Most of the iptables APIs share code for the add/delete paths, but a
couple were separated. Merge the remaining APIs to facilitate future
changes.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/util/viriptables.c | 73 ++++++++++++++++++++++++------------------
1 file changed, 42 insertions(+), 31 deletions(-)
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 5dbea8cf57..f379844d28 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
}
+static void
+iptablesForwardAllowCross(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int action)
+{
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--in-interface", iface,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
+}
+
/**
* iptablesAddForwardAllowCross:
* @ctx: pointer to the IP table context
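Review bot: The new static helper iptablesForwardAllowCross documents nothing about `action`, yet its `action == ADD ? "--insert" : "--delete"` test treats every value other than ADD as a delete, so a caller passing an unexpected value would silently remove a rule instead of failing. A one-line comment above the function, `/* action is ADD or REMOVE; any value other than ADD is treated as REMOVE */`, would make that contract explicit, and the same comment belongs on the iptablesForwardRejectOut and iptablesForwardRejectIn helpers added later in this patch. The `"FORWARD",` line inside the helper body appears to have lost its `+` marker in this rendering, since the hunk header's 21-line new side only balances if it is counted as an added line.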
@@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- "--insert", "FORWARD",
- "--in-interface", iface,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ iptablesForwardAllowCross(fw, layer, iface, ADD);
}
/**
@@ -535,13 +544,21 @@ void
iptablesRemoveForwardAllowCross(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
+{
+ iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+}
+
+static void
+iptablesForwardRejectOut(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- "--delete", "FORWARD",
+ action == ADD ? "--insert" : "delete",
"FORWARD",
"--in-interface", iface,
- "--out-interface", iface,
- "--jump", "ACCEPT",
+ "--jump", "REJECT",
NULL);
}
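Review bot: The REMOVE branch of iptablesForwardRejectOut passes `"delete"` rather than `"--delete"`, so iptablesRemoveForwardRejectOut now emits `iptables --table filter delete FORWARD ...`, which is not a valid iptables option, and the REJECT rule that removal is meant to clear stays in place; the other two helpers in this patch spell the option correctly. Change the line to `action == ADD ? "--insert" : "--delete",`. This is a regression relative to the removed `"--delete", "FORWARD",` line, and a unit test comparing the command lines generated by the add and remove paths of each API would have caught it.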
@@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- "--insert", "FORWARD",
- "--in-interface", iface,
- "--jump", "REJECT",
- NULL);
+ iptablesForwardRejectOut(fw, layer, iface, ADD);
}
/**
@@ -582,16 +594,25 @@ void
iptablesRemoveForwardRejectOut(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
+{
+ iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+}
+
+
+static void
+iptablesForwardRejectIn(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *iface,
+ int action)
{
virFirewallAddRule(fw, layer,
"--table", "filter",
- "--delete", "FORWARD",
- "--in-interface", iface,
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--out-interface", iface,
"--jump", "REJECT",
NULL);
}
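Review bot: The spacing around the new iptablesForwardRejectIn helper is inconsistent with the other two helpers in this patch: two added blank lines precede its `static void`, whereas iptablesForwardRejectOut is preceded by one, and the blank line removed after this helper's closing brace appears to leave it closer to the following doc comment than the other helpers are. Use the same separation for all three, since the file seems to keep a fixed number of blank lines between function definitions.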
-
/**
* iptablesAddForwardRejectIn:
* @ctx: pointer to the IP table context
@@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- "--insert", "FORWARD",
- "--out-interface", iface,
- "--jump", "REJECT",
- NULL);
+ iptablesForwardRejectIn(fw, layer, iface, ADD);
}
/**
@@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
virFirewallLayer layer,
const char *iface)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- "--delete", "FORWARD",
- "--out-interface", iface,
- "--jump", "REJECT",
- NULL);
+ iptablesForwardRejectIn(fw, layer, iface, REMOVE);
}
--
2.19.1