On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
The current nwfilter tech driver API has a
'createRuleInstance' method
which populates virNWFilterRuleInstPtr with a command line string
containing variable placeholders. The 'applyNewRules' method then
expands the variables and executes the commands. This split of
responsibility won't work when switching to the virFirewallPtr
APIs, since we can't just build up command line strings. This patch
merges the functionality of 'createRuleInstance' into the
applyNewRules method.
The virNWFilterRuleInstPtr struct is changed from holding an array
of opaque pointers, into holding generic metadata about the rules
to be processed. In essence this is the result of taking a linked
set of virNWFilterDefPtr's and flattening the tree to get a list
of virNWFilterRuleDefPtr's. At the same time we must keep track of
any nested virNWFilterObjPtr instances, so that the locks are held
for the duration of the 'applyNewRules' method.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
Some parts are difficult to read in the patch, especially where you
split the contents of _virNWFilterInstantiateRec into two functions. But
I find that the pieces appear again in the new functions.
/* process ebtables commands; interleave commands from filters with
commands for creating and connecting ebtables chains */
j = 0;
- for (i = 0; i < nruleInstances; i++) {
- sa_assert(inst);
- switch (inst[i]->ruleType) {
- case RT_EBTABLES:
+ for (i = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
while (j < nEbtChains &&
- ebtChains[j].priority <= inst[i]->priority) {
+ ebtChains[j].priority <= rules[i]->priority) {
ebiptablesInstCommand(&buf,
ebtChains[j++].commandTemplate,
'A', -1, true);
}
- ebiptablesInstCommand(&buf,
- inst[i]->commandTemplate,
- 'A', -1, true);
- break;
- case RT_IPTABLES:
- haveIptables = true;
- break;
- case RT_IP6TABLES:
- haveIp6tables = true;
- break;
+ ebtablesRuleInstCommand(&buf,
+ ifname,
+ rules[i],
+ 'A', -1, true);
+ } else {
+ if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ haveIptables = true;
+ else if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ haveIp6tables = true;
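Review bot: the final "else if" in this hunk repeats the IPv4 check, so
"haveIp6tables = true" is unreachable and any IPv6 rule is silently
dropped instead of being handed to ip6tables, which is a regression from
the old "case RT_IP6TABLES:" branch. The second test should call the IPv6
counterpart of that helper (virNWFilterRuleIsProtocolIPv6, assuming that
is its name), i.e.
"else if (virNWFilterRuleIsProtocolIPv6(rules[i]->def))
     haveIp6tables = true;".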
Here's that typo. If you were to change this, the TCK test suite will
probably pass after each step of applying the patches incrementally.
ACK
Stefan