11:52 p.m.
iptablesContext holds only 4 pairs of iptables
(table, chain) and there's no need to pass
it around.
This is a first step towards separating bridge_driver.c
in platform-specific parts.
---
src/libvirt_private.syms | 2 -
src/network/bridge_driver.c | 253 +++++++++++++++++--------------------------
src/util/viriptables.c | 257 +++++++++++---------------------------------
src/util/viriptables.h | 65 ++++-------
4 files changed, 183 insertions(+), 394 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 795e011..062c7fb 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1417,8 +1417,6 @@ iptablesAddForwardRejectOut;
iptablesAddOutputFixUdpChecksum;
iptablesAddTcpInput;
iptablesAddUdpInput;
-iptablesContextFree;
-iptablesContextNew;
iptablesRemoveForwardAllowCross;
iptablesRemoveForwardAllowIn;
iptablesRemoveForwardAllowOut;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 2cf49bb..062ec85 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -75,7 +75,6 @@ struct network_driver {
virNetworkObjList networks;
- iptablesContext *iptables;
char *networkConfigDir;
char *networkAutostartDir;
char *stateDir;
@@ -106,8 +105,7 @@ static int networkShutdownNetwork(struct network_driver *driver,
static int networkStartNetworkVirtual(struct network_driver *driver,
virNetworkObjPtr network);
-static int networkShutdownNetworkVirtual(struct network_driver *driver,
- virNetworkObjPtr network);
+static int networkShutdownNetworkVirtual(virNetworkObjPtr network);
static int networkStartNetworkExternal(struct network_driver *driver,
virNetworkObjPtr network);
@@ -420,10 +418,6 @@ networkStateInitialize(bool privileged,
}
}
- if (!(driverState->iptables = iptablesContextNew())) {
- goto out_of_memory;
- }
-
/* if this fails now, it will be retried later with dnsmasqCapsRefresh() */
driverState->dnsmasqCaps = dnsmasqCapsNewFromBinary(DNSMASQ);
@@ -531,9 +525,6 @@ networkStateCleanup(void) {
VIR_FREE(driverState->dnsmasqStateDir);
VIR_FREE(driverState->radvdStateDir);
- if (driverState->iptables)
- iptablesContextFree(driverState->iptables);
-
virObjectUnref(driverState->dnsmasqCaps);
networkDriverUnlock(driverState);
@@ -1544,8 +1535,7 @@ networkRefreshDaemons(struct network_driver *driver)
}
static int
-networkAddMasqueradingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
@@ -1559,8 +1549,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
/* allow forwarding packets from the bridge interface */
- if (iptablesAddForwardAllowOut(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1573,8 +1562,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
/* allow forwarding packets to the bridge interface if they are
* part of an existing connection
*/
- if (iptablesAddForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1608,8 +1596,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
*/
/* First the generic masquerade rule for other protocols */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
@@ -1626,8 +1613,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
/* UDP with a source port restriction */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
@@ -1644,8 +1630,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
/* TCP with a source port restriction */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
@@ -1664,30 +1649,26 @@ networkAddMasqueradingIptablesRules(struct network_driver
*driver,
return 0;
masqerr5:
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"udp");
masqerr4:
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
NULL);
masqerr3:
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
masqerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1696,43 +1677,37 @@ networkAddMasqueradingIptablesRules(struct network_driver
*driver,
}
static void
-networkRemoveMasqueradingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) {
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"tcp");
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"udp");
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
NULL);
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1740,8 +1715,7 @@ networkRemoveMasqueradingIptablesRules(struct network_driver
*driver,
}
static int
-networkAddRoutingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddRoutingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
@@ -1755,8 +1729,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
}
/* allow routing packets from the bridge interface */
- if (iptablesAddForwardAllowOut(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1767,8 +1740,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
}
/* allow routing packets to the bridge interface */
- if (iptablesAddForwardAllowIn(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1781,8 +1753,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
return 0;
routeerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1791,22 +1762,19 @@ routeerr1:
}
static void
-networkRemoveRoutingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveRoutingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) {
- iptablesRemoveForwardAllowIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1819,8 +1787,7 @@ networkRemoveRoutingIptablesRules(struct network_driver *driver,
* If any IPv6 addresses are defined, then add the rules for regular operation.
