10:08 a.m.
Introduce a shell variable 'IBT' to invoke the ip(6)tables command.
Tested with libvirt-tck.
---
v2:
- rebased
---
src/nwfilter/nwfilter_ebiptables_driver.c | 313 ++++++++++++++----------------
1 file changed, 155 insertions(+), 158 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -147,6 +147,10 @@ static const char ebiptables_script_set_
#define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \
virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path);
+#define NWFILTER_SET_IPTABLES_SHELLVAR(BUFPTR) \
+ virBufferAsprintf(BUFPTR, "IPT=%s\n", iptables_cmd_path);
+#define NWFILTER_SET_IP6TABLES_SHELLVAR(BUFPTR) \
+ virBufferAsprintf(BUFPTR, "IPT=%s\n", ip6tables_cmd_path);
#define VIRT_IN_CHAIN "libvirt-in"
#define VIRT_OUT_CHAIN "libvirt-out"
@@ -494,66 +498,60 @@ ebtablesHandleEthHdr(virBufferPtr buf,
/************************ iptables support ************************/
-static int iptablesLinkIPTablesBaseChain(const char *iptables_cmd,
- virBufferPtr buf,
+static int iptablesLinkIPTablesBaseChain(virBufferPtr buf,
const char *udchain,
const char *syschain,
unsigned int pos,
int stopOnError)
{
virBufferAsprintf(buf,
- "res=$(%s -L %s -n --line-number | "
+ "res=$($IPT -L %s -n --line-number | "
"%s \" %s \")\n"
"if [ $? -ne 0 ]; then\n"
- " %s -I %s %d -j %s\n"
+ " $IPT -I %s %d -j %s\n"
"else\n"
" r=$(echo $res | %s '{print $1}')\n"
" if [ \"${r}\" != \"%d\" ];
then\n"
- " " CMD_DEF("%s -I %s %d -j %s")
CMD_SEPARATOR
+ " " CMD_DEF("$IPT -I %s %d -j %s")
CMD_SEPARATOR
" " CMD_EXEC
" %s"
" r=$(( $r + 1 ))\n"
- " " CMD_DEF("%s -D %s ${r}") CMD_SEPARATOR
+ " " CMD_DEF("$IPT -D %s ${r}")
CMD_SEPARATOR
" " CMD_EXEC
" %s"
" fi\n"
"fi\n",
- iptables_cmd, syschain,
+ syschain,
grep_cmd_path, udchain,
- iptables_cmd, syschain, pos, udchain,
+ syschain, pos, udchain,
gawk_cmd_path,
pos,
- iptables_cmd, syschain, pos, udchain,
+ syschain, pos, udchain,
CMD_STOPONERR(stopOnError),
- iptables_cmd, syschain,
+ syschain,
CMD_STOPONERR(stopOnError));
return 0;
}
-static int iptablesCreateBaseChains(const char *iptables_cmd,
- virBufferPtr buf)
+static int iptablesCreateBaseChains(virBufferPtr buf)
{
- virBufferAsprintf(buf,"%s -N " VIRT_IN_CHAIN CMD_SEPARATOR
- "%s -N " VIRT_OUT_CHAIN CMD_SEPARATOR
- "%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
- "%s -N " HOST_IN_CHAIN CMD_SEPARATOR,
- iptables_cmd,
- iptables_cmd,
- iptables_cmd,
- iptables_cmd);
- iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
+ virBufferAddLit(buf, "$IPT -N " VIRT_IN_CHAIN CMD_SEPARATOR
+ "$IPT -N " VIRT_OUT_CHAIN CMD_SEPARATOR
+ "$IPT -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
+ "$IPT -N " HOST_IN_CHAIN CMD_SEPARATOR);
+ iptablesLinkIPTablesBaseChain(buf,
VIRT_IN_CHAIN , "FORWARD", 1, 1);
- iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
+ iptablesLinkIPTablesBaseChain(buf,
VIRT_OUT_CHAIN , "FORWARD", 2, 1);
- iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
+ iptablesLinkIPTablesBaseChain(buf,
VIRT_IN_POST_CHAIN, "FORWARD", 3, 1);
- iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
+ iptablesLinkIPTablesBaseChain(buf,
HOST_IN_CHAIN , "INPUT" , 1, 1);
return 0;
@@ -561,8 +559,7 @@ static int iptablesCreateBaseChains(cons
static int
-iptablesCreateTmpRootChain(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesCreateTmpRootChain(virBufferPtr buf,
char prefix,
int incoming, const char *ifname,
int stopOnError)
@@ -577,10 +574,9 @@ iptablesCreateTmpRootChain(const char *i
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf,
- CMD_DEF("%s -N %s") CMD_SEPARATOR
