10:37 a.m.
Currently we have three places which interact with the firewall
- util/virebtables - simple MAC filtering used by QEMU driver
- util/viriptables - used by network driver
- nwfilter - general purpose guest filtering
All of these have been hacked to support firewalld by re-directing
them via the 'firewall-cmd' command line tool. Unfortunately talking
to firewalld via this CLI tool is incredibly inefficient.
eg timing the network driver
$ for i in `seq 1 10` ; do virsh net-start default; virsh net-destroy default ; done
Direct iptables: 3 seconds
Via firewall-cmd: 42 seconds
Or timing the nwfilter driver via libvirt-tck/scripts/nwfilter/050-apply-verify-host.t
Direct iptables: 28 seconds
Via firewall-cmd: 479 seconds
IOW it is more than x10 slower to use firewall-cmd.
Testing revealed that this performance penalty is entirely due to the
'firewall-cmd' command line tool. If you talk directly to firewalld
over DBus then the performance is near native.
Unfortunately switching to use the DBus API is non-trivial since all
the code we have for interacting with the firewall is just constructing
virCommand instances directly (viriptables) or constructing gross shell
scripts (nwfilter).
Thus to enable use of the DBus API this series introduces the concept of
a new object and APIs for interacting with the firewall "virFirewall".
This API is designed to be a fairly generic basis for interacting with
any firewall. It just has a concept of a level (ethernet, ipv4 or ipv6)
and lists of rules, where each rule is just a string array of args. The
idea is that the mechanism for interacting with the firewall can be
generic and portable, even though the actual rules will be different on
Linux vs FreeBSD vs other OS.
The initial virFirewall implementation supports direct iptables/ebtables
invocation or the DBus firewalld API. Use of firewall-cmd has been killed
completely.
Adapting code to use virFirewall has been a pretty horrific job, so is
split up into as many patches as is practical. By far the worst/hardest
patch is the one for nwfilter applyNewRules method (patch 23). Fortunately
the libvirt-tck has a large set of XML data files and corresponding
expected iptables/ebtables rules. This series passes the libvirt-tck 100%
before and after, so I'm fairly confident that all the core functionality is
working correctly.
I also introduced new unit tests, that re-use the XML files from the
libvirt-tck to validate the actual iptables/ebtables commands that libvirt
tests. I've run this unit test under valgrind and under the OOM simulator
to identify and fix any crashes / leaks that the refactoring introduced.
With this series applied the performance is vastly improved for firewalld
eg timing the network driver
$ for i in `seq 1 10` ; do virsh net-start default; virsh net-destroy default ; done
Direct iptables: 3 seconds
Via firewall-cmd: 3 seconds
Or timing the nwfilter driver via libvirt-tck/scripts/nwfilter/050-apply-verify-host.t
Direct iptables: 29 seconds
Via firewall-cmd: 37 seconds
IOW firewalld is only marginly slower than direct iptables usage now.
Regards,
Daniel
Daniel P. Berrange (26):
Move virNWFilterTechDriver struct out of nwfilter_conf.h
Remove virDomainNetType parameter from nwfilter drivers
Remove pointless storage of var names in virNWFilterHashTable
Remove nwfilter tech driver 'removeRules' callback
Remove nwfilter tech driver 'displayRuleInstance' callback
Add helper methods for determining what protocol layer is used
Push virNWFilterRuleInstPtr out of (eb|ip)tablesCreateRuleInstance
Merge nwfilter createRuleInstance driver into applyNewRules
Remove two-stage construction of commands in nwfilter
Preserve error when tearing down nwfilter rules
Introduce an object for managing firewall rulesets
Convert bridge driver over to use new firewall APIs
Replace virNetworkObjPtr with virNetworkDefPtr in network platform
APIs
Add test for converting network XML to iptables rules
Convert ebtables code over to use firewall APIs
Convert nwfilter ebiptablesAllTeardown to virFirewall
Convert nwfilter ebiptablesTearOldRules to virFirewall
Convert nwfilter ebtablesRemoveBasicRules to virFirewall
Convert nwfilter ebiptablesTearNewRules to virFirewall
Convert nwfilter ebtablesApplyBasicRules to virFirewall
Convert nwfilter ebtablesApplyDHCPOnlyRules to virFirewall
Convert nwfilter ebtablesApplyDropAllRules to virFirewall
Convert nwfilter ebiptablesApplyNewRules to virFirewall
Convert ebiptablesDriverProbeStateMatch to virFirewall
Remove last trace of direct firewall command exection
Add a test suite for nwfilter ebiptables tech driver
include/libvirt/virterror.h | 1 +
po/POTFILES.in | 1 +
src/Makefile.am | 21 +-
src/conf/nwfilter_conf.c | 49 +-
src/conf/nwfilter_conf.h | 107 +-
src/conf/nwfilter_ipaddrmap.c | 2 +-
src/conf/nwfilter_params.c | 63 +-
src/conf/nwfilter_params.h | 7 +-
src/libvirt_private.syms | 22 +
src/network/bridge_driver.c | 18 +-
src/network/bridge_driver_linux.c | 757 ++--
src/network/bridge_driver_nop.c | 6 +-
src/network/bridge_driver_platform.h | 7 +-
src/nwfilter/nwfilter_dhcpsnoop.c | 6 -
src/nwfilter/nwfilter_dhcpsnoop.h | 3 +-
src/nwfilter/nwfilter_ebiptables_driver.c | 3867 ++++++++------------
src/nwfilter/nwfilter_ebiptables_driver.h | 19 +-
src/nwfilter/nwfilter_gentech_driver.c | 415 +--
src/nwfilter/nwfilter_gentech_driver.h | 2 +-
src/nwfilter/nwfilter_learnipaddr.c | 5 -
src/nwfilter/nwfilter_learnipaddr.h | 3 +-
src/nwfilter/nwfilter_tech_driver.h | 96 +