*/
static int
-networkAddGeneralIp6tablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddGeneralIp6tablesRules(virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
@@ -1830,16 +1797,14 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
/* Catch all rules to block forwarding to/from bridges */
- if (iptablesAddForwardRejectOut(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectOut(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block outbound traffic
from '%s'"),
network->def->bridge);
goto err1;
}
- if (iptablesAddForwardRejectIn(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectIn(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block inbound traffic to
'%s'"),
network->def->bridge);
@@ -1847,8 +1812,7 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
}
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardAllowCross(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow cross bridge traffic
on '%s'"),
network->def->bridge);
@@ -1860,24 +1824,21 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
return 0;
/* allow DNS over IPv6 */
- if (iptablesAddTcpInput(driver->iptables, AF_INET6,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddTcpInput(AF_INET6, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from
'%s'"),
network->def->bridge);
goto err4;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET6,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from
'%s'"),
network->def->bridge);
goto err5;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET6,
- network->def->bridge, 547) < 0) {
+ if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 547) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DHCP6 requests from
'%s'"),
network->def->bridge);
@@ -1888,44 +1849,42 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
/* unwind in reverse order from the point of failure */
err6:
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge,
53);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
err5:
- iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge,
53);
+ iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
err4:
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6,
network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
err3:
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6,
network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
err2:
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6,
network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
err1:
return -1;
}
static void
-networkRemoveGeneralIp6tablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveGeneralIp6tablesRules(virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
!network->def->ipv6nogw) {
return;
}
if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge,
547);
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge,
53);
- iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge,
53);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 547);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
}
/* the following rules are there if no IPv6 address has been defined
* but network->def->ipv6nogw == true
*/
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6,
network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6,
network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6,
network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
}
static int
-networkAddGeneralIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddGeneralIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipv4def;
@@ -1941,16 +1900,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* allow DHCP requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, AF_INET,
- network->def->bridge, 67) < 0) {
+ if (iptablesAddTcpInput(AF_INET, network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from
'%s'"),
network->def->bridge);
goto err1;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 67) < 0) {
+ if (iptablesAddUdpInput(AF_INET, network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from
'%s'"),
network->def->bridge);
@@ -1964,24 +1921,21 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
*/
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts) &&
- (iptablesAddOutputFixUdpChecksum(driver->iptables,
- network->def->bridge, 68) < 0)) {
+ (iptablesAddOutputFixUdpChecksum(network->def->bridge, 68) < 0)) {
VIR_WARN("Could not add rule to fixup DHCP response checksums "
"on network '%s'.", network->def->name);
VIR_WARN("May need to update iptables package & kernel to support
CHECKSUM rule.");
}
/* allow DNS requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, AF_INET,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddTcpInput(AF_INET, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from
'%s'"),
network->def->bridge);
goto err3;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddUdpInput(AF_INET, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from
'%s'"),
network->def->bridge);
@@ -1990,8 +1944,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* allow TFTP requests through to dnsmasq if necessary */
if (ipv4def && ipv4def->tftproot &&
- iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 69) < 0) {
+ iptablesAddUdpInput(AF_INET, network->def->bridge, 69) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow TFTP requests from
'%s'"),
network->def->bridge);
@@ -2000,16 +1953,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* Catch all rules to block forwarding to/from bridges */
- if (iptablesAddForwardRejectOut(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectOut(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block outbound traffic from
'%s'"),
network->def->bridge);
goto err6;
}
- if (iptablesAddForwardRejectIn(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectIn(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block inbound traffic to
