Use the name of the chain rather than its type index (enum).
This pushes the later enablement of chains with user-given names
into the XML parser. For now we still only allow those names that
are well known ('root', 'arp', 'rarp', 'ipv4' and
'ipv6').
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
src/conf/nwfilter_conf.c | 16 ++++++++++++----
src/conf/nwfilter_conf.h | 2 +-
src/nwfilter/nwfilter_ebiptables_driver.c | 13 +++++++------
src/nwfilter/nwfilter_ebiptables_driver.h | 2 +-
4 files changed, 21 insertions(+), 12 deletions(-)
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -309,6 +309,7 @@ virNWFilterDefFree(virNWFilterDefPtr def
virNWFilterEntryFree(def->filterEntries[i]);
VIR_FREE(def->filterEntries);
+ VIR_FREE(def->chainsuffix);
VIR_FREE(def);
}
@@ -2027,21 +2028,28 @@ virNWFilterDefParseXML(xmlXPathContextPt
goto cleanup;
}
- ret->chainsuffix = VIR_NWFILTER_CHAINSUFFIX_ROOT;
chain = virXPathString("string(./@chain)", ctxt);
if (chain) {
- if ((ret->chainsuffix =
- virNWFilterChainSuffixTypeFromString(chain)) < 0) {
+ if (virNWFilterChainSuffixTypeFromString(chain) < 0) {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
_("unknown chain suffix '%s'"),
chain);
goto cleanup;
}
+ ret->chainsuffix = chain;
/* assign an implicit priority -- support XML attribute later */
if (!intMapGetByString(chain_priorities, chain, 0,
&ret->chainPriority)) {
ret->chainPriority = (NWFILTER_MAX_FILTER_PRIORITY +
NWFILTER_MIN_FILTER_PRIORITY) / 2;
}
+ chain = NULL;
+ } else {
+ ret->chainsuffix = strdup(virNWFilterChainSuffixTypeToString(
+ VIR_NWFILTER_CHAINSUFFIX_ROOT));
+ if (ret->chainsuffix == NULL) {
+ virReportOOMError();
+ goto cleanup;
+ }
}
uuid = virXPathString("string(./uuid)", ctxt);
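Review bot: The new default branch sets ret->chainsuffix to the root name but never assigns ret->chainPriority, while the explicit-chain branch derives the priority from chain_priorities; unless ret is zero-allocated and 0 is the intended priority for the root chain (not visible here), a filter without a chain attribute leaves its priority unset. Since both branches now end with a string in ret->chainsuffix, the lookup could run once after the if/else on ret->chainsuffix so both paths consult the same table, as sketched below. If the root chain is deliberately left without a priority, a one-line comment in the else branch saying so would stop the next reader from "fixing" it. virNWFilterDefParseXML and its cleanup label continue outside the hunk, so the release of chain on the unknown-suffix error path is assumed rather than seen.
```c
    } else {
        ret->chainsuffix = strdup(virNWFilterChainSuffixTypeToString(
                                  VIR_NWFILTER_CHAINSUFFIX_ROOT));
        if (ret->chainsuffix == NULL) {
            virReportOOMError();
            goto cleanup;
        }
    }
    /* assign an implicit priority -- support XML attribute later;
     * keyed on the stored name so both branches use the same table */
    if (!intMapGetByString(chain_priorities, ret->chainsuffix, 0,
                           &ret->chainPriority)) {
        ret->chainPriority = (NWFILTER_MAX_FILTER_PRIORITY +
                              NWFILTER_MIN_FILTER_PRIORITY) / 2;
    }
    /* … unchanged: uuid parsing … */
```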
@@ -2843,7 +2851,7 @@ virNWFilterDefFormat(virNWFilterDefPtr d
virBufferAsprintf(&buf, "<filter name='%s'
chain='%s'",
def->name,
- virNWFilterChainSuffixTypeToString(def->chainsuffix));
+ def->chainsuffix);
virBufferAddLit(&buf, ">\n");
virUUIDFormat(def->uuid, uuid);
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -455,7 +455,7 @@ struct _virNWFilterDef {
char *name;
unsigned char uuid[VIR_UUID_BUFLEN];
- int chainsuffix; /*enum virNWFilterChainSuffixType */
+ char *chainsuffix;
virNWFilterChainPriority chainPriority;
int nentries;
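Review bot: The new `char *chainsuffix` field drops the old enum comment and says nothing about ownership, yet it is now heap memory that virNWFilterDefFree releases; the field should state that, e.g. `char *chainsuffix; /* owned: well-known chain name ('root', 'arp', ...), freed in virNWFilterDefFree */`. It is also worth recording that the parser always leaves it non-NULL (either the XML attribute or a strdup of the root name), since the ebiptables driver hands it straight to STREQ without a NULL check.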
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -385,7 +385,7 @@ ebiptablesRuleInstFree(ebiptablesRuleIns
static int
ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
char *commandTemplate,
- enum virNWFilterChainSuffixType neededChain,
+ const char *neededChain,
virNWFilterChainPriority chainPriority,
char chainprefix,
unsigned int priority,
@@ -1961,11 +1961,13 @@ ebtablesCreateRuleInstance(char chainPre
goto err_exit;
}
- if (nwfilter->chainsuffix == VIR_NWFILTER_CHAINSUFFIX_ROOT)
+ if (STREQ(nwfilter->chainsuffix,
+ virNWFilterChainSuffixTypeToString(
+ VIR_NWFILTER_CHAINSUFFIX_ROOT)))
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
else
PRINT_CHAIN(chain, chainPrefix, ifname,
- virNWFilterChainSuffixTypeToString(nwfilter->chainsuffix));
+ nwfilter->chainsuffix);
switch (rule->prtclType) {
@@ -2532,7 +2534,7 @@ ebiptablesDisplayRuleInstance(virConnect
ebiptablesRuleInstPtr inst = (ebiptablesRuleInstPtr)_inst;
VIR_INFO("Command Template: '%s', Needed protocol: '%s'",
inst->commandTemplate,
- virNWFilterChainSuffixTypeToString(inst->neededProtocolChain));
+ inst->neededProtocolChain);
return 0;
}
@@ -3350,8 +3352,7 @@ ebiptablesApplyNewRules(virConnectPtr co
for (i = 0; i < nruleInstances; i++) {
sa_assert (inst);
if (inst[i]->ruleType == RT_EBTABLES) {
- const char *name = virNWFilterChainSuffixTypeToString(
- inst[i]->neededProtocolChain);
+ const char *name = inst[i]->neededProtocolChain;
if (inst[i]->chainprefix == CHAINPREFIX_HOST_IN_TEMP) {
if (virHashUpdateEntry(chains_in_set, name,
&inst[i]->chainPriority)) {
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.h
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
@@ -35,7 +35,7 @@ typedef struct _ebiptablesRuleInst ebipt
typedef ebiptablesRuleInst *ebiptablesRuleInstPtr;
struct _ebiptablesRuleInst {
char *commandTemplate;
- enum virNWFilterChainSuffixType neededProtocolChain;
+ const char *neededProtocolChain;
virNWFilterChainPriority chainPriority;
char chainprefix; /* I for incoming, O for outgoing */
unsigned int priority;
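Review bot: `const char *neededProtocolChain` is a borrowed pointer, but nothing says whose memory it points at; from the new `const char *neededChain` parameter of ebiptablesAddRuleInst and the parser change it appears to alias nwfilter->chainsuffix, which virNWFilterDefFree now frees. The enum it replaces was a plain value with no lifetime, so the change quietly ties every rule instance to the lifetime of its virNWFilterDef; the field should say so, e.g. `const char *neededProtocolChain; /* not owned: points at the filter def's chainsuffix */`. The caller in ebiptablesApplyNewRules that uses it as the key for virHashUpdateEntry additionally relies on the hash copying the key if the def can be released before the instances are torn down. If instances can outlive the def, duplicating the string in ebiptablesAddRuleInst and freeing it in ebiptablesRuleInstFree would be the safer choice.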