We don't use this method of reloading rules anymore, so we can just
kill the code.
This simplifies things a lot because we no longer need to keep a
table of the rules we've added.
* src/util/iptables.c: kill iptablesReloadRules()
---
src/libvirt_private.syms | 1 -
src/util/iptables.c | 155 +---------------------------------------------
src/util/iptables.h | 2 -
3 files changed, 3 insertions(+), 155 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 8d64b15..e5ba365 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -237,7 +237,6 @@ iptablesAddTcpInput;
iptablesAddUdpInput;
iptablesContextFree;
iptablesContextNew;
-iptablesReloadRules;
iptablesRemoveForwardAllowCross;
iptablesRemoveForwardAllowIn;
iptablesRemoveForwardAllowOut;
diff --git a/src/util/iptables.c b/src/util/iptables.c
index 8ac7786..3c02ea6 100644
--- a/src/util/iptables.c
+++ b/src/util/iptables.c
@@ -54,18 +54,8 @@ enum {
typedef struct
{
- char *rule;
- const char **argv;
- int command_idx;
-} iptRule;
-
-typedef struct
-{
char *table;
char *chain;
-
- int nrules;
- iptRule *rules;
} iptRules;
struct _iptablesContext
@@ -76,82 +66,10 @@ struct _iptablesContext
};
static void
-iptRuleFree(iptRule *rule)
-{
- VIR_FREE(rule->rule);
-
- if (rule->argv) {
- int i = 0;
- while (rule->argv[i])
- VIR_FREE(rule->argv[i++]);
- VIR_FREE(rule->argv);
- }
-}
-
-static int
-iptRulesAppend(iptRules *rules,
- char *rule,
- const char **argv,
- int command_idx)
-{
- if (VIR_REALLOC_N(rules->rules, rules->nrules+1) < 0) {
- int i = 0;
- while (argv[i])
- VIR_FREE(argv[i++]);
- VIR_FREE(argv);
- return ENOMEM;
- }
-
- rules->rules[rules->nrules].rule = rule;
- rules->rules[rules->nrules].argv = argv;
- rules->rules[rules->nrules].command_idx = command_idx;
-
- rules->nrules++;
-
- return 0;
-}
-
-static int
-iptRulesRemove(iptRules *rules,
- char *rule)
-{
- int i;
-
- for (i = 0; i < rules->nrules; i++)
- if (STREQ(rules->rules[i].rule, rule))
- break;
-
- if (i >= rules->nrules)
- return EINVAL;
-
- iptRuleFree(&rules->rules[i]);
-
- memmove(&rules->rules[i],
- &rules->rules[i+1],
- (rules->nrules - i - 1) * sizeof (iptRule));
-
- rules->nrules--;
-
- return 0;
-}
-
-static void
iptRulesFree(iptRules *rules)
{
- int i;
-
VIR_FREE(rules->table);
VIR_FREE(rules->chain);
-
- if (rules->rules) {
- for (i = 0; i < rules->nrules; i++)
- iptRuleFree(&rules->rules[i]);
-
- VIR_FREE(rules->rules);
-
- rules->nrules = 0;
- }
-
VIR_FREE(rules);
}
@@ -170,9 +88,6 @@ iptRulesNew(const char *table,
if (!(rules->chain = strdup(chain)))
goto error;
- rules->rules = NULL;
- rules->nrules = 0;
-
return rules;
error:
@@ -186,9 +101,8 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg,
...)
va_list args;
int retval = ENOMEM;
const char **argv;
- char *rule = NULL;
const char *s;
- int n, command_idx;
+ int n;
n = 1 + /* /sbin/iptables */
2 + /* --table foo */
@@ -215,9 +129,7 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg,
...)
if (!(argv[n++] = strdup(rules->table)))
goto error;
- command_idx = n;
-
- if (!(argv[n++] = strdup("--insert")))
+ if (!(argv[n++] = strdup(action == ADD ? "--insert" :
"--delete")))
goto error;
if (!(argv[n++] = strdup(rules->chain)))
@@ -234,31 +146,14 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg,
...)
va_end(args);
- if (!(rule = virArgvToString(&argv[command_idx])))
- goto error;
-
- if (action == REMOVE) {
- VIR_FREE(argv[command_idx]);
- if (!(argv[command_idx] = strdup("--delete")))
- goto error;
- }
-
if (virRun(NULL, argv, NULL) < 0) {
retval = errno;
goto error;
}
- if (action == ADD) {
- retval = iptRulesAppend(rules, rule, argv, command_idx);
- rule = NULL;
- argv = NULL;
- } else {
- retval = iptRulesRemove(rules, rule);
- }
+ retval = 0;
error:
- VIR_FREE(rule);
-
if (argv) {
n = 0;
while (argv[n])
@@ -318,50 +213,6 @@ iptablesContextFree(iptablesContext *ctx)
VIR_FREE(ctx);
}
-static void
-iptRulesReload(iptRules *rules)
-{
- int i;
- char ebuf[1024];
-
- for (i = 0; i < rules->nrules; i++) {
- iptRule *rule = &rules->rules[i];
- const char *orig;
-
- orig = rule->argv[rule->command_idx];
- rule->argv[rule->command_idx] = (char *) "--delete";
-
- if (virRun(NULL, rule->argv, NULL) < 0)
- VIR_WARN(_("Failed to remove iptables rule '%s'"
- " from chain '%s' in table '%s': %s"),
- rule->rule, rules->chain, rules->table,
- virStrerror(errno, ebuf, sizeof ebuf));
-
- rule->argv[rule->command_idx] = orig;
- }
-
- for (i = 0; i < rules->nrules; i++)
- if (virRun(NULL, rules->rules[i].argv, NULL) < 0)
- VIR_WARN(_("Failed to add iptables rule '%s'"
- " to chain '%s' in table '%s': %s"),
- rules->rules[i].rule, rules->chain, rules->table,
- virStrerror(errno, ebuf, sizeof ebuf));
-}
-
-/**
- * iptablesReloadRules:
- * @ctx: pointer to the IP table context
- *
- * Reloads all the IP table rules associated to a context
- */
-void
-iptablesReloadRules(iptablesContext *ctx)
-{
- iptRulesReload(ctx->input_filter);
- iptRulesReload(ctx->forward_filter);
- iptRulesReload(ctx->nat_postrouting);
-}
-
static int
iptablesInput(iptablesContext *ctx,
const char *iface,
diff --git a/src/util/iptables.h b/src/util/iptables.h
index 826f4f8..68d9e0d 100644
--- a/src/util/iptables.h
+++ b/src/util/iptables.h
@@ -27,8 +27,6 @@ typedef struct _iptablesContext iptablesContext;
iptablesContext *iptablesContextNew (void);
void iptablesContextFree (iptablesContext *ctx);
-void iptablesReloadRules (iptablesContext *ctx);
-
int iptablesAddTcpInput (iptablesContext *ctx,
const char *iface,
int port);
--
1.6.5.2