'%s'"),
network->def->bridge);
@@ -2017,8 +1968,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
}
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardAllowCross(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow cross bridge traffic
on '%s'"),
network->def->bridge);
@@ -2026,7 +1976,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
}
/* add IPv6 general rules, if needed */
- if (networkAddGeneralIp6tablesRules(driver, network) < 0) {
+ if (networkAddGeneralIp6tablesRules(network) < 0) {
goto err9;
}
@@ -2034,35 +1984,34 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* unwind in reverse order from the point of failure */
err9:
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET,
network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
err8:
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET,
network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
err7:
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET,
network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
err6:
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge,
69);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
}
err5:
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge,
53);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
err4:
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge,
53);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
err3:
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge,
67);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
err2:
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge,
67);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
err1:
return -1;
}
static void
-networkRemoveGeneralIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveGeneralIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipv4def;
- networkRemoveGeneralIp6tablesRules(driver, network);
+ networkRemoveGeneralIp6tablesRules(network);
for (ii = 0;
(ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, ii));
@@ -2071,25 +2020,23 @@ networkRemoveGeneralIptablesRules(struct network_driver *driver,
break;
}
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET,
network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET,
network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET,
network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge,
69);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
}
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge,
53);
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge,
53);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) {
- iptablesRemoveOutputFixUdpChecksum(driver->iptables,
- network->def->bridge, 68);
+ iptablesRemoveOutputFixUdpChecksum(network->def->bridge, 68);
}
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge,
67);
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge,
67);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
}
static int
-networkAddIpSpecificIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
/* NB: in the case of IPv6, routing rules are added when the
@@ -2098,48 +2045,46 @@ networkAddIpSpecificIptablesRules(struct network_driver *driver,
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- return networkAddMasqueradingIptablesRules(driver, network, ipdef);
+ return networkAddMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- return networkAddRoutingIptablesRules(driver, network, ipdef);
+ return networkAddRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- return networkAddRoutingIptablesRules(driver, network, ipdef);
+ return networkAddRoutingIptablesRules(network, ipdef);
}
return 0;
}
static void
-networkRemoveIpSpecificIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- networkRemoveMasqueradingIptablesRules(driver, network, ipdef);
+ networkRemoveMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- networkRemoveRoutingIptablesRules(driver, network, ipdef);
+ networkRemoveRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- networkRemoveRoutingIptablesRules(driver, network, ipdef);
+ networkRemoveRoutingIptablesRules(network, ipdef);
}
}
/* Add all rules for all ip addresses (and general rules) on a network */
static int
-networkAddIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipdef;
virErrorPtr orig_error;
/* Add "once per network" rules */
- if (networkAddGeneralIptablesRules(driver, network) < 0)
+ if (networkAddGeneralIptablesRules(network) < 0)
return -1;
for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) {
/* Add address-specific iptables rules */
- if (networkAddIpSpecificIptablesRules(driver, network, ipdef) < 0) {
+ if (networkAddIpSpecificIptablesRules(network, ipdef) < 0) {
goto err;
}
}
@@ -2155,9 +2100,9 @@ err:
*/
while ((--ii >= 0) &&
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii))) {
- networkRemoveIpSpecificIptablesRules(driver, network, ipdef);
+ networkRemoveIpSpecificIptablesRules(network, ipdef);
}
- networkRemoveGeneralIptablesRules(driver, network);
+ networkRemoveGeneralIptablesRules(network);
/* return the original error */
virSetError(orig_error);
@@ -2167,8 +2112,7 @@ err:
/* Remove all rules for all ip addresses (and general rules) on a network */
static void
-networkRemoveIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipdef;
@@ -2176,9 +2120,9 @@ networkRemoveIptablesRules(struct network_driver *driver,
for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) {
- networkRemoveIpSpecificIptablesRules(driver, network, ipdef);
+ networkRemoveIpSpecificIptablesRules(network, ipdef);
}
- networkRemoveGeneralIptablesRules(driver, network);
+ networkRemoveGeneralIptablesRules(network);
}
static void
@@ -2199,8 +2143,8 @@ networkReloadIptablesRules(struct network_driver *driver)
/* Only the three L3 network types that are configured by libvirt
* need to have iptables rules reloaded.