src/qemu/qemu_command.c | 6 +-
src/util/virebtables.c | 185 +-
src/util/virerror.c | 1 +
src/util/virfirewall.c | 922 +++++
src/util/virfirewall.h | 109 +
src/util/virfirewallpriv.h | 45 +
src/util/viriptables.c | 632 ++--
src/util/viriptables.h | 114 +-
tests/Makefile.am | 42 +-
.../networkxml2firewalldata/nat-default-linux.args | 30 +
tests/networkxml2firewalldata/nat-default.xml | 10 +
tests/networkxml2firewalldata/nat-ipv6-linux.args | 44 +
tests/networkxml2firewalldata/nat-ipv6.xml | 15 +
.../nat-many-ips-linux.args | 58 +
tests/networkxml2firewalldata/nat-many-ips.xml | 12 +
.../networkxml2firewalldata/nat-no-dhcp-linux.args | 42 +
tests/networkxml2firewalldata/nat-no-dhcp.xml | 7 +
tests/networkxml2firewalldata/nat-tftp-linux.args | 32 +
tests/networkxml2firewalldata/nat-tftp.xml | 11 +
.../route-default-linux.args | 20 +
tests/networkxml2firewalldata/route-default.xml | 10 +
tests/networkxml2firewalltest.c | 162 +
tests/nwfilterebiptablestest.c | 548 +++
tests/nwfilterxml2firewalldata/ah-ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/ah-ipv6.xml | 19 +
tests/nwfilterxml2firewalldata/ah-linux.args | 18 +
tests/nwfilterxml2firewalldata/ah.xml | 18 +
tests/nwfilterxml2firewalldata/all-ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/all-ipv6.xml | 19 +
tests/nwfilterxml2firewalldata/all-linux.args | 18 +
tests/nwfilterxml2firewalldata/all.xml | 18 +
tests/nwfilterxml2firewalldata/arp-linux.args | 11 +
tests/nwfilterxml2firewalldata/arp.xml | 32 +
tests/nwfilterxml2firewalldata/comment-linux.args | 49 +
tests/nwfilterxml2firewalldata/comment.xml | 71 +
.../nwfilterxml2firewalldata/conntrack-linux.args | 7 +
tests/nwfilterxml2firewalldata/conntrack.xml | 12 +
tests/nwfilterxml2firewalldata/esp-ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/esp-ipv6.xml | 19 +
tests/nwfilterxml2firewalldata/esp-linux.args | 18 +
tests/nwfilterxml2firewalldata/esp.xml | 18 +
.../nwfilterxml2firewalldata/example-1-linux.args | 13 +
tests/nwfilterxml2firewalldata/example-1.xml | 24 +
.../nwfilterxml2firewalldata/example-2-linux.args | 20 +
tests/nwfilterxml2firewalldata/example-2.xml | 37 +
tests/nwfilterxml2firewalldata/hex-data-linux.args | 28 +
tests/nwfilterxml2firewalldata/hex-data.xml | 56 +
.../icmp-direction-linux.args | 9 +
tests/nwfilterxml2firewalldata/icmp-direction.xml | 15 +
.../icmp-direction2-linux.args | 9 +
tests/nwfilterxml2firewalldata/icmp-direction2.xml | 15 +
.../icmp-direction3-linux.args | 6 +
tests/nwfilterxml2firewalldata/icmp-direction3.xml | 10 +
tests/nwfilterxml2firewalldata/icmp-linux.args | 9 +
tests/nwfilterxml2firewalldata/icmp.xml | 13 +
tests/nwfilterxml2firewalldata/icmpv6-linux.args | 12 +
tests/nwfilterxml2firewalldata/icmpv6.xml | 19 +
tests/nwfilterxml2firewalldata/igmp-linux.args | 18 +
tests/nwfilterxml2firewalldata/igmp.xml | 18 +
tests/nwfilterxml2firewalldata/ip-linux.args | 8 +
tests/nwfilterxml2firewalldata/ip.xml | 28 +
tests/nwfilterxml2firewalldata/ipset-linux.args | 36 +
tests/nwfilterxml2firewalldata/ipset.xml | 25 +
.../ipt-no-macspoof-linux.args | 2 +
tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml | 14 +
tests/nwfilterxml2firewalldata/ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/ipv6.xml | 43 +
tests/nwfilterxml2firewalldata/iter1-linux.args | 18 +
tests/nwfilterxml2firewalldata/iter1.xml | 6 +
tests/nwfilterxml2firewalldata/iter2-linux.args | 342 ++
tests/nwfilterxml2firewalldata/iter2.xml | 23 +
tests/nwfilterxml2firewalldata/iter3-linux.args | 30 +
tests/nwfilterxml2firewalldata/iter3.xml | 13 +
tests/nwfilterxml2firewalldata/mac-linux.args | 8 +
tests/nwfilterxml2firewalldata/mac.xml | 19 +
tests/nwfilterxml2firewalldata/rarp-linux.args | 12 +
tests/nwfilterxml2firewalldata/rarp.xml | 28 +
tests/nwfilterxml2firewalldata/ref-rule.xml | 18 +
tests/nwfilterxml2firewalldata/ref.xml | 4 +
.../nwfilterxml2firewalldata/sctp-ipv6-linux.args | 22 +
tests/nwfilterxml2firewalldata/sctp-ipv6.xml | 22 +
tests/nwfilterxml2firewalldata/sctp-linux.args | 20 +
tests/nwfilterxml2firewalldata/sctp.xml | 22 +
tests/nwfilterxml2firewalldata/stp-linux.args | 18 +
tests/nwfilterxml2firewalldata/stp.xml | 26 +
tests/nwfilterxml2firewalldata/target-linux.args | 75 +
tests/nwfilterxml2firewalldata/target.xml | 66 +
tests/nwfilterxml2firewalldata/target2-linux.args | 13 +
tests/nwfilterxml2firewalldata/target2.xml | 18 +
tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args | 22 +
tests/nwfilterxml2firewalldata/tcp-ipv6.xml | 22 +
tests/nwfilterxml2firewalldata/tcp-linux.args | 22 +
tests/nwfilterxml2firewalldata/tcp.xml | 34 +
tests/nwfilterxml2firewalldata/udp-ipv6-linux.args | 22 +
tests/nwfilterxml2firewalldata/udp-ipv6.xml | 22 +
tests/nwfilterxml2firewalldata/udp-linux.args | 20 +
tests/nwfilterxml2firewalldata/udp.xml | 22 +
.../udplite-ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/udplite-ipv6.xml | 19 +
tests/nwfilterxml2firewalldata/udplite-linux.args | 18 +
tests/nwfilterxml2firewalldata/udplite.xml | 18 +
tests/nwfilterxml2firewalldata/vlan-linux.args | 14 +
tests/nwfilterxml2firewalldata/vlan.xml | 38 +
tests/nwfilterxml2firewalltest.c | 534 +++
tests/testutils.c | 18 +-
tests/virfirewalltest.c | 1186 ++++++
128 files changed, 8637 insertions(+), 3685 deletions(-)
create mode 100644 src/nwfilter/nwfilter_tech_driver.h
create mode 100644 src/util/virfirewall.c
create mode 100644 src/util/virfirewall.h
create mode 100644 src/util/virfirewallpriv.h