+ CMD_DEF("$IPT -N %s") CMD_SEPARATOR
CMD_EXEC
"%s",
- iptables_cmd,
chain,
CMD_STOPONERR(stopOnError));
@@ -589,20 +585,18 @@ iptablesCreateTmpRootChain(const char *i
static int
-iptablesCreateTmpRootChains(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesCreateTmpRootChains(virBufferPtr buf,
const char *ifname)
{
- iptablesCreateTmpRootChain(iptables_cmd, buf, 'F', 0, ifname, 1);
- iptablesCreateTmpRootChain(iptables_cmd, buf, 'F', 1, ifname, 1);
- iptablesCreateTmpRootChain(iptables_cmd, buf, 'H', 1, ifname, 1);
+ iptablesCreateTmpRootChain(buf, 'F', 0, ifname, 1);
+ iptablesCreateTmpRootChain(buf, 'F', 1, ifname, 1);
+ iptablesCreateTmpRootChain(buf, 'H', 1, ifname, 1);
return 0;
}
static int
-_iptablesRemoveRootChain(const char *iptables_cmd,
- virBufferPtr buf,
+_iptablesRemoveRootChain(virBufferPtr buf,
char prefix,
int incoming, const char *ifname,
int isTempChain)
@@ -622,66 +616,60 @@ _iptablesRemoveRootChain(const char *ipt
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf,
- "%s -F %s" CMD_SEPARATOR
- "%s -X %s" CMD_SEPARATOR,
- iptables_cmd, chain,
- iptables_cmd, chain);
+ "$IPT -F %s" CMD_SEPARATOR
+ "$IPT -X %s" CMD_SEPARATOR,
+ chain,
+ chain);
return 0;
}
static int
-iptablesRemoveRootChain(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesRemoveRootChain(virBufferPtr buf,
char prefix,
int incoming,
const char *ifname)
{
- return _iptablesRemoveRootChain(iptables_cmd,
- buf, prefix, incoming, ifname, 0);
+ return _iptablesRemoveRootChain(buf, prefix, incoming, ifname, 0);
}
static int
-iptablesRemoveTmpRootChain(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesRemoveTmpRootChain(virBufferPtr buf,
char prefix,
int incoming,
const char *ifname)
{
- return _iptablesRemoveRootChain(iptables_cmd, buf, prefix,
+ return _iptablesRemoveRootChain(buf, prefix,
incoming, ifname, 1);
}
static int
-iptablesRemoveTmpRootChains(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesRemoveTmpRootChains(virBufferPtr buf,
const char *ifname)
{
- iptablesRemoveTmpRootChain(iptables_cmd, buf, 'F', 0, ifname);
- iptablesRemoveTmpRootChain(iptables_cmd, buf, 'F', 1, ifname);
- iptablesRemoveTmpRootChain(iptables_cmd, buf, 'H', 1, ifname);
+ iptablesRemoveTmpRootChain(buf, 'F', 0, ifname);
+ iptablesRemoveTmpRootChain(buf, 'F', 1, ifname);
+ iptablesRemoveTmpRootChain(buf, 'H', 1, ifname);
return 0;
}
static int
-iptablesRemoveRootChains(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesRemoveRootChains(virBufferPtr buf,
const char *ifname)
{
- iptablesRemoveRootChain(iptables_cmd, buf, 'F', 0, ifname);
- iptablesRemoveRootChain(iptables_cmd, buf, 'F', 1, ifname);
- iptablesRemoveRootChain(iptables_cmd, buf, 'H', 1, ifname);
+ iptablesRemoveRootChain(buf, 'F', 0, ifname);
+ iptablesRemoveRootChain(buf, 'F', 1, ifname);
+ iptablesRemoveRootChain(buf, 'H', 1, ifname);
return 0;
}
static int
-iptablesLinkTmpRootChain(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesLinkTmpRootChain(virBufferPtr buf,
const char *basechain,
char prefix,
int incoming, const char *ifname,
@@ -699,11 +687,10 @@ iptablesLinkTmpRootChain(const char *ipt
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf,
- CMD_DEF("%s -A %s "
+ CMD_DEF("$IPT -A %s "
"%s %s -g %s") CMD_SEPARATOR
CMD_EXEC
"%s",
- iptables_cmd,
basechain,
match, ifname, chain,
@@ -714,37 +701,33 @@ iptablesLinkTmpRootChain(const char *ipt
static int
-iptablesLinkTmpRootChains(const char *cmd,
- virBufferPtr buf,
+iptablesLinkTmpRootChains(virBufferPtr buf,
const char *ifname)
{
- iptablesLinkTmpRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname, 1);
- iptablesLinkTmpRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname, 1);
- iptablesLinkTmpRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname, 1);
+ iptablesLinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname, 1);
+ iptablesLinkTmpRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname, 1);
+ iptablesLinkTmpRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname, 1);
return 0;
}
static int
-iptablesSetupVirtInPost(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesSetupVirtInPost(virBufferPtr buf,
const char *ifname)
{
const char *match = MATCH_PHYSDEV_IN;
virBufferAsprintf(buf,
- "res=$(%s -n -L " VIRT_IN_POST_CHAIN
+ "res=$($IPT -n -L " VIRT_IN_POST_CHAIN
" | grep \"\\%s %s\")\n"
"if [ \"${res}\" = \"\" ]; then "
- CMD_DEF("%s"
+ CMD_DEF("$IPT"
" -A " VIRT_IN_POST_CHAIN
" %s %s -j ACCEPT") CMD_SEPARATOR
CMD_EXEC
"%s"
"fi\n",
- iptables_cmd,
PHYSDEV_IN, ifname,
- iptables_cmd,
match, ifname,
CMD_STOPONERR(1));
return 0;
@@ -752,22 +735,19 @@ iptablesSetupVirtInPost(const char *ipta
static int
-iptablesClearVirtInPost(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesClearVirtInPost(virBufferPtr buf,
const char *ifname)
{
const char *match = MATCH_PHYSDEV_IN;
virBufferAsprintf(buf,
- "%s -D " VIRT_IN_POST_CHAIN
+ "$IPT -D " VIRT_IN_POST_CHAIN
" %s %s -j ACCEPT" CMD_SEPARATOR,
- iptables_cmd,
match, ifname);
return 0;
}
static int
-_iptablesUnlinkRootChain(const char *iptables_cmd,
- virBufferPtr buf,
+_iptablesUnlinkRootChain(virBufferPtr buf,
const char *basechain,
char prefix,
int incoming, const char *ifname,
@@ -789,9 +769,8 @@ _iptablesUnlinkRootChain(const char *ipt
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
virBufferAsprintf(buf,
- "%s -D %s "
+ "$IPT -D %s "
"%s %s -g %s" CMD_SEPARATOR,
- iptables_cmd,
basechain,
match, ifname, chain);
@@ -800,57 +779,52 @@ _iptablesUnlinkRootChain(const char *ipt
static int
-iptablesUnlinkRootChain(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesUnlinkRootChain(virBufferPtr buf,
const char *basechain,
char prefix,
int incoming, const char *ifname)
{
- return _iptablesUnlinkRootChain(iptables_cmd, buf,
+ return _iptablesUnlinkRootChain(buf,
basechain, prefix, incoming, ifname, 0);
}
static int
-iptablesUnlinkTmpRootChain(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesUnlinkTmpRootChain(virBufferPtr buf,
const char *basechain,
char prefix,
int incoming, const char *ifname)
{
- return _iptablesUnlinkRootChain(iptables_cmd, buf,
+ return _iptablesUnlinkRootChain(buf,
basechain, prefix, incoming, ifname, 1);
}
static int
-iptablesUnlinkRootChains(const char *cmd,
- virBufferPtr buf,
+iptablesUnlinkRootChains(virBufferPtr buf,
const char *ifname)
{
- iptablesUnlinkRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname);
- iptablesUnlinkRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname);
- iptablesUnlinkRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname);
+ iptablesUnlinkRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname);
+ iptablesUnlinkRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname);
+ iptablesUnlinkRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname);
return 0;
}
static int
-iptablesUnlinkTmpRootChains(const char *cmd,
- virBufferPtr buf,
+iptablesUnlinkTmpRootChains(virBufferPtr buf,
const char *ifname)
{
- iptablesUnlinkTmpRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname);
- iptablesUnlinkTmpRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname);
- iptablesUnlinkTmpRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname);
+ iptablesUnlinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname);
+ iptablesUnlinkTmpRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname);
+ iptablesUnlinkTmpRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname);
return 0;
}
static int
-iptablesRenameTmpRootChain(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesRenameTmpRootChain(virBufferPtr buf,
char prefix,
int incoming,
const char *ifname)
@@ -871,8 +845,7 @@ iptablesRenameTmpRootChain(const char *i
PRINT_IPT_ROOT_CHAIN( chain, chainPrefix, ifname);
virBufferAsprintf(buf,
- "%s -E %s %s" CMD_SEPARATOR,
- iptables_cmd,
+ "$IPT -E %s %s" CMD_SEPARATOR,
tmpchain,
chain);
return 0;
@@ -880,13 +853,12 @@ iptablesRenameTmpRootChain(const char *i
static int
-iptablesRenameTmpRootChains(const char *iptables_cmd,
- virBufferPtr buf,
+iptablesRenameTmpRootChains(virBufferPtr buf,
const char *ifname)
{
- iptablesRenameTmpRootChain(iptables_cmd, buf, 'F', 0, ifname);
- iptablesRenameTmpRootChain(iptables_cmd, buf, 'F', 1, ifname);
- iptablesRenameTmpRootChain(iptables_cmd, buf, 'H', 1, ifname);
+ iptablesRenameTmpRootChain(buf, 'F', 0, ifname);
+ iptablesRenameTmpRootChain(buf, 'F', 1, ifname);
+ iptablesRenameTmpRootChain(buf, 'H', 1, ifname);
return 0;
}
@@ -1260,8 +1232,7 @@ _iptablesCreateRuleInstance(int directio
case VIR_NWFILTER_RULE_PROTOCOL_TCP:
case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "%s -%%c %s %%s",
- iptables_cmd,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
chain);
virBufferAddLit(&buf, " -p tcp");
@@ -1316,8 +1287,7 @@ _iptablesCreateRuleInstance(int directio
case VIR_NWFILTER_RULE_PROTOCOL_UDP:
case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "%s -%%c %s %%s",
- iptables_cmd,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
chain);
virBufferAddLit(&buf, " -p udp");
@@ -1350,8 +1320,7 @@ _iptablesCreateRuleInstance(int directio
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "%s -%%c %s %%s",
- iptables_cmd,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
chain);
virBufferAddLit(&buf, " -p udplite");
@@ -1379,8 +1348,7 @@ _iptablesCreateRuleInstance(int directio
case VIR_NWFILTER_RULE_PROTOCOL_ESP:
case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "%s -%%c %s %%s",
- iptables_cmd,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
chain);
virBufferAddLit(&buf, " -p esp");
@@ -1408,8 +1376,7 @@ _iptablesCreateRuleInstance(int directio
case VIR_NWFILTER_RULE_PROTOCOL_AH:
case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "%s -%%c %s %%s",
- iptables_cmd,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
chain);
virBufferAddLit(&buf, " -p ah");
@@ -1437,8 +1404,7 @@ _iptablesCreateRuleInstance(int directio
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "%s -%%c %s %%s",
- iptables_cmd,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
chain);
virBufferAddLit(&buf, " -p sctp");
@@ -1471,8 +1437,7 @@ _iptablesCreateRuleInstance(int directio
case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "%s -%%c %s %%s",
- iptables_cmd,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
chain);
if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
@@ -1537,8 +1502,7 @@ _iptablesCreateRuleInstance(int directio
case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "%s -%%c %s %%s",
- iptables_cmd,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
chain);
virBufferAddLit(&buf, " -p igmp");
@@ -1566,8 +1530,7 @@ _iptablesCreateRuleInstance(int directio
case VIR_NWFILTER_RULE_PROTOCOL_ALL:
case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "%s -%%c %s %%s",