*/
- networkRemoveIptablesRules(driver, network);
- if (networkAddIptablesRules(driver, network) < 0) {
+ networkRemoveIptablesRules(network);
+ if (networkAddIptablesRules(network) < 0) {
/* failed to add but already logged */
}
}
@@ -2526,7 +2470,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
goto err1;
/* Add "once per network" rules */
- if (networkAddIptablesRules(driver, network) < 0)
+ if (networkAddIptablesRules(network) < 0)
goto err1;
for (ii = 0;
@@ -2619,7 +2563,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
err2:
if (!save_err)
save_err = virSaveLastError();
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
err1:
if (!save_err)
@@ -2644,8 +2588,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
return -1;
}
-static int networkShutdownNetworkVirtual(struct network_driver *driver,
- virNetworkObjPtr network)
+static int networkShutdownNetworkVirtual(virNetworkObjPtr network)
{
virNetDevBandwidthClear(network->def->bridge);
@@ -2677,7 +2620,7 @@ static int networkShutdownNetworkVirtual(struct network_driver
*driver,
ignore_value(virNetDevSetOnline(network->def->bridge, 0));
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
ignore_value(virNetDevBridgeDelete(network->def->bridge));
@@ -2802,7 +2745,7 @@ static int networkShutdownNetwork(struct network_driver *driver,
case VIR_NETWORK_FORWARD_NONE:
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
- ret = networkShutdownNetworkVirtual(driver, network);
+ ret = networkShutdownNetworkVirtual(network);
break;
case VIR_NETWORK_FORWARD_BRIDGE:
@@ -3490,8 +3433,8 @@ networkUpdate(virNetworkPtr net,
network->def->forward.type == VIR_NETWORK_FORWARD_NAT ||
network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE)) {
/* these could affect the iptables rules */
- networkRemoveIptablesRules(driver, network);
- if (networkAddIptablesRules(driver, network) < 0)
+ networkRemoveIptablesRules(network);
+ if (networkAddIptablesRules(network) < 0)
goto cleanup;
}
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 16fbe9c..63a8031 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -88,52 +88,8 @@ enum {
REMOVE
};
-typedef struct
-{
- char *table;
- char *chain;
-} iptRules;
-
-struct _iptablesContext
-{
- iptRules *input_filter;
- iptRules *forward_filter;
- iptRules *nat_postrouting;
- iptRules *mangle_postrouting;
-};
-
-static void
-iptRulesFree(iptRules *rules)
-{
- VIR_FREE(rules->table);
- VIR_FREE(rules->chain);
- VIR_FREE(rules);
-}
-
-static iptRules *
-iptRulesNew(const char *table,
- const char *chain)
-{
- iptRules *rules;
-
- if (VIR_ALLOC(rules) < 0)
- return NULL;
-
- if (VIR_STRDUP(rules->table, table) < 0)
- goto error;
-
- if (VIR_STRDUP(rules->chain, chain) < 0)
- goto error;
-
- return rules;
-
- error:
- iptRulesFree(rules);
- return NULL;
-}
-
static virCommandPtr
-iptablesCommandNew(iptRules *rules, int family, int action)
+iptablesCommandNew(const char *table, const char *chain, int family, int action)
{
virCommandPtr cmd = NULL;
#if HAVE_FIREWALLD
@@ -150,9 +106,9 @@ iptablesCommandNew(iptRules *rules, int family, int action)
? IP6TABLES_PATH : IPTABLES_PATH);
}
- virCommandAddArgList(cmd, "--table", rules->table,
+ virCommandAddArgList(cmd, "--table", table,
action == ADD ? "--insert" : "--delete",
- rules->chain, NULL);
+ chain, NULL);
return cmd;
}
@@ -166,14 +122,14 @@ iptablesCommandRunAndFree(virCommandPtr cmd)
}
static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(iptRules *rules, int family, int action,
+iptablesAddRemoveRule(const char *table, const char *chain, int family, int action,
const char *arg, ...)