create mode 100644 tests/networkxml2firewalldata/nat-default-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-default.xml
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-ipv6.xml
create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-many-ips.xml
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp.xml
create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-tftp.xml
create mode 100644 tests/networkxml2firewalldata/route-default-linux.args
create mode 100644 tests/networkxml2firewalldata/route-default.xml
create mode 100644 tests/networkxml2firewalltest.c
create mode 100644 tests/nwfilterebiptablestest.c
create mode 100644 tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ah-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/ah-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ah.xml
create mode 100644 tests/nwfilterxml2firewalldata/all-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/all-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/all-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/all.xml
create mode 100644 tests/nwfilterxml2firewalldata/arp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/arp.xml
create mode 100644 tests/nwfilterxml2firewalldata/comment-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/comment.xml
create mode 100644 tests/nwfilterxml2firewalldata/conntrack-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/conntrack.xml
create mode 100644 tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/esp-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/esp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/esp.xml
create mode 100644 tests/nwfilterxml2firewalldata/example-1-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/example-1.xml
create mode 100644 tests/nwfilterxml2firewalldata/example-2-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/example-2.xml
create mode 100644 tests/nwfilterxml2firewalldata/hex-data-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/hex-data.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction2.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction3.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmp.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmpv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmpv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/igmp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/igmp.xml
create mode 100644 tests/nwfilterxml2firewalldata/ip-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ip.xml
create mode 100644 tests/nwfilterxml2firewalldata/ipset-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ipset.xml
create mode 100644 tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
create mode 100644 tests/nwfilterxml2firewalldata/ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/iter1-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/iter1.xml
create mode 100644 tests/nwfilterxml2firewalldata/iter2-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/iter2.xml
create mode 100644 tests/nwfilterxml2firewalldata/iter3-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/iter3.xml
create mode 100644 tests/nwfilterxml2firewalldata/mac-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/mac.xml
create mode 100644 tests/nwfilterxml2firewalldata/rarp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/rarp.xml
create mode 100644 tests/nwfilterxml2firewalldata/ref-rule.xml
create mode 100644 tests/nwfilterxml2firewalldata/ref.xml
create mode 100644 tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/sctp-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/sctp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/sctp.xml
create mode 100644 tests/nwfilterxml2firewalldata/stp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/stp.xml
create mode 100644 tests/nwfilterxml2firewalldata/target-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/target.xml
create mode 100644 tests/nwfilterxml2firewalldata/target2-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/target2.xml
create mode 100644 tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/tcp-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/tcp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/tcp.xml
create mode 100644 tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/udp-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/udp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/udp.xml
create mode 100644 tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/udplite-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/udplite-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/udplite.xml
create mode 100644 tests/nwfilterxml2firewalldata/vlan-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/vlan.xml
create mode 100644 tests/nwfilterxml2firewalltest.c
create mode 100644 tests/virfirewalltest.c
--
1.9.0
10:37 a.m.
New subject: [libvirt] [PATCH 01/26] Move virNWFilterTechDriver struct out of nwfilter_conf.h
The virNWFilterTechDriver struct is nothing todo with the nwfilter
XML configuration. It stores data specific to the driver implementation
so should be in a header in the driver directory instead.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/Makefile.am | 1 +
src/conf/nwfilter_conf.h | 86 ----------------------
src/nwfilter/nwfilter_dhcpsnoop.h | 2 +
src/nwfilter/nwfilter_ebiptables_driver.h | 2 +
src/nwfilter/nwfilter_gentech_driver.h | 1 +
src/nwfilter/nwfilter_learnipaddr.h | 1 +
src/nwfilter/nwfilter_tech_driver.h | 115 ++++++++++++++++++++++++++++++
