I am moving some functions into the interface of the firewall driver and
making them accessible only via the driver's interface. Adapt the code
where needed. One new function is added that checks whether some 'basic'
rules can be applied; it is used by a subsequent patch.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
src/conf/nwfilter_conf.h | 16 ++++++++++++++++
src/nwfilter/nwfilter_ebiptables_driver.c | 24 +++++++++++++++++++++---
src/nwfilter/nwfilter_ebiptables_driver.h | 8 --------
src/nwfilter/nwfilter_gentech_driver.c | 3 ++-
src/nwfilter/nwfilter_learnipaddr.c | 24 ++++++++++++++----------
src/nwfilter/nwfilter_learnipaddr.h | 4 +++-
6 files changed, 56 insertions(+), 23 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -98,6 +98,7 @@ static const char *m_physdev_out_str = "
#define MATCH_PHYSDEV_OUT m_physdev_out_str
+static int ebtablesRemoveBasicRules(const char *ifname);
static int ebiptablesDriverInit(void);
static void ebiptablesDriverShutdown(void);
@@ -2578,6 +2579,18 @@ ebiptablesInstCommand(virBufferPtr buf,
/**
+ * ebiptablesCanApplyBasicRules
+ *
+ * Determine whether this driver can apply the basic rules, meaning
+ * run ebtablesApplyBasicRules and ebtablesApplyDHCPOnlyRules.
+ * In case of this driver we need the ebtables tool available.
+ */
+static int
+ebiptablesCanApplyBasicRules(void) {
+ return (ebtables_cmd_path != NULL);
+}
+
+/**
* ebtablesApplyBasicRules
*
* @conn: virConnect object
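Review bot: The new ebiptablesCanApplyBasicRules doc block says what the function decides but not how the answer is encoded, and the callback slot it fills has no comment either; add a return line after the description, e.g. ` * Returns non-zero if the ebtables tool is available and the rules can be applied, 0 otherwise.`. The ebtablesApplyBasicRules comment right below still carries `@conn: virConnect object` although the signature in the next hunk takes only ifname and macaddr, so the same stale line this patch drops from virNWFilterLearnIPAddress could be dropped here as well. Both function bodies continue outside the hunk.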
@@ -2591,7 +2604,7 @@ ebiptablesInstCommand(virBufferPtr buf,
* - filtering for MAC address spoofing
* - allowing IPv4 & ARP traffic
*/
-int
+static int
ebtablesApplyBasicRules(const char *ifname,
const unsigned char *macaddr)
{
@@ -2685,7 +2698,7 @@ tear_down_tmpebchains:
* Apply filtering rules so that the VM can only send and receive
* DHCP traffic and nothing else.
*/
-int
+static int
ebtablesApplyDHCPOnlyRules(const char *ifname,
const unsigned char *macaddr,
const char *dhcpserver)
@@ -2794,7 +2807,7 @@ tear_down_tmpebchains:
}
-int
+static int
ebtablesRemoveBasicRules(const char *ifname)
{
virBuffer buf = VIR_BUFFER_INITIALIZER;
@@ -3188,6 +3201,11 @@ virNWFilterTechDriver ebiptables_driver
.removeRules = ebiptablesRemoveRules,
.freeRuleInstance = ebiptablesFreeRuleInstance,
.displayRuleInstance = ebiptablesDisplayRuleInstance,
+
+ .canApplyBasicRules = ebiptablesCanApplyBasicRules,
+ .applyBasicRules = ebtablesApplyBasicRules,
+ .applyDHCPOnlyRules = ebtablesApplyDHCPOnlyRules,
+ .removeBasicRules = ebtablesRemoveBasicRules,
};
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.h
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
@@ -45,12 +45,4 @@ extern virNWFilterTechDriver ebiptables_
# define EBIPTABLES_DRIVER_ID "ebiptables"
-
-int ebtablesApplyBasicRules(const char *ifname,
- const unsigned char *macaddr);
-int ebtablesApplyDHCPOnlyRules(const char *ifname,
- const unsigned char *macaddr,
- const char *dhcpServer);
-int ebtablesRemoveBasicRules(const char *ifname);
-
#endif
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -487,6 +487,17 @@ typedef int (*virNWFilterRuleFreeInstanc
typedef int (*virNWFilterRuleDisplayInstanceData)(virConnectPtr conn,
void *_inst);
+typedef int (*virNWFilterCanApplyBasicRules)(void);
+
+typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
+ const unsigned char *macaddr);
+
+typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
+ const unsigned char *macaddr,
+ const char *dhcpserver);
+
+typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
+
enum techDrvFlags {
TECHDRV_FLAG_INITIALIZED = (1 << 0),
};
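Review bot: The four new callback typedefs carry no comment on their return-value convention, and the two conventions differ: the ebiptables implementation of canApplyBasicRules returns non-zero to mean "yes" (`return (ebtables_cmd_path != NULL);`), while the learnipaddr call sites treat a non-zero return from applyBasicRules/applyDHCPOnlyRules as failure (`if (techdriver->applyDHCPOnlyRules(...)) goto err_free_ht;`). A one-line comment above each typedef would keep a second driver from inverting one of them, e.g. `/* returns non-zero if the driver can apply the basic and DHCP-only rules */` and `/* return 0 on success, non-zero on failure */`. It is also worth stating on virNWFilterApplyDHCPOnlyRules that dhcpserver may be NULL, since the learnipaddr caller passes NULL there.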
@@ -506,6 +517,11 @@ struct _virNWFilterTechDriver {
virNWFilterRuleAllTeardown allTeardown;
virNWFilterRuleFreeInstanceData freeRuleInstance;
virNWFilterRuleDisplayInstanceData displayRuleInstance;
+
+ virNWFilterCanApplyBasicRules canApplyBasicRules;
+ virNWFilterApplyBasicRules applyBasicRules;
+ virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
+ virNWFilterRemoveBasicRules removeBasicRules;
};
Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.h
+++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h
@@ -33,6 +33,7 @@ enum howDetect {
typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq;
typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr;
struct _virNWFilterIPAddrLearnReq {
+ virNWFilterTechDriverPtr techdriver;
char ifname[IF_NAMESIZE];
char linkdev[IF_NAMESIZE];
enum virDomainNetType nettype;
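Review bot: The new techdriver field is a bare pointer stored in a request that is later handed to a thread (the struct also holds `pthread_t thread`), and nothing says who owns it or how long it must stay valid; a comment such as `/* driver used to apply and remove the interface's learning-phase rules; not owned, must outlive the request */` would make the contract explicit. Presumably the only driver today is the file-scope `ebiptables_driver` object, so lifetime is not a problem in practice, but the header should say so. The header now also depends on virNWFilterTechDriverPtr from nwfilter_conf.h, and the diffstat shows no include added here, so confirm that header is already pulled in.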
@@ -46,7 +47,8 @@ struct _virNWFilterIPAddrLearnReq {
pthread_t thread;
};
-int virNWFilterLearnIPAddress(const char *ifname,
+int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
+ const char *ifname,
const char *linkdev,
enum virDomainNetType nettype,
const unsigned char *macaddr,
Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
@@ -593,7 +593,8 @@ virNWFilterInstantiate(virConnectPtr con
if (virHashLookup(missing_vars->hashTable,
NWFILTER_STD_VAR_IP) != NULL) {
if (virNWFilterLookupLearnReq(ifname) == NULL) {
- rc = virNWFilterLearnIPAddress(ifname,
+ rc = virNWFilterLearnIPAddress(techdriver,
+ ifname,
linkdev,
nettype, macaddr,
filter->name,
Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.c
+++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c
@@ -293,6 +293,7 @@ learnIPAddressThread(void *arg)
char *filter= NULL;
uint16_t etherType;
enum howDetect howDetected = 0;
+ virNWFilterTechDriverPtr techdriver = req->techdriver;
req->status = 0;
@@ -458,7 +459,7 @@ learnIPAddressThread(void *arg)
if (handle)
pcap_close(handle);
- ebtablesRemoveBasicRules(req->ifname);
+ techdriver->removeBasicRules(req->ifname);
if (req->status == 0) {
int ret;
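Review bot: `techdriver->removeBasicRules(req->ifname);` dereferences a callback that the new struct _virNWFilterTechDriver leaves as a plain pointer a driver may not set, and neither this call nor the ones in the later hunks (`techdriver->applyDHCPOnlyRules` and `techdriver->applyBasicRules` in the switch, `techdriver->removeBasicRules` under err_remove_rules) checks it for NULL. Only the ebiptables driver fills the four fields today, so this works, but a second driver registered without them would crash in the learning thread. Either guard each call, e.g. `if (techdriver->removeBasicRules) techdriver->removeBasicRules(req->ifname);`, or document on the struct that all four callbacks are mandatory and have virNWFilterLearnIPAddress reject a driver lacking them before it spawns the thread. learnIPAddressThread starts and ends outside the hunk.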
@@ -493,7 +494,7 @@ learnIPAddressThread(void *arg)
/**
* virNWFilterLearnIPAddress
- * @conn: pointer to virConnect object
+ * @techdriver : driver to build firewalls
* @ifname: the name of the interface
* @linkdev : the name of the link device; currently only used in case of a
* macvtap device
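Review bot: The new `@techdriver : driver to build firewalls` line says nothing about what the function requires of the driver, although the body calls applyBasicRules, applyDHCPOnlyRules and removeBasicRules through it and stores it in the request for the learning thread; the line would read better as `@techdriver: tech driver whose applyBasicRules/applyDHCPOnlyRules/removeBasicRules callbacks install and tear down the interface's learning-phase rules; must not be NULL`. The block already mixes `@ifname:` and `@linkdev :` spellings, but a new line might as well follow the no-space form. The comment block continues outside the hunk.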
@@ -513,7 +514,8 @@ learnIPAddressThread(void *arg)
* firewall rules on the interface.
*/
int
-virNWFilterLearnIPAddress(const char *ifname,
+virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
+ const char *ifname,
const char *linkdev,
enum virDomainNetType nettype,
const unsigned char *macaddr,
@@ -569,6 +571,7 @@ virNWFilterLearnIPAddress(const char *if
req->filterparams = ht;
ht = NULL;
req->howDetect = howDetect;
+ req->techdriver = techdriver;
rc = virNWFilterRegisterLearnReq(req);
@@ -577,14 +580,14 @@ virNWFilterLearnIPAddress(const char *if
switch (howDetect) {
case DETECT_DHCP:
- if (ebtablesApplyDHCPOnlyRules(ifname,
- macaddr,
- NULL))
+ if (techdriver->applyDHCPOnlyRules(ifname,
+ macaddr,
+ NULL))
goto err_free_ht;
break;
default:
- if (ebtablesApplyBasicRules(ifname,
- macaddr))
+ if (techdriver->applyBasicRules(ifname,
+ macaddr))
goto err_free_ht;
}
@@ -598,7 +601,7 @@ virNWFilterLearnIPAddress(const char *if
return 0;
err_remove_rules:
- ebtablesRemoveBasicRules(ifname);
+ techdriver->removeBasicRules(ifname);
err_free_ht:
virNWFilterHashTableFree(ht);
err_no_ht:
@@ -610,7 +613,8 @@ err_no_req:
#else
int
-virNWFilterLearnIPAddress(const char *ifname ATTRIBUTE_UNUSED,
+virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
+ const char *ifname ATTRIBUTE_UNUSED,
const char *linkdev ATTRIBUTE_UNUSED,
enum virDomainNetType nettype ATTRIBUTE_UNUSED,
const unsigned char *macaddr ATTRIBUTE_UNUSED,