{
va_list args;
virCommandPtr cmd = NULL;
const char *s;
- cmd = iptablesCommandNew(rules, family, action);
+ cmd = iptablesCommandNew(table, chain, family, action);
virCommandAddArg(cmd, arg);
va_start(args, arg);
@@ -184,63 +140,8 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action,
return iptablesCommandRunAndFree(cmd);
}
-/**
- * iptablesContextNew:
- *
- * Create a new IPtable context
- *
- * Returns a pointer to the new structure or NULL in case of error
- */
-iptablesContext *
-iptablesContextNew(void)
-{
- iptablesContext *ctx;
-
- if (VIR_ALLOC(ctx) < 0)
- return NULL;
-
- if (!(ctx->input_filter = iptRulesNew("filter", "INPUT")))
- goto error;
-
- if (!(ctx->forward_filter = iptRulesNew("filter",
"FORWARD")))
- goto error;
-
- if (!(ctx->nat_postrouting = iptRulesNew("nat",
"POSTROUTING")))
- goto error;
-
- if (!(ctx->mangle_postrouting = iptRulesNew("mangle",
"POSTROUTING")))
- goto error;
-
- return ctx;
-
- error:
- iptablesContextFree(ctx);
- return NULL;
-}
-
-/**
- * iptablesContextFree:
- * @ctx: pointer to the IP table context
- *
- * Free the resources associated with an IP table context
- */
-void
-iptablesContextFree(iptablesContext *ctx)
-{
- if (ctx->input_filter)
- iptRulesFree(ctx->input_filter);
- if (ctx->forward_filter)
- iptRulesFree(ctx->forward_filter);
- if (ctx->nat_postrouting)
- iptRulesFree(ctx->nat_postrouting);
- if (ctx->mangle_postrouting)
- iptRulesFree(ctx->mangle_postrouting);
- VIR_FREE(ctx);
-}
-
static int
-iptablesInput(iptablesContext *ctx,
- int family,
+iptablesInput(int family,
const char *iface,
int port,
int action,
@@ -251,7 +152,7 @@ iptablesInput(iptablesContext *ctx,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule(ctx->input_filter,
+ return iptablesAddRemoveRule("filter", "INPUT",
family,
action,
"--in-interface", iface,
@@ -274,12 +175,11 @@ iptablesInput(iptablesContext *ctx,
*/
int
-iptablesAddTcpInput(iptablesContext *ctx,
- int family,
+iptablesAddTcpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, ADD, 1);
+ return iptablesInput(family, iface, port, ADD, 1);
}
/**
@@ -294,12 +194,11 @@ iptablesAddTcpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveTcpInput(iptablesContext *ctx,
- int family,
+iptablesRemoveTcpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, REMOVE, 1);
+ return iptablesInput(family, iface, port, REMOVE, 1);
}
/**
@@ -315,12 +214,11 @@ iptablesRemoveTcpInput(iptablesContext *ctx,
*/
int
-iptablesAddUdpInput(iptablesContext *ctx,
- int family,
+iptablesAddUdpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, ADD, 0);
+ return iptablesInput(family, iface, port, ADD, 0);
}
/**
@@ -335,12 +233,11 @@ iptablesAddUdpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveUdpInput(iptablesContext *ctx,
- int family,
+iptablesRemoveUdpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, REMOVE, 0);
+ return iptablesInput(family, iface, port, REMOVE, 0);
}
@@ -381,8 +278,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
* to proceed to WAN
*/
static int
-iptablesForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
@@ -395,7 +291,7 @@ iptablesForwardAllowOut(iptablesContext *ctx,
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
- cmd = iptablesCommandNew(ctx->forward_filter,
+ cmd = iptablesCommandNew("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action);
virCommandAddArgList(cmd,
@@ -426,13 +322,12 @@ iptablesForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -449,13 +344,12 @@ iptablesAddForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, REMOVE);
}
@@ -463,8 +357,7 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx,
* and associated with an existing connection
*/
static int
-iptablesForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
@@ -477,7 +370,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
return -1;
if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -488,7 +381,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
"--jump", "ACCEPT",
NULL);
} else {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -516,13 +409,12 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -539,20 +431,18 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
-iptablesForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
@@ -565,7 +455,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
return -1;
if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -574,7 +464,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
"--jump", "ACCEPT",
NULL);
} else {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -600,13 +490,12 @@ iptablesForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -623,13 +512,12 @@ iptablesAddForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, REMOVE);