7 files changed, 122 insertions(+), 86 deletions(-)
create mode 100644 src/nwfilter/nwfilter_tech_driver.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 21d56fc..7e9a702 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -858,6 +858,7 @@ UTIL_IO_HELPER_SOURCES = \
# Network filters
NWFILTER_DRIVER_SOURCES = \
nwfilter/nwfilter_driver.h nwfilter/nwfilter_driver.c \
+ nwfilter/nwfilter_tech_driver.h \
nwfilter/nwfilter_gentech_driver.c \
nwfilter/nwfilter_gentech_driver.h \
nwfilter/nwfilter_dhcpsnoop.c \
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 071343e..aded4de 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -567,19 +567,6 @@ struct _virNWFilterDriverState {
};
-typedef struct _virNWFilterTechDriver virNWFilterTechDriver;
-typedef virNWFilterTechDriver *virNWFilterTechDriverPtr;
-
-
-typedef struct _virNWFilterRuleInst virNWFilterRuleInst;
-typedef virNWFilterRuleInst *virNWFilterRuleInstPtr;
-struct _virNWFilterRuleInst {
- size_t ndata;
- void **data;
- virNWFilterTechDriverPtr techdriver;
-};
-
-
enum UpdateStep {
STEP_APPLY_NEW,
STEP_TEAR_NEW,
@@ -594,79 +581,6 @@ struct domUpdateCBStruct {
};
-typedef int (*virNWFilterTechDrvInit)(bool privileged);
-typedef void (*virNWFilterTechDrvShutdown)(void);
-
-enum virDomainNetType;
-
-typedef int (*virNWFilterRuleCreateInstance)(enum virDomainNetType nettype,
- virNWFilterDefPtr filter,
- virNWFilterRuleDefPtr rule,
- const char *ifname,
- virNWFilterHashTablePtr vars,
- virNWFilterRuleInstPtr res);
-
-typedef int (*virNWFilterRuleApplyNewRules)(const char *ifname,
- int nruleInstances,
- void **_inst);
-
-typedef int (*virNWFilterRuleTeardownNewRules)(const char *ifname);
-
-typedef int (*virNWFilterRuleTeardownOldRules)(const char *ifname);
-
-typedef int (*virNWFilterRuleRemoveRules)(const char *ifname,
- int nruleInstances,
- void **_inst);
-
-typedef int (*virNWFilterRuleAllTeardown)(const char *ifname);
-
-typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
-
-typedef int (*virNWFilterRuleDisplayInstanceData)(void *_inst);
-
-typedef int (*virNWFilterCanApplyBasicRules)(void);
-
-typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
- const virMacAddr *macaddr);
-
-typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
- const virMacAddr *macaddr,
- virNWFilterVarValuePtr dhcpsrvs,
- bool leaveTemporary);
-
-typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
-
-typedef int (*virNWFilterDropAllRules)(const char *ifname);
-
-enum techDrvFlags {
- TECHDRV_FLAG_INITIALIZED = (1 << 0),
-};
-
-struct _virNWFilterTechDriver {
- const char *name;
- enum techDrvFlags flags;
-
- virNWFilterTechDrvInit init;
- virNWFilterTechDrvShutdown shutdown;
-
- virNWFilterRuleCreateInstance createRuleInstance;
- virNWFilterRuleApplyNewRules applyNewRules;
- virNWFilterRuleTeardownNewRules tearNewRules;
- virNWFilterRuleTeardownOldRules tearOldRules;
- virNWFilterRuleRemoveRules removeRules;
- virNWFilterRuleAllTeardown allTeardown;
- virNWFilterRuleFreeInstanceData freeRuleInstance;
- virNWFilterRuleDisplayInstanceData displayRuleInstance;
-
- virNWFilterCanApplyBasicRules canApplyBasicRules;
- virNWFilterApplyBasicRules applyBasicRules;
- virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
- virNWFilterDropAllRules applyDropAllRules;
- virNWFilterRemoveBasicRules removeBasicRules;
-};
-
-
-
void virNWFilterRuleDefFree(virNWFilterRuleDefPtr def);
void virNWFilterDefFree(virNWFilterDefPtr def);
diff --git a/src/nwfilter/nwfilter_dhcpsnoop.h b/src/nwfilter/nwfilter_dhcpsnoop.h
index c6b45d1..6e73eb3 100644
--- a/src/nwfilter/nwfilter_dhcpsnoop.h
+++ b/src/nwfilter/nwfilter_dhcpsnoop.h
@@ -25,6 +25,8 @@
#ifndef __NWFILTER_DHCPSNOOP_H
# define __NWFILTER_DHCPSNOOP_H
+# include "nwfilter_tech_driver.h"
+
int virNWFilterDHCPSnoopInit(void);
void virNWFilterDHCPSnoopShutdown(void);
int virNWFilterDHCPSnoopReq(virNWFilterTechDriverPtr techdriver,
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.h
b/src/nwfilter/nwfilter_ebiptables_driver.h
index d909abb..8a17452 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.h
+++ b/src/nwfilter/nwfilter_ebiptables_driver.h
@@ -23,6 +23,8 @@
#ifndef VIR_NWFILTER_EBTABLES_DRIVER_H__
# define VIR_NWFILTER_EBTABLES_DRIVER_H__
+# include "nwfilter_tech_driver.h"
+
# define MAX_CHAINNAME_LENGTH 32 /* see linux/netfilter_bridge/ebtables.h */
enum RuleType {
diff --git a/src/nwfilter/nwfilter_gentech_driver.h
b/src/nwfilter/nwfilter_gentech_driver.h
index 52bd1f6..da85508 100644
--- a/src/nwfilter/nwfilter_gentech_driver.h
+++ b/src/nwfilter/nwfilter_gentech_driver.h
@@ -25,6 +25,7 @@
# define __NWFILTER_GENTECH_DRIVER_H
# include "nwfilter_conf.h"
+# include "nwfilter_tech_driver.h"
virNWFilterTechDriverPtr virNWFilterTechDriverForName(const char *name);
diff --git a/src/nwfilter/nwfilter_learnipaddr.h b/src/nwfilter/nwfilter_learnipaddr.h
index 783dc16..0195d10 100644
--- a/src/nwfilter/nwfilter_learnipaddr.h
+++ b/src/nwfilter/nwfilter_learnipaddr.h
@@ -27,6 +27,7 @@
# define __NWFILTER_LEARNIPADDR_H
# include "conf/nwfilter_params.h"
+# include "nwfilter_tech_driver.h"
# include <net/if.h>
enum howDetect {
diff --git a/src/nwfilter/nwfilter_tech_driver.h b/src/nwfilter/nwfilter_tech_driver.h
new file mode 100644
index 0000000..5777757
--- /dev/null
+++ b/src/nwfilter/nwfilter_tech_driver.h
@@ -0,0 +1,115 @@
+/*
+ * nwfilter_tech_driver.h: network filter technology driver interface
+ *
+ * Copyright (C) 2006-2014 Red Hat, Inc.
