
va_list args;
int retval = ENOMEM;
char **argv;
- char *rule = NULL, *p;
+ char *rule = NULL;
const char *s;
- int n, rulelen, command_idx;
+ int n, command_idx;
n = 1 + /* /sbin/iptables */
2 + /* --table foo */
2 + /* --insert bar */
1; /* arg */
- rulelen = strlen(arg) + 1;
-
va_start(args, arg);
- while ((s = va_arg(args, const char *))) {
+ while ((s = va_arg(args, const char *)))
n++;
- rulelen += strlen(s) + 1;
- }
va_end(args);
if (!(argv = calloc(n + 1, sizeof(*argv))))
goto error;
- if (!(rule = (char *)malloc(rulelen)))
- goto error;
-
n = 0;
if (!(argv[n++] = strdup(IPTABLES_PATH)))
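Review bot: argvToString calls `strlen(argv[i])` twice per argument, keeps the running length in an `int`, and casts the result of malloc, which is unnecessary in C. A tidier form is `size_t len = 1;` for the counting loop, `if (!(p = ret = malloc(len))) return NULL;`, and in the copy loop `size_t l = strlen(argv[i]); memcpy(p, argv[i], l); p += l;`. iptablesAddRemoveRule continues past the end of the hunk.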
@@ -424,7 +442,7 @@ iptablesAddRemoveRule(iptRules *rules, i
command_idx = n;
- if (!(argv[n++] = strdup(action == ADD ? "--insert" : "--delete")))
+ if (!(argv[n++] = strdup("--insert")))
goto error;
if (!(argv[n++] = strdup(rules->chain)))
@@ -433,23 +451,22 @@ iptablesAddRemoveRule(iptRules *rules, i
if (!(argv[n++] = strdup(arg)))
goto error;
- p = strcpy(rule, arg);
- p += strlen(arg);
-
va_start(args, arg);
- while ((s = va_arg(args, const char *))) {
+ while ((s = va_arg(args, const char *)))
if (!(argv[n++] = strdup(s)))
goto error;
- *(p++) = ' ';
- strcpy(p, s);
- p += strlen(s);
- }
-
va_end(args);
- *p = '\0';
+ if (!(rule = argvToString(&argv[command_idx])))
+ goto error;
+
+ if (action == REMOVE) {
+ free(argv[command_idx]);
+ if (!(argv[command_idx] = strdup("--delete")))
+ goto error;
+ }
if (action == ADD &&
(retval = iptablesAddRemoveChain(rules, action)))
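Review bot: In the REMOVE branch, `free(argv[command_idx])` runs before the replacement `strdup("--delete")`, so if that strdup fails `argv[command_idx]` is NULL while the entries after it are still allocated; if the error path (outside this hunk) releases argv by walking until the first NULL, those entries leak. Allocate the replacement first and only then free the old string: `char *del = strdup("--delete"); if (!del) goto error; free(argv[command_idx]); argv[command_idx] = del;`. The function continues past the end of the hunk.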
--
[Libvir] [patch 4/9] Re-name the "flipflop" variable to "command_idx"
by Mark McLoughlin
The "flipflop" variable marks the index into argv where
the "--insert" is at, so that when we're reloading the
rules we can easily change it to "--delete" and back
again.
It's a rather silly name, and the next patch is going
to make more use out of it, so let's use the more sane
"command_idx" name.
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-04 10:00:03.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-04 10:00:03.000000000 +0000
@@ -62,7 +62,7 @@ typedef struct
{
char *rule;
char **argv;
- int flipflop;
+ int command_idx;
} iptRule;
typedef struct
@@ -158,7 +158,7 @@ static int
iptRulesAppend(iptRules *rules,
char *rule,
char **argv,
- int flipflop)
+ int command_idx)
{
iptRule *r;
@@ -172,9 +172,9 @@ iptRulesAppend(iptRules *rules,
rules->rules = r;
- rules->rules[rules->nrules].rule = rule;
- rules->rules[rules->nrules].argv = argv;
- rules->rules[rules->nrules].flipflop = flipflop;
+ rules->rules[rules->nrules].rule = rule;
+ rules->rules[rules->nrules].argv = argv;
+ rules->rules[rules->nrules].command_idx = command_idx;
rules->nrules++;
@@ -388,7 +388,7 @@ iptablesAddRemoveRule(iptRules *rules, i
char **argv;
char *rule = NULL, *p;
const char *s;
- int n, rulelen, flipflop;
+ int n, rulelen, command_idx;
n = 1 + /* /sbin/iptables */
2 + /* --table foo */
@@ -422,7 +422,7 @@ iptablesAddRemoveRule(iptRules *rules, i
if (!(argv[n++] = strdup(rules->table)))
goto error;
- flipflop = n;
+ command_idx = n;
if (!(argv[n++] = strdup(action == ADD ? "--insert" : "--delete")))
goto error;
@@ -463,7 +463,7 @@ iptablesAddRemoveRule(iptRules *rules, i
goto error;
if (action == ADD) {
- retval = iptRulesAppend(rules, rule, argv, flipflop);
+ retval = iptRulesAppend(rules, rule, argv, command_idx);
rule = NULL;
argv = NULL;
} else {
@@ -543,14 +543,14 @@ iptRulesReload(iptRules *rules)
iptRule *rule = &rules->rules[i];
char *orig;
- orig = rule->argv[rule->flipflop];
- rule->argv[rule->flipflop] = (char *) "--delete";
+ orig = rule->argv[rule->command_idx];
+ rule->argv[rule->command_idx] = (char *) "--delete";
if ((retval = iptablesSpawn(WITH_ERRORS, rule->argv)))
qemudLog(QEMUD_WARN, "Failed to remove iptables rule '%s' from chain '%s' in table '%s': %s",
rule->rule, rules->chain, rules->table, strerror(retval));
- rule->argv[rule->flipflop] = orig;
+ rule->argv[rule->command_idx] = orig;
}
if ((retval = iptablesAddRemoveChain(rules, REMOVE)) ||
--
[Libvir] [patch 3/9] Make iptables code use common utils
by Mark McLoughlin
utils.c has grown some functions since the iptables code
was written - make use of virFileMakePath() and virFileBuildPath().
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-04 09:46:19.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-04 09:46:19.000000000 +0000
@@ -44,6 +44,7 @@
#include "internal.h"
#include "iptables.h"
+#include "util.h"
#define qemudLog(level, msg...) fprintf(stderr, msg)
@@ -135,60 +136,6 @@ writeRules(const char *path,
return 0;
}
-
-static int
-ensureDir(const char *path)
-{
- struct stat st;
- char parent[PATH_MAX];
- char *p;
- int err;
-
- if (stat(path, &st) >= 0)
- return 0;
-
- strncpy(parent, path, PATH_MAX);
- parent[PATH_MAX - 1] = '\0';
-
- if (!(p = strrchr(parent, '/')))
- return EINVAL;
-
- if (p == parent)
- return EPERM;
-
- *p = '\0';
-
- if ((err = ensureDir(parent)))
- return err;
-
- if (mkdir(path, 0700) < 0 && errno != EEXIST)
- return errno;
-
- return 0;
-}
-
-static int
-buildDir(const char *table,
- char *path,
- int maxlen)
-{
- if (snprintf(path, maxlen, IPTABLES_DIR "/%s", table) >= maxlen)
- return EINVAL;
- else
- return 0;
-}
-
-static int
-buildPath(const char *table,
- const char *chain,
- char *path,
- int maxlen)
-{
- if (snprintf(path, maxlen, IPTABLES_DIR "/%s/%s.chain", table, chain) >= maxlen)
- return EINVAL;
- else
- return 0;
-}
#endif /* IPTABLES_DIR */
static void
@@ -235,7 +182,7 @@ iptRulesAppend(iptRules *rules,
{
int err;
- if ((err = ensureDir(rules->dir)))
+ if ((err = virFileMakePath(rules->dir)))
return err;
if ((err = writeRules(rules->path, rules->rules, rules->nrules)))
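Review bot: `err = virFileMakePath(rules->dir)` is returned to the caller as an errno-style value, but the virFileBuildPath calls added in the same patch are checked with `< 0`; if virFileMakePath follows that `< 0` convention rather than the errno-returning one of the removed ensureDir, callers receive -1 and later pass it to strerror. The removed ensureDir created the directories with mode 0700; whether virFileMakePath applies an equally restrictive mode to the directory the rule files are written under cannot be seen here and is worth confirming, since those files are what gets loaded into the firewall. A one-line comment stating the expected convention, e.g. `/* virFileMakePath returns an errno value, not -1 */`, would make the assumption checkable.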
@@ -332,10 +279,10 @@ iptRulesNew(const char *table,
rules->nrules = 0;
#ifdef IPTABLES_DIR
- if (buildDir(table, rules->dir, sizeof(rules->dir)))
+ if (virFileBuildPath(IPTABLES_DIR, table, NULL, rules->dir, sizeof(rules->dir)) < 0)
goto error;
- if (buildPath(table, chain, rules->path, sizeof(rules->path)))
+ if (virFileBuildPath(rules->dir, chain, ".chain", rules->path, sizeof(rules->path)) < 0)
goto error;
#endif /* IPTABLES_DIR */
--
[Libvir] [patch 2/9] Fix minor iptables error logging issue
by Mark McLoughlin
Fix a minor issue with some error reporting in the iptables
code - namely that we use errno after it may have been set
to something other than the error reported.
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2008-01-04 11:46:38.000000000 +0000
+++ libvirt.orig/src/iptables.c 2008-01-04 11:46:38.000000000 +0000
@@ -601,7 +601,7 @@ iptRulesReload(iptRules *rules)
if ((retval = iptablesSpawn(WITH_ERRORS, rule->argv)))
qemudLog(QEMUD_WARN, "Failed to remove iptables rule '%s' from chain '%s' in table '%s': %s",
- rule->rule, rules->chain, rules->table, strerror(errno));
+ rule->rule, rules->chain, rules->table, strerror(retval));
rule->argv[rule->flipflop] = orig;
}
--
[Libvir] [patch 1/9] Fix compile error in --with-iptables-dir code
by Mark McLoughlin
It seems no-one ever used --with-iptables-dir, since it
doesn't compile :-)
Signed-off-by: Mark McLoughlin <markmc(a)redhat.com>
Index: libvirt/src/iptables.c
===================================================================
--- libvirt.orig/src/iptables.c 2007-12-13 09:05:31.000000000 +0000
+++ libvirt.orig/src/iptables.c 2007-12-13 09:05:31.000000000 +0000
@@ -91,7 +91,7 @@ struct _iptablesContext
#ifdef IPTABLES_DIR
static int
writeRules(const char *path,
- const iptRules *rules,
+ const iptRule *rules,
int nrules)
{
char tmp[PATH_MAX];
--