}
@@ -637,12 +525,11 @@ iptablesRemoveForwardAllowIn(iptablesContext *ctx,
* with a valid network address
*/
static int
-iptablesForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesForwardAllowCross(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--in-interface", iface,
@@ -663,11 +550,10 @@ iptablesForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesAddForwardAllowCross(int family,
const char *iface)
{
- return iptablesForwardAllowCross(ctx, family, iface, ADD);
+ return iptablesForwardAllowCross(family, iface, ADD);
}
/**
@@ -682,11 +568,10 @@ iptablesAddForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardAllowCross(int family,
const char *iface)
{
- return iptablesForwardAllowCross(ctx, family, iface, REMOVE);
+ return iptablesForwardAllowCross(family, iface, REMOVE);
}
@@ -694,12 +579,11 @@ iptablesRemoveForwardAllowCross(iptablesContext *ctx,
* ie the bridge is the in interface
*/
static int
-iptablesForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesForwardRejectOut(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--in-interface", iface,
@@ -718,11 +602,10 @@ iptablesForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesAddForwardRejectOut(int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, family, iface, ADD);
+ return iptablesForwardRejectOut(family, iface, ADD);
}
/**
@@ -736,11 +619,10 @@ iptablesAddForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardRejectOut(int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, family, iface, REMOVE);
+ return iptablesForwardRejectOut(family, iface, REMOVE);
}
@@ -750,12 +632,11 @@ iptablesRemoveForwardRejectOut(iptablesContext *ctx,
* ie the bridge is the out interface
*/
static int
-iptablesForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesForwardRejectIn(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--out-interface", iface,
@@ -774,11 +655,10 @@ iptablesForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesAddForwardRejectIn(int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, family, iface, ADD);
+ return iptablesForwardRejectIn(family, iface, ADD);
}
/**
@@ -792,11 +672,10 @@ iptablesAddForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardRejectIn(int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, family, iface, REMOVE);
+ return iptablesForwardRejectIn(family, iface, REMOVE);
}
@@ -804,8 +683,7 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx,
* with the bridge
*/
static int
-iptablesForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
@@ -841,7 +719,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
}
}
- cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action);
+ cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action);
virCommandAddArgList(cmd, "--source", networkstr, NULL);
if (protocol && protocol[0])
@@ -922,15 +800,14 @@ cleanup:
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, ADD);
}
@@ -948,22 +825,20 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, REMOVE);
}
static int
-iptablesOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesOutputFixUdpChecksum(const char *iface,
int port,
int action)
{
@@ -972,7 +847,7 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule(ctx->mangle_postrouting,
+ return iptablesAddRemoveRule("mangle", "POSTROUTING",
AF_INET,
action,
"--out-interface", iface,
@@ -998,11 +873,10 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx,
*/
int
-iptablesAddOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesAddOutputFixUdpChecksum(const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(ctx, iface, port, ADD);
+ return iptablesOutputFixUdpChecksum(iface, port, ADD);
}
/**
@@ -1019,9 +893,8 @@ iptablesAddOutputFixUdpChecksum(iptablesContext *ctx,
* return an error, which should be ignored)
*/
int
-iptablesRemoveOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesRemoveOutputFixUdpChecksum(const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(ctx, iface, port, REMOVE);
+ return iptablesOutputFixUdpChecksum(iface, port, REMOVE);
}
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index b7ce59b..447f4a8 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -26,102 +26,77 @@
# include "virsocketaddr.h"
-typedef struct _iptablesContext iptablesContext;
-
-iptablesContext *iptablesContextNew (void);
-void iptablesContextFree (iptablesContext *ctx);
-
-int iptablesAddTcpInput (iptablesContext *ctx,
- int family,
+int iptablesAddTcpInput (int family,
const char *iface,
int port);
-int iptablesRemoveTcpInput (iptablesContext *ctx,
- int family,