+ * Copyright (C) 2006-2008 Daniel P. Berrange
+ *
+ * Copyright (C) 2010 IBM Corporation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Author: Stefan Berger <stefanb(a)us.ibm.com>
+ */
+
+#ifndef __NWFILTER_TECH_DRIVER_H__
+# define __NWFILTER_TECH_DRIVER_H__
+
+# include "nwfilter_conf.h"
+
+typedef struct _virNWFilterTechDriver virNWFilterTechDriver;
+typedef virNWFilterTechDriver *virNWFilterTechDriverPtr;
+
+
+typedef struct _virNWFilterRuleInst virNWFilterRuleInst;
+typedef virNWFilterRuleInst *virNWFilterRuleInstPtr;
+struct _virNWFilterRuleInst {
+ size_t ndata;
+ void **data;
+ virNWFilterTechDriverPtr techdriver;
+};
+
+
+typedef int (*virNWFilterTechDrvInit)(bool privileged);
+typedef void (*virNWFilterTechDrvShutdown)(void);
+
+enum virDomainNetType;
+
+typedef int (*virNWFilterRuleCreateInstance)(enum virDomainNetType nettype,
+ virNWFilterDefPtr filter,
+ virNWFilterRuleDefPtr rule,
+ const char *ifname,
+ virNWFilterHashTablePtr vars,
+ virNWFilterRuleInstPtr res);
+
+typedef int (*virNWFilterRuleApplyNewRules)(const char *ifname,
+ int nruleInstances,
+ void **_inst);
+
+typedef int (*virNWFilterRuleTeardownNewRules)(const char *ifname);
+
+typedef int (*virNWFilterRuleTeardownOldRules)(const char *ifname);
+
+typedef int (*virNWFilterRuleRemoveRules)(const char *ifname,
+ int nruleInstances,
+ void **_inst);
+
+typedef int (*virNWFilterRuleAllTeardown)(const char *ifname);
+
+typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
+
+typedef int (*virNWFilterRuleDisplayInstanceData)(void *_inst);
+
+typedef int (*virNWFilterCanApplyBasicRules)(void);
+
+typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
+ const virMacAddr *macaddr);
+
+typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
+ const virMacAddr *macaddr,
+ virNWFilterVarValuePtr dhcpsrvs,
+ bool leaveTemporary);
+
+typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
+
+typedef int (*virNWFilterDropAllRules)(const char *ifname);
+
+enum techDrvFlags {
+ TECHDRV_FLAG_INITIALIZED = (1 << 0),
+};
+
+struct _virNWFilterTechDriver {
+ const char *name;
+ enum techDrvFlags flags;
+
+ virNWFilterTechDrvInit init;
+ virNWFilterTechDrvShutdown shutdown;
+
+ virNWFilterRuleCreateInstance createRuleInstance;
+ virNWFilterRuleApplyNewRules applyNewRules;
+ virNWFilterRuleTeardownNewRules tearNewRules;
+ virNWFilterRuleTeardownOldRules tearOldRules;
+ virNWFilterRuleRemoveRules removeRules;
+ virNWFilterRuleAllTeardown allTeardown;
+ virNWFilterRuleFreeInstanceData freeRuleInstance;
+ virNWFilterRuleDisplayInstanceData displayRuleInstance;
+
+ virNWFilterCanApplyBasicRules canApplyBasicRules;
+ virNWFilterApplyBasicRules applyBasicRules;
+ virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
+ virNWFilterDropAllRules applyDropAllRules;
+ virNWFilterRemoveBasicRules removeBasicRules;
+};
+
+#endif /* __NWFILTER_TECH_DRIVER_H__ */
--
1.9.0
3:49 p.m.
New subject: [libvirt] [PATCH 01/26] Move virNWFilterTechDriver struct out of nwfilter_conf.h
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
The virNWFilterTechDriver struct is nothing todo with the nwfilter
XML configuration. It stores data specific to the driver implementation
so should be in a header in the driver directory instead.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
This patch looks like a straight forward move.
ACK
3:53 p.m.
New subject: [libvirt] [PATCH 01/26] Move virNWFilterTechDriver struct out of nwfilter_conf.h
On 04/08/2014 09:37 AM, Daniel P. Berrange wrote:
The virNWFilterTechDriver struct is nothing todo with the nwfilter
s/todo/to do/
XML configuration. It stores data specific to the driver
implementation
so should be in a header in the driver directory instead.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/Makefile.am | 1 +
src/conf/nwfilter_conf.h | 86 ----------------------
src/nwfilter/nwfilter_dhcpsnoop.h | 2 +
src/nwfilter/nwfilter_ebiptables_driver.h | 2 +
src/nwfilter/nwfilter_gentech_driver.h | 1 +
src/nwfilter/nwfilter_learnipaddr.h | 1 +
src/nwfilter/nwfilter_tech_driver.h | 115 ++++++++++++++++++++++++++++++
7 files changed, 122 insertions(+), 86 deletions(-)
create mode 100644 src/nwfilter/nwfilter_tech_driver.h
+
+enum virDomainNetType;
Do we still need this forward declaration, or now that it is in a
dedicated header can it just include the correct prereq file?
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10:37 a.m.