- iptables_cmd,
+ CMD_DEF_PRE "$IPT -%%c %s %%s",
chain);
virBufferAddLit(&buf, " -p all");
@@ -3692,24 +3655,32 @@ ebiptablesApplyNewRules(virConnectPtr co
goto tear_down_tmpebchains;
if (haveIptables) {
- iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname);
- iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
+ iptablesUnlinkTmpRootChains(&buf, ifname);
+ iptablesRemoveTmpRootChains(&buf, ifname);
- iptablesCreateBaseChains(iptables_cmd_path, &buf);
+ iptablesCreateBaseChains(&buf);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpebchains;
- iptablesCreateTmpRootChains(iptables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
+ iptablesCreateTmpRootChains(&buf, ifname);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpiptchains;
- iptablesLinkTmpRootChains(iptables_cmd_path, &buf, ifname);
- iptablesSetupVirtInPost(iptables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
+ iptablesLinkTmpRootChains(&buf, ifname);
+ iptablesSetupVirtInPost(&buf, ifname);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpiptchains;
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
for (i = 0; i < nruleInstances; i++) {
sa_assert (inst);
if (inst[i]->ruleType == RT_IPTABLES)
@@ -3725,24 +3696,32 @@ ebiptablesApplyNewRules(virConnectPtr co
}
if (haveIp6tables) {
- iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname);
- iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+
+ iptablesUnlinkTmpRootChains(&buf, ifname);
+ iptablesRemoveTmpRootChains(&buf, ifname);
- iptablesCreateBaseChains(ip6tables_cmd_path, &buf);
+ iptablesCreateBaseChains(&buf);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpiptchains;
- iptablesCreateTmpRootChains(ip6tables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+
+ iptablesCreateTmpRootChains(&buf, ifname);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpip6tchains;
- iptablesLinkTmpRootChains(ip6tables_cmd_path, &buf, ifname);
- iptablesSetupVirtInPost(ip6tables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+
+ iptablesLinkTmpRootChains(&buf, ifname);
+ iptablesSetupVirtInPost(&buf, ifname);
if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0)
goto tear_down_tmpip6tchains;
+ NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+
for (i = 0; i < nruleInstances; i++) {
if (inst[i]->ruleType == RT_IP6TABLES)
iptablesInstCommand(&buf,
@@ -3787,14 +3766,18 @@ tear_down_ebsubchains_and_unlink:
tear_down_tmpip6tchains:
if (haveIp6tables) {
- iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname);
- iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+
+ iptablesUnlinkTmpRootChains(&buf, ifname);
+ iptablesRemoveTmpRootChains(&buf, ifname);
}
tear_down_tmpiptchains:
if (haveIptables) {
- iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname);
- iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
+ iptablesUnlinkTmpRootChains(&buf, ifname);
+ iptablesRemoveTmpRootChains(&buf, ifname);
}
tear_down_tmpebchains:
@@ -3837,13 +3820,17 @@ ebiptablesTearNewRules(virConnectPtr con
virBuffer buf = VIR_BUFFER_INITIALIZER;
if (iptables_cmd_path) {
- iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname);
- iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
+ iptablesUnlinkTmpRootChains(&buf, ifname);
+ iptablesRemoveTmpRootChains(&buf, ifname);
}
if (ip6tables_cmd_path) {
- iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname);
- iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+
+ iptablesUnlinkTmpRootChains(&buf, ifname);
+ iptablesRemoveTmpRootChains(&buf, ifname);
}
