iptablesContext no longer holds any mutable state, only fixed table/chain name pairs, so we can drop it
* src/util/iptables.c, src/util/iptables.h: drop iptablesContext
* src/network/bridge_driver.c: update callers
* src/libvirt_private.syms: drop context new/free functions
---
src/libvirt_private.syms | 2 -
src/network/bridge_driver.c | 132 ++++++++-----------
src/util/iptables.c | 307 ++++++++++++-------------------------------
src/util/iptables.h | 59 +++------
4 files changed, 153 insertions(+), 347 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index e5ba365..d78142e 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -235,8 +235,6 @@ iptablesAddForwardRejectIn;
iptablesAddForwardRejectOut;
iptablesAddTcpInput;
iptablesAddUdpInput;
-iptablesContextFree;
-iptablesContextNew;
iptablesRemoveForwardAllowCross;
iptablesRemoveForwardAllowIn;
iptablesRemoveForwardAllowOut;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index abee78c..28340a1 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -69,7 +69,6 @@ struct network_driver {
virNetworkObjList networks;
- iptablesContext *iptables;
brControl *brctl;
char *networkConfigDir;
char *networkAutostartDir;
@@ -247,11 +246,6 @@ networkStartup(int privileged) {
goto error;
}
- if (!(driverState->iptables = iptablesContextNew())) {
- goto out_of_memory;
- }
-
-
if (virNetworkLoadAllConfigs(NULL,
&driverState->networks,
driverState->networkConfigDir,
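Review bot: Removing the `goto out_of_memory;` that followed the iptablesContextNew() call may leave the `out_of_memory:` label in networkStartup with no remaining jump to it, which gcc reports under -Wunused-label; the label and the rest of the function are outside this hunk, so this needs checking against the full body. If no other `goto out_of_memory` survives, delete the label in this same commit rather than leaving the warning behind. networkStartup starts and ends outside the hunk.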
@@ -349,8 +343,6 @@ networkShutdown(void) {
if (driverState->brctl)
brShutdown(driverState->brctl);
- if (driverState->iptables)
- iptablesContextFree(driverState->iptables);
networkDriverUnlock(driverState);
virMutexDestroy(&driverState->lock);
@@ -590,13 +582,11 @@ cleanup:
}
static int
-networkAddMasqueradingIptablesRules(virConnectPtr conn,
- struct network_driver *driver,
- virNetworkObjPtr network) {
+networkAddMasqueradingIptablesRules(virConnectPtr conn, virNetworkObjPtr network)
+{
int err;
/* allow forwarding packets from the bridge interface */
- if ((err = iptablesAddForwardAllowOut(driver->iptables,
- network->def->network,
+ if ((err = iptablesAddForwardAllowOut(network->def->network,
network->def->bridge,
network->def->forwardDev))) {
virReportSystemError(conn, err,
@@ -606,10 +596,9 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn,
}
/* allow forwarding packets to the bridge interface if they are part of an existing
connection */
- if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables,
- network->def->network,
- network->def->bridge,
- network->def->forwardDev))) {
+ if ((err = iptablesAddForwardAllowRelatedIn(network->def->network,
+ network->def->bridge,
+ network->def->forwardDev))) {
virReportSystemError(conn, err,
_("failed to add iptables rule to allow forwarding to
'%s'"),
network->def->bridge);
@@ -617,8 +606,7 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn,
}
/* enable masquerading */
- if ((err = iptablesAddForwardMasquerade(driver->iptables,
- network->def->network,
+ if ((err = iptablesAddForwardMasquerade(network->def->network,
network->def->forwardDev))) {
virReportSystemError(conn, err,
_("failed to add iptables rule to enable masquerading
to '%s'\n"),
@@ -629,13 +617,11 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn,
return 1;
masqerr3:
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- network->def->network,
- network->def->bridge,
- network->def->forwardDev);
+ iptablesRemoveForwardAllowRelatedIn(network->def->network,
+ network->def->bridge,
+ network->def->forwardDev);
masqerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- network->def->network,
+ iptablesRemoveForwardAllowOut(network->def->network,
network->def->bridge,
network->def->forwardDev);
masqerr1:
@@ -643,13 +629,11 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn,
}
static int
-networkAddRoutingIptablesRules(virConnectPtr conn,
- struct network_driver *driver,
- virNetworkObjPtr network) {
+networkAddRoutingIptablesRules(virConnectPtr conn, virNetworkObjPtr network)
+{
int err;
/* allow routing packets from the bridge interface */
- if ((err = iptablesAddForwardAllowOut(driver->iptables,
- network->def->network,
+ if ((err = iptablesAddForwardAllowOut(network->def->network,
network->def->bridge,
network->def->forwardDev))) {
virReportSystemError(conn, err,
@@ -659,8 +643,7 @@ networkAddRoutingIptablesRules(virConnectPtr conn,
}
/* allow routing packets to the bridge interface */
- if ((err = iptablesAddForwardAllowIn(driver->iptables,
- network->def->network,
+ if ((err = iptablesAddForwardAllowIn(network->def->network,
network->def->bridge,
network->def->forwardDev))) {
virReportSystemError(conn, err,
@@ -673,8 +656,7 @@ networkAddRoutingIptablesRules(virConnectPtr conn,
routeerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- network->def->network,
+ iptablesRemoveForwardAllowOut(network->def->network,
network->def->bridge,
network->def->forwardDev);
routeerr1:
@@ -682,20 +664,19 @@ networkAddRoutingIptablesRules(virConnectPtr conn,
}
static int
-networkAddIptablesRules(virConnectPtr conn,
- struct network_driver *driver,
- virNetworkObjPtr network) {
+networkAddIptablesRules(virConnectPtr conn, virNetworkObjPtr network)
+{
int err;
/* allow DHCP requests through to dnsmasq */
- if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge, 67)))
{
+ if ((err = iptablesAddTcpInput(network->def->bridge, 67))) {
virReportSystemError(conn, err,
_("failed to add iptables rule to allow DHCP requests
from '%s'"),
network->def->bridge);
goto err1;
}
- if ((err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 67)))
{
+ if ((err = iptablesAddUdpInput(network->def->bridge, 67))) {
virReportSystemError(conn, err,
_("failed to add iptables rule to allow DHCP requests
from '%s'"),
network->def->bridge);
@@ -703,14 +684,14 @@ networkAddIptablesRules(virConnectPtr conn,
}
/* allow DNS requests through to dnsmasq */
- if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge, 53)))
{
+ if ((err = iptablesAddTcpInput(network->def->bridge, 53))) {
virReportSystemError(conn, err,
_("failed to add iptables rule to allow DNS requests
from '%s'"),
network->def->bridge);
goto err3;
}
- if ((err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 53)))
{
+ if ((err = iptablesAddUdpInput(network->def->bridge, 53))) {
virReportSystemError(conn, err,
_("failed to add iptables rule to allow DNS requests
from '%s'"),
network->def->bridge);
@@ -720,14 +701,14 @@ networkAddIptablesRules(virConnectPtr conn,
/* Catch all rules to block forwarding to/from bridges */
- if ((err = iptablesAddForwardRejectOut(driver->iptables,
network->def->bridge))) {
+ if ((err = iptablesAddForwardRejectOut(network->def->bridge))) {
virReportSystemError(conn, err,
_("failed to add iptables rule to block outbound
traffic from '%s'"),
network->def->bridge);
goto err5;
}
- if ((err = iptablesAddForwardRejectIn(driver->iptables,
network->def->bridge))) {
+ if ((err = iptablesAddForwardRejectIn(network->def->bridge))) {
virReportSystemError(conn, err,
_("failed to add iptables rule to block inbound traffic
to '%s'"),
network->def->bridge);
@@ -735,7 +716,7 @@ networkAddIptablesRules(virConnectPtr conn,
}
/* Allow traffic between guests on the same bridge */
- if ((err = iptablesAddForwardAllowCross(driver->iptables,
network->def->bridge))) {
+ if ((err = iptablesAddForwardAllowCross(network->def->bridge))) {
virReportSystemError(conn, err,
_("failed to add iptables rule to allow cross bridge
traffic on '%s'"),
network->def->bridge);
@@ -745,66 +726,59 @@ networkAddIptablesRules(virConnectPtr conn,
/* If masquerading is enabled, set up the rules*/
if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT &&
- !networkAddMasqueradingIptablesRules(conn, driver, network))
+ !networkAddMasqueradingIptablesRules(conn, network))
goto err8;
/* else if routing is enabled, set up the rules*/
else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE &&
- !networkAddRoutingIptablesRules(conn, driver, network))
+ !networkAddRoutingIptablesRules(conn, network))
goto err8;
return 1;
err8:
- iptablesRemoveForwardAllowCross(driver->iptables,
- network->def->bridge);
+ iptablesRemoveForwardAllowCross(network->def->bridge);
err7:
- iptablesRemoveForwardRejectIn(driver->iptables,
- network->def->bridge);
+ iptablesRemoveForwardRejectIn(network->def->bridge);
err6:
- iptablesRemoveForwardRejectOut(driver->iptables,
- network->def->bridge);
+ iptablesRemoveForwardRejectOut(network->def->bridge);
err5:
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53);
+ iptablesRemoveUdpInput(network->def->bridge, 53);
err4:
- iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
+ iptablesRemoveTcpInput(network->def->bridge, 53);
err3:
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
+ iptablesRemoveUdpInput(network->def->bridge, 67);
err2:
- iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
+ iptablesRemoveTcpInput(network->def->bridge, 67);
err1:
return 0;
}
static void
-networkRemoveIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network) {
+networkRemoveIptablesRules(virNetworkObjPtr network)
+{
if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) {
- iptablesRemoveForwardMasquerade(driver->iptables,
- network->def->network,
- network->def->forwardDev);
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- network->def->network,
+ iptablesRemoveForwardMasquerade(network->def->network,
+ network->def->forwardDev);
+ iptablesRemoveForwardAllowRelatedIn(network->def->network,
network->def->bridge,
network->def->forwardDev);
} else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE)
- iptablesRemoveForwardAllowIn(driver->iptables,
- network->def->network,
+ iptablesRemoveForwardAllowIn(network->def->network,
network->def->bridge,
network->def->forwardDev);
- iptablesRemoveForwardAllowOut(driver->iptables,
- network->def->network,
+ iptablesRemoveForwardAllowOut(network->def->network,
network->def->bridge,
network->def->forwardDev);
}
- iptablesRemoveForwardAllowCross(driver->iptables, network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge);
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53);
- iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
- iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
- iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
+ iptablesRemoveForwardAllowCross(network->def->bridge);
+ iptablesRemoveForwardRejectIn(network->def->bridge);
+ iptablesRemoveForwardRejectOut(network->def->bridge);
+ iptablesRemoveUdpInput(network->def->bridge, 53);
+ iptablesRemoveTcpInput(network->def->bridge, 53);
+ iptablesRemoveUdpInput(network->def->bridge, 67);
+ iptablesRemoveTcpInput(network->def->bridge, 67);
}
static void
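Review bot: networkRemoveIptablesRules discards the return value of every `iptablesRemove*` call on its new lines, so if one deletion fails the corresponding ACCEPT, REJECT or MASQUERADE rule stays in the live ruleset for a bridge that is being torn down and nothing records it; the callers in networkShutdownNetworkDaemon and on the err_delbr2 path cannot notice either, since the function is void. The iptablesRemove* helpers are documented elsewhere in this patch as returning 0 on success or an error code, so the information is already there. Since the signature is being changed anyway, this is a cheap moment to at least log each failed removal with the file's logging facility (not visible in this hunk), or to keep the status and surface it the way the add path already does with virReportSystemError.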
@@ -818,8 +792,8 @@ networkReloadIptablesRules(struct network_driver *driver)
virNetworkObjLock(driver->networks.objs[i]);
if (virNetworkObjIsActive(driver->networks.objs[i])) {
- networkRemoveIptablesRules(driver, driver->networks.objs[i]);
- if (!networkAddIptablesRules(NULL, driver, driver->networks.objs[i])) {
+ networkRemoveIptablesRules(driver->networks.objs[i]);
+ if (!networkAddIptablesRules(NULL, driver->networks.objs[i])) {
/* failed to add but already logged */
}
}
@@ -940,7 +914,7 @@ static int networkStartNetworkDaemon(virConnectPtr conn,
goto err_delbr;
}
- if (!networkAddIptablesRules(conn, driver, network))
+ if (!networkAddIptablesRules(conn, network))
goto err_delbr1;
if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE &&
@@ -972,7 +946,7 @@ static int networkStartNetworkDaemon(virConnectPtr conn,
}
err_delbr2:
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
err_delbr1:
if ((err = brSetInterfaceUp(driver->brctl, network->def->bridge, 0))) {
@@ -1013,7 +987,7 @@ static int networkShutdownNetworkDaemon(virConnectPtr conn,
if (network->dnsmasqPid > 0)
kill(network->dnsmasqPid, SIGTERM);
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
char ebuf[1024];
if ((err = brSetInterfaceUp(driver->brctl, network->def->bridge, 0))) {
diff --git a/src/util/iptables.c b/src/util/iptables.c
index 3c02ea6..de75a24 100644
--- a/src/util/iptables.c
+++ b/src/util/iptables.c
@@ -52,51 +52,9 @@ enum {
REMOVE
};
-typedef struct
-{
- char *table;
- char *chain;
-} iptRules;
-
-struct _iptablesContext
-{
- iptRules *input_filter;
- iptRules *forward_filter;
- iptRules *nat_postrouting;
-};
-
-static void
-iptRulesFree(iptRules *rules)
-{
- VIR_FREE(rules->table);
- VIR_FREE(rules->chain);
- VIR_FREE(rules);
-}
-
-static iptRules *
-iptRulesNew(const char *table,
- const char *chain)
-{
- iptRules *rules;
-
- if (VIR_ALLOC(rules) < 0)
- return NULL;
-
- if (!(rules->table = strdup(table)))
- goto error;
-
- if (!(rules->chain = strdup(chain)))
- goto error;
-
- return rules;
-
- error:
- iptRulesFree(rules);
- return NULL;
-}
-
static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...)
+iptablesAddRemoveRule(const char *table, const char *chain,
+ int action, const char *arg, ...)
{
va_list args;
int retval = ENOMEM;
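Review bot: With iptRulesNew and the three context members gone, the table and chain names are no longer defined in one place: each helper in this file now spells `"filter"`, `"FORWARD"`, `"nat"` and `"POSTROUTING"` as a literal at its own call site, so a typo in one helper would silently target a different chain with nothing to catch it at compile time. Define each name once, e.g. `#define IPTABLES_TABLE_FILTER "filter"` / `#define IPTABLES_CHAIN_FORWARD "FORWARD"`, and pass those through the new `table`/`chain` parameters. The new signature also has no header comment; one sentence saying that `table` and `chain` name the iptables table and chain the rule is inserted into (ADD) or deleted from (REMOVE), that the NULL-terminated varargs become the remaining iptables arguments, and that 0 is returned on success and an errno value such as ENOMEM otherwise, would help the next reader. The function body continues past this hunk.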
@@ -126,13 +84,13 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg,
...)
if (!(argv[n++] = strdup("--table")))
goto error;
- if (!(argv[n++] = strdup(rules->table)))
+ if (!(argv[n++] = strdup(table)))
goto error;
if (!(argv[n++] = strdup(action == ADD ? "--insert" :
"--delete")))
goto error;
- if (!(argv[n++] = strdup(rules->chain)))
+ if (!(argv[n++] = strdup(chain)))
goto error;
if (!(argv[n++] = strdup(arg)))
@@ -164,58 +122,8 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg,
...)
return retval;
}
-/**
- * iptablesContextNew:
- *
- * Create a new IPtable context
- *
- * Returns a pointer to the new structure or NULL in case of error
- */
-iptablesContext *
-iptablesContextNew(void)
-{
- iptablesContext *ctx;
-
- if (VIR_ALLOC(ctx) < 0)
- return NULL;
-
- if (!(ctx->input_filter = iptRulesNew("filter", "INPUT")))
- goto error;
-
- if (!(ctx->forward_filter = iptRulesNew("filter",
"FORWARD")))
- goto error;
-
- if (!(ctx->nat_postrouting = iptRulesNew("nat",
"POSTROUTING")))
- goto error;
-
- return ctx;
-
- error:
- iptablesContextFree(ctx);
- return NULL;
-}
-
-/**
- * iptablesContextFree:
- * @ctx: pointer to the IP table context
- *
- * Free the resources associated with an IP table context
- */
-void
-iptablesContextFree(iptablesContext *ctx)
-{
- if (ctx->input_filter)
- iptRulesFree(ctx->input_filter);
- if (ctx->forward_filter)
- iptRulesFree(ctx->forward_filter);
- if (ctx->nat_postrouting)
- iptRulesFree(ctx->nat_postrouting);
- VIR_FREE(ctx);
-}
-
static int
-iptablesInput(iptablesContext *ctx,
- const char *iface,
+iptablesInput(const char *iface,
int port,
int action,
int tcp)
@@ -225,7 +133,7 @@ iptablesInput(iptablesContext *ctx,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule(ctx->input_filter,
+ return iptablesAddRemoveRule("filter", "INPUT",
action,
"--in-interface", iface,
"--protocol", tcp ? "tcp" :
"udp",
@@ -236,7 +144,6 @@ iptablesInput(iptablesContext *ctx,
/**
* iptablesAddTcpInput:
- * @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the TCP port to add
*
@@ -247,16 +154,13 @@ iptablesInput(iptablesContext *ctx,
*/
int
-iptablesAddTcpInput(iptablesContext *ctx,
- const char *iface,
- int port)
+iptablesAddTcpInput(const char *iface, int port)
{
- return iptablesInput(ctx, iface, port, ADD, 1);
+ return iptablesInput(iface, port, ADD, 1);
}
/**
* iptablesRemoveTcpInput:
- * @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the TCP port to remove
*
@@ -266,16 +170,13 @@ iptablesAddTcpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveTcpInput(iptablesContext *ctx,
- const char *iface,
- int port)
+iptablesRemoveTcpInput(const char *iface, int port)
{
- return iptablesInput(ctx, iface, port, REMOVE, 1);
+ return iptablesInput(iface, port, REMOVE, 1);
}
/**
* iptablesAddUdpInput:
- * @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to add
*
@@ -286,16 +187,13 @@ iptablesRemoveTcpInput(iptablesContext *ctx,
*/
int
-iptablesAddUdpInput(iptablesContext *ctx,
- const char *iface,
- int port)
+iptablesAddUdpInput(const char *iface, int port)
{
- return iptablesInput(ctx, iface, port, ADD, 0);
+ return iptablesInput(iface, port, ADD, 0);
}
/**
* iptablesRemoveUdpInput:
- * @ctx: pointer to the IP table context
* @iface: the interface name
* @port: the UDP port to remove
*
@@ -305,11 +203,9 @@ iptablesAddUdpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveUdpInput(iptablesContext *ctx,
- const char *iface,
- int port)
+iptablesRemoveUdpInput(const char *iface, int port)
{
- return iptablesInput(ctx, iface, port, REMOVE, 0);
+ return iptablesInput(iface, port, REMOVE, 0);
}
@@ -317,14 +213,13 @@ iptablesRemoveUdpInput(iptablesContext *ctx,
* to proceed to WAN
*/
static int
-iptablesForwardAllowOut(iptablesContext *ctx,
- const char *network,
- const char *iface,
- const char *physdev,
- int action)
+iptablesForwardAllowOut(const char *network,
+ const char *iface,
+ const char *physdev,
+ int action)
{
if (physdev && physdev[0]) {
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
action,
"--source", network,
"--in-interface", iface,
@@ -332,7 +227,7 @@ iptablesForwardAllowOut(iptablesContext *ctx,
"--jump", "ACCEPT",
NULL);
} else {
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
action,
"--source", network,
"--in-interface", iface,
@@ -343,7 +238,6 @@ iptablesForwardAllowOut(iptablesContext *ctx,
/**
* iptablesAddForwardAllowOut:
- * @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the source interface name
* @physdev: the physical output device
@@ -355,17 +249,15 @@ iptablesForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowOut(iptablesContext *ctx,
- const char *network,
- const char *iface,
- const char *physdev)
+iptablesAddForwardAllowOut(const char *network,
+ const char *iface,
+ const char *physdev)
{
- return iptablesForwardAllowOut(ctx, network, iface, physdev, ADD);
+ return iptablesForwardAllowOut(network, iface, physdev, ADD);
}
/**
* iptablesRemoveForwardAllowOut:
- * @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the source interface name
* @physdev: the physical output device
@@ -377,12 +269,11 @@ iptablesAddForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowOut(iptablesContext *ctx,
- const char *network,
- const char *iface,
- const char *physdev)
+iptablesRemoveForwardAllowOut(const char *network,
+ const char *iface,
+ const char *physdev)
{
- return iptablesForwardAllowOut(ctx, network, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(network, iface, physdev, REMOVE);
}
@@ -390,14 +281,13 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx,
* and associated with an existing connection
*/
static int
-iptablesForwardAllowRelatedIn(iptablesContext *ctx,
- const char *network,
- const char *iface,
- const char *physdev,
- int action)
+iptablesForwardAllowRelatedIn(const char *network,
+ const char *iface,
+ const char *physdev,
+ int action)
{
if (physdev && physdev[0]) {
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
action,
"--destination", network,
"--in-interface", physdev,
@@ -407,7 +297,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
"--jump", "ACCEPT",
NULL);
} else {
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
action,
"--destination", network,
"--out-interface", iface,
@@ -420,7 +310,6 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
/**
* iptablesAddForwardAllowRelatedIn:
- * @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
@@ -432,17 +321,15 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- const char *network,
- const char *iface,
- const char *physdev)
+iptablesAddForwardAllowRelatedIn(const char *network,
+ const char *iface,
+ const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(network, iface, physdev, ADD);
}
/**
* iptablesRemoveForwardAllowRelatedIn:
- * @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
@@ -454,25 +341,23 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- const char *network,
- const char *iface,
- const char *physdev)
+iptablesRemoveForwardAllowRelatedIn(const char *network,
+ const char *iface,
+ const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(network, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
-iptablesForwardAllowIn(iptablesContext *ctx,
- const char *network,
+iptablesForwardAllowIn(const char *network,
const char *iface,
const char *physdev,
int action)
{
if (physdev && physdev[0]) {
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
action,
"--destination", network,
"--in-interface", physdev,
@@ -480,7 +365,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
"--jump", "ACCEPT",
NULL);
} else {
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
action,
"--destination", network,
"--out-interface", iface,
@@ -491,7 +376,6 @@ iptablesForwardAllowIn(iptablesContext *ctx,
/**
* iptablesAddForwardAllowIn:
- * @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
@@ -503,17 +387,15 @@ iptablesForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowIn(iptablesContext *ctx,
- const char *network,
+iptablesAddForwardAllowIn(const char *network,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, network, iface, physdev, ADD);
+ return iptablesForwardAllowIn(network, iface, physdev, ADD);
}
/**
* iptablesRemoveForwardAllowIn:
- * @ctx: pointer to the IP table context
* @network: the source network name
* @iface: the output interface name
* @physdev: the physical input device or NULL
@@ -525,12 +407,11 @@ iptablesAddForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowIn(iptablesContext *ctx,
- const char *network,
+iptablesRemoveForwardAllowIn(const char *network,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, network, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(network, iface, physdev, REMOVE);
}
@@ -538,11 +419,9 @@ iptablesRemoveForwardAllowIn(iptablesContext *ctx,
* with a valid network address
*/
static int
-iptablesForwardAllowCross(iptablesContext *ctx,
- const char *iface,
- int action)
+iptablesForwardAllowCross(const char *iface, int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
action,
"--in-interface", iface,
"--out-interface", iface,
@@ -552,7 +431,6 @@ iptablesForwardAllowCross(iptablesContext *ctx,
/**
* iptablesAddForwardAllowCross:
- * @ctx: pointer to the IP table context
* @iface: the input/output interface name
*
* Add rules to the IP table context to allow traffic to cross that
@@ -562,14 +440,13 @@ iptablesForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowCross(iptablesContext *ctx,
- const char *iface) {
- return iptablesForwardAllowCross(ctx, iface, ADD);
+iptablesAddForwardAllowCross( const char *iface)
+{
+ return iptablesForwardAllowCross(iface, ADD);
}
/**
* iptablesRemoveForwardAllowCross:
- * @ctx: pointer to the IP table context
* @iface: the input/output interface name
*
* Remove rules to the IP table context to block traffic to cross that
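Review bot: The new prototype on the `+` line has a stray space after the opening parenthesis, `iptablesAddForwardAllowCross( const char *iface)`, which no other signature in this patch has; write it as `iptablesAddForwardAllowCross(const char *iface)`. The doc comment kept as context still reads `Remove rules to the IP table context to block traffic to cross that`, but after this commit there is no context at all, so dropping `@ctx` should be paired with rewording it, e.g. `Remove the FORWARD rule that allows traffic to cross that`; the same stale "IP table context" phrasing survives in the neighbouring Add*/Reject* comments.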
@@ -579,9 +456,9 @@ iptablesAddForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowCross(iptablesContext *ctx,
- const char *iface) {
- return iptablesForwardAllowCross(ctx, iface, REMOVE);
+iptablesRemoveForwardAllowCross(const char *iface)
+{
+ return iptablesForwardAllowCross(iface, REMOVE);
}
@@ -589,20 +466,17 @@ iptablesRemoveForwardAllowCross(iptablesContext *ctx,
* ie the bridge is the in interface
*/
static int
-iptablesForwardRejectOut(iptablesContext *ctx,
- const char *iface,
- int action)
+iptablesForwardRejectOut(const char *iface, int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
- action,
- "--in-interface", iface,
- "--jump", "REJECT",
- NULL);
+ return iptablesAddRemoveRule("filter", "FORWARD",
+ action,
+ "--in-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
/**
* iptablesAddForwardRejectOut:
- * @ctx: pointer to the IP table context
* @iface: the output interface name
*
* Add rules to the IP table context to forbid all traffic to that
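Review bot: Four of the five re-added argument lines in iptablesForwardRejectOut (`action,` through `NULL);`) are identical to the removed ones apart from indentation, which buries the one real change, the `"filter", "FORWARD"` first argument, in a whitespace-only diff. The sibling hunk for iptablesForwardRejectIn keeps the original indentation and touches only that one line; this one should do the same so the diff stays reviewable and blame keeps pointing at the original author for the unchanged arguments.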
@@ -611,15 +485,13 @@ iptablesForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectOut(iptablesContext *ctx,
- const char *iface)
+iptablesAddForwardRejectOut(const char *iface)
{
- return iptablesForwardRejectOut(ctx, iface, ADD);
+ return iptablesForwardRejectOut(iface, ADD);
}
/**
* iptablesRemoveForwardRejectOut:
- * @ctx: pointer to the IP table context
* @iface: the output interface name
*
* Remove rules from the IP table context forbidding all traffic to that
@@ -628,24 +500,18 @@ iptablesAddForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectOut(iptablesContext *ctx,
- const char *iface)
+iptablesRemoveForwardRejectOut(const char *iface)
{
- return iptablesForwardRejectOut(ctx, iface, REMOVE);
+ return iptablesForwardRejectOut(iface, REMOVE);
}
-
-
-
/* Drop all traffic trying to forward to the bridge.
* ie the bridge is the out interface
*/
static int
-iptablesForwardRejectIn(iptablesContext *ctx,
- const char *iface,
- int action)
+iptablesForwardRejectIn(const char *iface, int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
action,
"--out-interface", iface,
"--jump", "REJECT",
@@ -654,7 +520,6 @@ iptablesForwardRejectIn(iptablesContext *ctx,
/**
* iptablesAddForwardRejectIn:
- * @ctx: pointer to the IP table context
* @iface: the input interface name
*
* Add rules to the IP table context to forbid all traffic from that
@@ -663,15 +528,13 @@ iptablesForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectIn(iptablesContext *ctx,
- const char *iface)
+iptablesAddForwardRejectIn(const char *iface)
{
- return iptablesForwardRejectIn(ctx, iface, ADD);
+ return iptablesForwardRejectIn(iface, ADD);
}
/**
* iptablesRemoveForwardRejectIn:
- * @ctx: pointer to the IP table context
* @iface: the input interface name
*
* Remove rules from the IP table context forbidding all traffic from that
@@ -680,10 +543,9 @@ iptablesAddForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectIn(iptablesContext *ctx,
- const char *iface)
+iptablesRemoveForwardRejectIn(const char *iface)
{
- return iptablesForwardRejectIn(ctx, iface, REMOVE);
+ return iptablesForwardRejectIn(iface, REMOVE);
}
@@ -691,13 +553,12 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx,
* with the bridge
*/
static int
-iptablesForwardMasquerade(iptablesContext *ctx,
- const char *network,
- const char *physdev,
- int action)
+iptablesForwardMasquerade(const char *network,
+ const char *physdev,
+ int action)
{
if (physdev && physdev[0]) {
- return iptablesAddRemoveRule(ctx->nat_postrouting,
+ return iptablesAddRemoveRule("nat", "POSTROUTING",
action,
"--source", network,
"!", "--destination", network,
@@ -705,7 +566,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
"--jump", "MASQUERADE",
NULL);
} else {
- return iptablesAddRemoveRule(ctx->nat_postrouting,
+ return iptablesAddRemoveRule("nat", "POSTROUTING",
action,
"--source", network,
"!", "--destination", network,
@@ -716,7 +577,6 @@ iptablesForwardMasquerade(iptablesContext *ctx,
/**
* iptablesAddForwardMasquerade:
- * @ctx: pointer to the IP table context
* @network: the source network name
* @physdev: the physical input device or NULL
*
@@ -727,16 +587,14 @@ iptablesForwardMasquerade(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardMasquerade(iptablesContext *ctx,
- const char *network,
+iptablesAddForwardMasquerade(const char *network,
const char *physdev)
{
- return iptablesForwardMasquerade(ctx, network, physdev, ADD);
+ return iptablesForwardMasquerade(network, physdev, ADD);
}
/**
* iptablesRemoveForwardMasquerade:
- * @ctx: pointer to the IP table context
* @network: the source network name
* @physdev: the physical input device or NULL
*
@@ -747,9 +605,8 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardMasquerade(iptablesContext *ctx,
- const char *network,
+iptablesRemoveForwardMasquerade(const char *network,
const char *physdev)
{
- return iptablesForwardMasquerade(ctx, network, physdev, REMOVE);
+ return iptablesForwardMasquerade(network, physdev, REMOVE);
}
diff --git a/src/util/iptables.h b/src/util/iptables.h
index 68d9e0d..8809d7d 100644
--- a/src/util/iptables.h
+++ b/src/util/iptables.h
@@ -22,72 +22,49 @@
#ifndef __QEMUD_IPTABLES_H__
#define __QEMUD_IPTABLES_H__
-typedef struct _iptablesContext iptablesContext;
-
-iptablesContext *iptablesContextNew (void);
-void iptablesContextFree (iptablesContext *ctx);
-
-int iptablesAddTcpInput (iptablesContext *ctx,
- const char *iface,
+int iptablesAddTcpInput (const char *iface,
int port);
-int iptablesRemoveTcpInput (iptablesContext *ctx,
- const char *iface,
+int iptablesRemoveTcpInput (const char *iface,
int port);
-int iptablesAddUdpInput (iptablesContext *ctx,
- const char *iface,
+int iptablesAddUdpInput (const char *iface,
int port);
-int iptablesRemoveUdpInput (iptablesContext *ctx,
- const char *iface,
+int iptablesRemoveUdpInput (const char *iface,
int port);
-int iptablesAddForwardAllowOut (iptablesContext *ctx,
- const char *network,
+int iptablesAddForwardAllowOut (const char *network,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowOut (iptablesContext *ctx,
- const char *network,
+int iptablesRemoveForwardAllowOut (const char *network,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- const char *network,
+int iptablesAddForwardAllowRelatedIn(const char *network,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- const char *network,
+int iptablesRemoveForwardAllowRelatedIn(const char *network,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowIn (iptablesContext *ctx,
- const char *network,
+int iptablesAddForwardAllowIn (const char *network,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowIn (iptablesContext *ctx,
- const char *network,
+int iptablesRemoveForwardAllowIn (const char *network,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowCross (iptablesContext *ctx,
- const char *iface);
-int iptablesRemoveForwardAllowCross (iptablesContext *ctx,
- const char *iface);
+int iptablesAddForwardAllowCross (const char *iface);
+int iptablesRemoveForwardAllowCross (const char *iface);
-int iptablesAddForwardRejectOut (iptablesContext *ctx,
- const char *iface);
-int iptablesRemoveForwardRejectOut (iptablesContext *ctx,
- const char *iface);
+int iptablesAddForwardRejectOut (const char *iface);
+int iptablesRemoveForwardRejectOut (const char *iface);
-int iptablesAddForwardRejectIn (iptablesContext *ctx,
- const char *iface);
-int iptablesRemoveForwardRejectIn (iptablesContext *ctx,
- const char *iface);
+int iptablesAddForwardRejectIn (const char *iface);
+int iptablesRemoveForwardRejectIn (const char *iface);
-int iptablesAddForwardMasquerade (iptablesContext *ctx,
- const char *network,
+int iptablesAddForwardMasquerade (const char *network,
const char *physdev);
-int iptablesRemoveForwardMasquerade (iptablesContext *ctx,
- const char *network,
+int iptablesRemoveForwardMasquerade (const char *network,
const char *physdev);
#endif /* __QEMUD_IPTABLES_H__ */
--
1.6.5.2