New subject: [libvirt] [PATCH 02/26] Remove virDomainNetType parameter from nwfilter drivers
The 'virDomainNetType' is unused in every impl of the
virNWFilterRuleCreateInstance driver method. Remove it
from the code to avoid the dependancy on the external
enum.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_dhcpsnoop.c | 6 ------
src/nwfilter/nwfilter_dhcpsnoop.h | 1 -
src/nwfilter/nwfilter_ebiptables_driver.c | 18 +++++++-----------
src/nwfilter/nwfilter_gentech_driver.c | 17 +++--------------
src/nwfilter/nwfilter_gentech_driver.h | 1 -
src/nwfilter/nwfilter_learnipaddr.c | 5 -----
src/nwfilter/nwfilter_learnipaddr.h | 2 --
src/nwfilter/nwfilter_tech_driver.h | 5 +----
8 files changed, 11 insertions(+), 44 deletions(-)
diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
index df46a72..bfd0553 100644
--- a/src/nwfilter/nwfilter_dhcpsnoop.c
+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
@@ -137,7 +137,6 @@ struct _virNWFilterSnoopReq {
char *ifname;
int ifindex;
char *linkdev;
- enum virDomainNetType nettype;
char ifkey[VIR_IFKEY_LEN];
virMacAddr macaddr;
char *filtername;
@@ -493,7 +492,6 @@ virNWFilterSnoopIPLeaseInstallRule(virNWFilterSnoopIPLeasePtr ipl,
req->ifname,
req->ifindex,
req->linkdev,
- req->nettype,
&req->macaddr,
req->filtername,
req->vars);
@@ -879,7 +877,6 @@ virNWFilterSnoopReqLeaseDel(virNWFilterSnoopReqPtr req,
req->ifname,
req->ifindex,
req->linkdev,
- req->nettype,
&req->macaddr,
req->filtername,
req->vars);
@@ -1592,7 +1589,6 @@ int
virNWFilterDHCPSnoopReq(virNWFilterTechDriverPtr techdriver,
const char *ifname,
const char *linkdev,
- enum virDomainNetType nettype,
const unsigned char *vmuuid,
const virMacAddr *macaddr,
const char *filtername,
@@ -1628,7 +1624,6 @@ virNWFilterDHCPSnoopReq(virNWFilterTechDriverPtr techdriver,
req->driver = driver;
req->techdriver = techdriver;
tmp = virNetDevGetIndex(ifname, &req->ifindex);
- req->nettype = nettype;
virMacAddrSet(&req->macaddr, macaddr);
req->vars = virNWFilterHashTableCreate(0);
req->linkdev = NULL;
@@ -2230,7 +2225,6 @@ int
virNWFilterDHCPSnoopReq(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
const char *ifname ATTRIBUTE_UNUSED,
const char *linkdev ATTRIBUTE_UNUSED,
- enum virDomainNetType nettype ATTRIBUTE_UNUSED,
const unsigned char *vmuuid ATTRIBUTE_UNUSED,
const virMacAddr *macaddr ATTRIBUTE_UNUSED,
const char *filtername ATTRIBUTE_UNUSED,
diff --git a/src/nwfilter/nwfilter_dhcpsnoop.h b/src/nwfilter/nwfilter_dhcpsnoop.h
index 6e73eb3..3ef96fa 100644
--- a/src/nwfilter/nwfilter_dhcpsnoop.h
+++ b/src/nwfilter/nwfilter_dhcpsnoop.h
@@ -32,7 +32,6 @@ void virNWFilterDHCPSnoopShutdown(void);
int virNWFilterDHCPSnoopReq(virNWFilterTechDriverPtr techdriver,
const char *ifname,
const char *linkdev,
- enum virDomainNetType nettype,
const unsigned char *vmuuid,
const virMacAddr *macaddr,
const char *filtername,
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index ce0b7e3..4365c1f 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2649,8 +2649,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
* pointed to by res, -1 otherwise
*/
static int
-ebiptablesCreateRuleInstance(enum virDomainNetType nettype ATTRIBUTE_UNUSED,
- virNWFilterDefPtr nwfilter,
+ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterVarCombIterPtr vars,
@@ -2740,13 +2739,11 @@ ebiptablesCreateRuleInstance(enum virDomainNetType nettype
ATTRIBUTE_UNUSED,
}
static int
-ebiptablesCreateRuleInstanceIterate(
- enum virDomainNetType nettype ATTRIBUTE_UNUSED,
- virNWFilterDefPtr nwfilter,
- virNWFilterRuleDefPtr rule,
- const char *ifname,
- virNWFilterHashTablePtr vars,
- virNWFilterRuleInstPtr res)
+ebiptablesCreateRuleInstanceIterate(virNWFilterDefPtr nwfilter,
+ virNWFilterRuleDefPtr rule,
+ const char *ifname,
+ virNWFilterHashTablePtr vars,
+ virNWFilterRuleInstPtr res)
{
int rc = 0;
virNWFilterVarCombIterPtr vciter, tmp;
@@ -2761,8 +2758,7 @@ ebiptablesCreateRuleInstanceIterate(
return -1;
do {
- rc = ebiptablesCreateRuleInstance(nettype,
- nwfilter,
+ rc = ebiptablesCreateRuleInstance(nwfilter,
rule,
ifname,
tmp,
diff --git a/src/nwfilter/nwfilter_gentech_driver.c
b/src/nwfilter/nwfilter_gentech_driver.c
index 1ce5e70..82ff628 100644
--- a/src/nwfilter/nwfilter_gentech_driver.c
+++ b/src/nwfilter/nwfilter_gentech_driver.c
@@ -289,7 +289,6 @@ virNWFilterPrintVars(virHashTablePtr vars,
*/
static virNWFilterRuleInstPtr
virNWFilterRuleInstantiate(virNWFilterTechDriverPtr techdriver,
- enum virDomainNetType nettype,
virNWFilterDefPtr filter,
virNWFilterRuleDefPtr rule,
const char *ifname,
@@ -304,7 +303,7 @@ virNWFilterRuleInstantiate(virNWFilterTechDriverPtr techdriver,
ret->techdriver = techdriver;
- rc = techdriver->createRuleInstance(nettype, filter,
+ rc = techdriver->createRuleInstance(filter,
rule, ifname, vars, ret);
if (rc) {
@@ -376,7 +375,6 @@ virNWFilterCreateVarsFrom(virNWFilterHashTablePtr vars1,
*/
static int
_virNWFilterInstantiateRec(virNWFilterTechDriverPtr techdriver,
- enum virDomainNetType nettype,
virNWFilterDefPtr filter,
const char *ifname,
virNWFilterHashTablePtr vars,
@@ -396,7 +394,6 @@ _virNWFilterInstantiateRec(virNWFilterTechDriverPtr techdriver,
virNWFilterIncludeDefPtr inc = filter->filterEntries[i]->include;
if (rule) {
inst = virNWFilterRuleInstantiate(techdriver,
- nettype,
filter,
rule,
ifname,
@@ -449,7 +446,6 @@ _virNWFilterInstantiateRec(virNWFilterTechDriverPtr techdriver,
}
rc = _virNWFilterInstantiateRec(techdriver,
- nettype,