if (ebtables_cmd_path) {
@@ -3872,18 +3859,22 @@ ebiptablesTearOldRules(virConnectPtr con
/* switch to new iptables user defined chains */
if (iptables_cmd_path) {
- iptablesUnlinkRootChains(iptables_cmd_path, &buf, ifname);
- iptablesRemoveRootChains(iptables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
+ iptablesUnlinkRootChains(&buf, ifname);
+ iptablesRemoveRootChains(&buf, ifname);
- iptablesRenameTmpRootChains(iptables_cmd_path, &buf, ifname);
+ iptablesRenameTmpRootChains(&buf, ifname);
ebiptablesExecCLI(&buf, &cli_status, NULL);
}
if (ip6tables_cmd_path) {
- iptablesUnlinkRootChains(ip6tables_cmd_path, &buf, ifname);
- iptablesRemoveRootChains(ip6tables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
- iptablesRenameTmpRootChains(ip6tables_cmd_path, &buf, ifname);
+ iptablesUnlinkRootChains(&buf, ifname);
+ iptablesRemoveRootChains(&buf, ifname);
+
+ iptablesRenameTmpRootChains(&buf, ifname);
ebiptablesExecCLI(&buf, &cli_status, NULL);
}
@@ -3970,15 +3961,19 @@ ebiptablesAllTeardown(const char *ifname
int cli_status;
if (iptables_cmd_path) {
- iptablesUnlinkRootChains(iptables_cmd_path, &buf, ifname);
- iptablesClearVirtInPost (iptables_cmd_path, &buf, ifname);
- iptablesRemoveRootChains(iptables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
+ iptablesUnlinkRootChains(&buf, ifname);
+ iptablesClearVirtInPost (&buf, ifname);
+ iptablesRemoveRootChains(&buf, ifname);
}
if (ip6tables_cmd_path) {
- iptablesUnlinkRootChains(ip6tables_cmd_path, &buf, ifname);
- iptablesClearVirtInPost (ip6tables_cmd_path, &buf, ifname);
- iptablesRemoveRootChains(ip6tables_cmd_path, &buf, ifname);
+ NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+
+ iptablesUnlinkRootChains(&buf, ifname);
+ iptablesClearVirtInPost (&buf, ifname);
+ iptablesRemoveRootChains(&buf, ifname);
}
if (ebtables_cmd_path) {
@@ -4052,11 +4047,12 @@ ebiptablesDriverInit(bool privileged)
iptables_cmd_path = virFindFileInPath("iptables");
if (iptables_cmd_path) {
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
virBufferAsprintf(&buf,
- CMD_DEF("%s -n -L FORWARD") CMD_SEPARATOR
+ CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR
CMD_EXEC
"%s",
- iptables_cmd_path,
CMD_STOPONERR(1));
if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)
@@ -4065,11 +4061,12 @@ ebiptablesDriverInit(bool privileged)
ip6tables_cmd_path = virFindFileInPath("ip6tables");
if (ip6tables_cmd_path) {
+ NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+
virBufferAsprintf(&buf,
- CMD_DEF("%s -n -L FORWARD") CMD_SEPARATOR
+ CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR
CMD_EXEC
"%s",
- ip6tables_cmd_path,
CMD_STOPONERR(1));
if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)
2:06 p.m.
On 11/22/2011 09:08 AM, Stefan Berger wrote:
Introduce a shell variable 'IBT' to invoke the ip(6)tables
command.
Tested with libvirt-tck.
---
v2:
- rebased
---
src/nwfilter/nwfilter_ebiptables_driver.c | 313 ++++++++++++++----------------
1 file changed, 155 insertions(+), 158 deletions(-)
ACK.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
2:40 p.m.
On 11/22/2011 03:06 PM, Eric Blake wrote:
On 11/22/2011 09:08 AM, Stefan Berger wrote:
> Introduce a shell variable 'IBT' to invoke the ip(6)tables command.
>
> Tested with libvirt-tck.
>
> ---
> v2:
> - rebased
>
> ---
> src/nwfilter/nwfilter_ebiptables_driver.c | 313 ++++++++++++++----------------
> 1 file changed, 155 insertions(+), 158 deletions(-)
ACK.
I pushed the 2 patches.
4750
days inactive
4750
days old
2 comments
2 participants
participants (2)
-
Eric Blake -
Stefan Berger