Re: [PATCH v2 5/6] util: add new "tc" layer for virFirewallCmd objects

On 11/26/24 04:24, Laine Stump wrote:

If the layer of a virFirewallCmd is "tc", then the "tc" utility will be executed using the arguments that had been added to the virFirewallCmd

tc layer doesn't support auto-rollback command creation (any rollback needs to be added manually with virFirewallAddRollbackCmd()), and also tc layer isn't supported by the iptables backend (it would have been straightforward to add, but the iptables backend doesn't need it, and I didn't want to take the chance of causing a regression in that code for no good reason).

Signed-off-by: Laine Stump <laine@redhat.com> --- src/network/network_nftables.c | 1 + src/util/virfirewall.c | 66 +++++++++++++++++++++------------- src/util/virfirewall.h | 1 + src/util/virfirewalld.c | 1 + 4 files changed, 44 insertions(+), 25 deletions(-)

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index f8b5ab665d..b3605bd40e 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -73,6 +73,7 @@ VIR_ENUM_IMPL(nftablesLayer, "", "ip", "ip6", + "", );

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 811b787ecc..754bc18162 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -47,6 +47,7 @@ VIR_ENUM_IMPL(virFirewallLayer, "ethernet", "ipv4", "ipv6", + "tc", );

typedef struct _virFirewallGroup virFirewallGroup; @@ -57,6 +58,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand, EBTABLES, IPTABLES, IP6TABLES, + TC, );

struct _virFirewallCmd { @@ -591,6 +593,7 @@ virFirewallCmdIptablesApply(virFirewall *firewall, case VIR_FIREWALL_LAYER_IPV6: virCommandAddArg(cmd, "-w"); break; + case VIR_FIREWALL_LAYER_TC: case VIR_FIREWALL_LAYER_LAST: break; } @@ -672,39 +675,52 @@ virFirewallCmdNftablesApply(virFirewall *firewall G_GNUC_UNUSED, size_t i; int status;

- cmd = virCommandNew(NFT); + if (fwCmd->layer == VIR_FIREWALL_LAYER_TC) {

- if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) && - fwCmd->argsLen > 1) { - /* skip any leading options to get to command verb */ - for (i = 0; i < fwCmd->argsLen - 1; i++) { - if (fwCmd->args[i][0] != '-') - break; - } + /* for VIR_FIREWALL_LAYER_TC, we run the 'tc' (traffic control) command with + * the supplied args. + */ + cmd = virCommandNew(TC);

Alignment. Michal