next_filter,
ifname,
tmpvars,
@@ -634,7 +630,6 @@ virNWFilterRuleInstancesToArray(int nEntries,
static int
virNWFilterInstantiate(const unsigned char *vmuuid ATTRIBUTE_UNUSED,
virNWFilterTechDriverPtr techdriver,
- enum virDomainNetType nettype,
virNWFilterDefPtr filter,
const char *ifname,
int ifindex,
@@ -690,7 +685,7 @@ virNWFilterInstantiate(const unsigned char *vmuuid ATTRIBUTE_UNUSED,
}
if (STRCASEEQ(learning, "dhcp")) {
rc = virNWFilterDHCPSnoopReq(techdriver, ifname, linkdev,
- nettype, vmuuid, macaddr,
+ vmuuid, macaddr,
filter->name, vars, driver);
goto err_exit;
} else if (STRCASEEQ(learning, "any")) {
@@ -699,7 +694,7 @@ virNWFilterInstantiate(const unsigned char *vmuuid ATTRIBUTE_UNUSED,
ifname,
ifindex,
linkdev,
- nettype, macaddr,
+ macaddr,
filter->name,
vars, driver,
DETECT_DHCP|DETECT_STATIC);
@@ -723,7 +718,6 @@ virNWFilterInstantiate(const unsigned char *vmuuid ATTRIBUTE_UNUSED,
}
rc = _virNWFilterInstantiateRec(techdriver,
- nettype,
filter,
ifname,
vars,
@@ -805,7 +799,6 @@ __virNWFilterInstantiateFilter(virNWFilterDriverStatePtr driver,
const char *ifname,
int ifindex,
const char *linkdev,
- enum virDomainNetType nettype,
const virMacAddr *macaddr,
const char *filtername,
virNWFilterHashTablePtr filterparams,
@@ -892,7 +885,6 @@ __virNWFilterInstantiateFilter(virNWFilterDriverStatePtr driver,
rc = virNWFilterInstantiate(vmuuid,
techdriver,
- nettype,
filter,
ifname,
ifindex,
@@ -953,7 +945,6 @@ _virNWFilterInstantiateFilter(virNWFilterDriverStatePtr driver,
net->ifname,
ifindex,
linkdev,
- net->type,
&net->mac,
net->filter,
net->filterparams,
@@ -974,7 +965,6 @@ virNWFilterInstantiateFilterLate(virNWFilterDriverStatePtr driver,
const char *ifname,
int ifindex,
const char *linkdev,
- enum virDomainNetType nettype,
const virMacAddr *macaddr,
const char *filtername,
virNWFilterHashTablePtr filterparams)
@@ -991,7 +981,6 @@ virNWFilterInstantiateFilterLate(virNWFilterDriverStatePtr driver,
ifname,
ifindex,
linkdev,
- nettype,
macaddr,
filtername,
filterparams,
diff --git a/src/nwfilter/nwfilter_gentech_driver.h
b/src/nwfilter/nwfilter_gentech_driver.h
index da85508..8349ab4 100644
--- a/src/nwfilter/nwfilter_gentech_driver.h
+++ b/src/nwfilter/nwfilter_gentech_driver.h
@@ -51,7 +51,6 @@ int virNWFilterInstantiateFilterLate(virNWFilterDriverStatePtr driver,
const char *ifname,
int ifindex,
const char *linkdev,
- enum virDomainNetType nettype,
const virMacAddr *macaddr,
const char *filtername,
virNWFilterHashTablePtr filterparams);
diff --git a/src/nwfilter/nwfilter_learnipaddr.c b/src/nwfilter/nwfilter_learnipaddr.c
index a6cdc87..4cea9cf 100644
--- a/src/nwfilter/nwfilter_learnipaddr.c
+++ b/src/nwfilter/nwfilter_learnipaddr.c
@@ -622,7 +622,6 @@ learnIPAddressThread(void *arg)
req->ifname,
req->ifindex,
req->linkdev,
- req->nettype,
&req->macaddr,
req->filtername,
req->filterparams);
@@ -661,7 +660,6 @@ learnIPAddressThread(void *arg)
* @ifindex: the index of the interface
* @linkdev : the name of the link device; currently only used in case of a
* macvtap device
- * @nettype : the type of interface
* @macaddr : the MAC address of the interface
* @filtername : the name of the top-level filter to apply to the interface
* once its IP address has been detected
@@ -681,7 +679,6 @@ virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
const char *ifname,
int ifindex,
const char *linkdev,
- enum virDomainNetType nettype,
const virMacAddr *macaddr,
const char *filtername,
virNWFilterHashTablePtr filterparams,
@@ -733,7 +730,6 @@ virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
}
req->ifindex = ifindex;
- req->nettype = nettype;
virMacAddrSet(&req->macaddr, macaddr);
req->driver = driver;
req->filterparams = ht;
@@ -771,7 +767,6 @@ virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver
ATTRIBUTE_UNUSED,
const char *ifname ATTRIBUTE_UNUSED,
int ifindex ATTRIBUTE_UNUSED,
const char *linkdev ATTRIBUTE_UNUSED,
- enum virDomainNetType nettype ATTRIBUTE_UNUSED,
const virMacAddr *macaddr ATTRIBUTE_UNUSED,
const char *filtername ATTRIBUTE_UNUSED,
virNWFilterHashTablePtr filterparams ATTRIBUTE_UNUSED,
diff --git a/src/nwfilter/nwfilter_learnipaddr.h b/src/nwfilter/nwfilter_learnipaddr.h
index 0195d10..1cc881a 100644
--- a/src/nwfilter/nwfilter_learnipaddr.h
+++ b/src/nwfilter/nwfilter_learnipaddr.h
@@ -42,7 +42,6 @@ struct _virNWFilterIPAddrLearnReq {
char ifname[IF_NAMESIZE];
int ifindex;
char linkdev[IF_NAMESIZE];
- enum virDomainNetType nettype;
virMacAddr macaddr;
char *filtername;
virNWFilterHashTablePtr filterparams;
@@ -58,7 +57,6 @@ int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
const char *ifname,
int ifindex,
const char *linkdev,
- enum virDomainNetType nettype,
const virMacAddr *macaddr,
const char *filtername,
virNWFilterHashTablePtr filterparams,
diff --git a/src/nwfilter/nwfilter_tech_driver.h b/src/nwfilter/nwfilter_tech_driver.h
index 5777757..03588e2 100644
--- a/src/nwfilter/nwfilter_tech_driver.h
+++ b/src/nwfilter/nwfilter_tech_driver.h
@@ -44,10 +44,7 @@ struct _virNWFilterRuleInst {
typedef int (*virNWFilterTechDrvInit)(bool privileged);
typedef void (*virNWFilterTechDrvShutdown)(void);
-enum virDomainNetType;
-
-typedef int (*virNWFilterRuleCreateInstance)(enum virDomainNetType nettype,
- virNWFilterDefPtr filter,
+typedef int (*virNWFilterRuleCreateInstance)(virNWFilterDefPtr filter,
virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterHashTablePtr vars,
--
1.9.0
3:50 p.m.