+int iptablesRemoveTcpInput (int family,
const char *iface,
int port);
-int iptablesAddUdpInput (iptablesContext *ctx,
- int family,
+int iptablesAddUdpInput (int family,
const char *iface,
int port);
-int iptablesRemoveUdpInput (iptablesContext *ctx,
- int family,
+int iptablesRemoveUdpInput (int family,
const char *iface,
int port);
-int iptablesAddForwardAllowOut (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardAllowOut (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowOut (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardAllowOut (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowIn (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardAllowIn (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowIn (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardAllowIn (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowCross (iptablesContext *ctx,
- int family,
+int iptablesAddForwardAllowCross (int family,
const char *iface);
-int iptablesRemoveForwardAllowCross (iptablesContext *ctx,
- int family,
+int iptablesRemoveForwardAllowCross (int family,
const char *iface);
-int iptablesAddForwardRejectOut (iptablesContext *ctx,
- int family,
+int iptablesAddForwardRejectOut (int family,
const char *iface);
-int iptablesRemoveForwardRejectOut (iptablesContext *ctx,
- int family,
+int iptablesRemoveForwardRejectOut (int family,
const char *iface);
-int iptablesAddForwardRejectIn (iptablesContext *ctx,
- int family,
+int iptablesAddForwardRejectIn (int family,
const char *iface);
-int iptablesRemoveForwardRejectIn (iptablesContext *ctx,
- int family,
+int iptablesRemoveForwardRejectIn (int family,
const char *iface);
-int iptablesAddForwardMasquerade (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardMasquerade (virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol);
-int iptablesRemoveForwardMasquerade (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardMasquerade (virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol);
-int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx,
- const char *iface,
+int iptablesAddOutputFixUdpChecksum (const char *iface,
int port);
-int iptablesRemoveOutputFixUdpChecksum (iptablesContext *ctx,
- const char *iface,
+int iptablesRemoveOutputFixUdpChecksum (const char *iface,
int port);
#endif /* __QEMUD_IPTABLES_H__ */
--
1.8.1.4
3:29 a.m.
On 06/28/2013 12:52 AM, Roman Bogorodskiy wrote:
iptablesContext holds only 4 pairs of iptables
(table, chain) and there's no need to pass
it around.
This is a first step towards separating bridge_driver.c
in platform-specific parts.
---
src/libvirt_private.syms | 2 -
src/network/bridge_driver.c | 253 +++++++++++++++++--------------------------
src/util/viriptables.c | 257 +++++++++++---------------------------------
src/util/viriptables.h | 65 ++++-------
4 files changed, 183 insertions(+), 394 deletions(-)
Mostly mechanical. Visual/build ACK. I'll run some tests tomorrow, and
push it after 1.1.0 is released.
(It's just amazing how much change was required just to remove that one
thing.
4:14 a.m.
On Fri, Jun 28, 2013 at 12:52:30AM -0400, Roman Bogorodskiy wrote:
iptablesContext holds only 4 pairs of iptables
(table, chain) and there's no need to pass
it around.
This is a first step towards separating bridge_driver.c
in platform-specific parts.
---
src/libvirt_private.syms | 2 -
src/network/bridge_driver.c | 253 +++++++++++++++++--------------------------
src/util/viriptables.c | 257 +++++++++++---------------------------------
src/util/viriptables.h | 65 ++++-------
4 files changed, 183 insertions(+), 394 deletions(-)
ACK
Thanks for doing this - it has been on my death-list for a quite
a while now :-)
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
12:51 p.m.
On 06/28/2013 12:52 AM, Roman Bogorodskiy wrote:
iptablesContext holds only 4 pairs of iptables
(table, chain) and there's no need to pass
it around.
This is a first step towards separating bridge_driver.c
in platform-specific parts.
---
src/libvirt_private.syms | 2 -
src/network/bridge_driver.c | 253 +++++++++++++++++--------------------------
src/util/viriptables.c | 257 +++++++++++---------------------------------
src/util/viriptables.h | 65 ++++-------
4 files changed, 183 insertions(+), 394 deletions(-)
Now that 1.1.0 is released, I verified that this patch doesn't cause any
change in behavior, modified networkShutdownNetworkVirtual() to retain
the "driver" arg with an ATTRIBUTE_UNUSED (so that it's consistent with
other similar functions), and pushed the result.
4161
days inactive
4164
days old
3 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Laine Stump -
Roman Bogorodskiy