New subject: [libvirt] [PATCH 02/26] Remove virDomainNetType parameter from nwfilter drivers
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
The 'virDomainNetType' is unused in every impl of the
virNWFilterRuleCreateInstance driver method. Remove it
from the code to avoid the dependancy on the external
enum.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
I suppose this compiles without problems.
ACK
3:54 p.m.
New subject: [libvirt] [PATCH 02/26] Remove virDomainNetType parameter from nwfilter drivers
On 04/08/2014 09:37 AM, Daniel P. Berrange wrote:
The 'virDomainNetType' is unused in every impl of the
virNWFilterRuleCreateInstance driver method. Remove it
from the code to avoid the dependancy on the external
enum.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
+++ b/src/nwfilter/nwfilter_tech_driver.h
@@ -44,10 +44,7 @@ struct _virNWFilterRuleInst {
typedef int (*virNWFilterTechDrvInit)(bool privileged);
typedef void (*virNWFilterTechDrvShutdown)(void);
-enum virDomainNetType;
-
Ah, this answers my question from 1/26 :)
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10:37 a.m.
New subject: [libvirt] [PATCH 03/26] Remove pointless storage of var names in virNWFilterHashTable
The virNWFilterHashTable struct contains a virHashTable and
then a 'char **names' field which keeps a copy of all the
hash keys. Presumably this was intended to record the ordering
of the hash keys. No code ever uses this and the ordering is
mangled whenever a variable is removed from the hash, because
the last element in the list is copied into the middle of the
list when shrinking the arra.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/conf/nwfilter_ipaddrmap.c | 2 +-
src/conf/nwfilter_params.c | 48 +++++-----------------------------
src/conf/nwfilter_params.h | 6 +----
src/nwfilter/nwfilter_gentech_driver.c | 2 +-
4 files changed, 9 insertions(+), 49 deletions(-)
diff --git a/src/conf/nwfilter_ipaddrmap.c b/src/conf/nwfilter_ipaddrmap.c
index 4bb6775..446f3de 100644
--- a/src/conf/nwfilter_ipaddrmap.c
+++ b/src/conf/nwfilter_ipaddrmap.c
@@ -60,7 +60,7 @@ virNWFilterIPAddrMapAddIPAddr(const char *ifname, char *addr)
val = virNWFilterVarValueCreateSimple(addr);
if (!val)
goto cleanup;
- ret = virNWFilterHashTablePut(ipAddressMap, ifname, val, 1);
+ ret = virNWFilterHashTablePut(ipAddressMap, ifname, val);
goto cleanup;
} else {
if (virNWFilterVarValueAddValue(val, addr) < 0)
diff --git a/src/conf/nwfilter_params.c b/src/conf/nwfilter_params.c
index 3e85bc1..7655033 100644
--- a/src/conf/nwfilter_params.c
+++ b/src/conf/nwfilter_params.c
@@ -631,33 +631,14 @@ hashDataFree(void *payload, const void *name ATTRIBUTE_UNUSED)
int
virNWFilterHashTablePut(virNWFilterHashTablePtr table,
const char *name,
- virNWFilterVarValuePtr val,
- int copyName)
+ virNWFilterVarValuePtr val)
{
if (!virHashLookup(table->hashTable, name)) {
- char *newName;
- if (copyName) {
- if (VIR_STRDUP(newName, name) < 0)
- return -1;
-
- if (VIR_APPEND_ELEMENT_COPY(table->names,
- table->nNames, newName) < 0) {
- VIR_FREE(newName);
- return -1;
- }
- }
-
- if (virHashAddEntry(table->hashTable, name, val) < 0) {
- if (copyName) {
- VIR_FREE(newName);
- table->nNames--;
- }
+ if (virHashAddEntry(table->hashTable, name, val) < 0)
return -1;
- }
} else {
- if (virHashUpdateEntry(table->hashTable, name, val) < 0) {
+ if (virHashUpdateEntry(table->hashTable, name, val) < 0)
return -1;
- }
}
return 0;
}
@@ -675,14 +656,10 @@ virNWFilterHashTablePut(virNWFilterHashTablePtr table,
void
virNWFilterHashTableFree(virNWFilterHashTablePtr table)
{
- size_t i;
if (!table)
return;
virHashFree(table->hashTable);
- for (i = 0; i < table->nNames; i++)
- VIR_FREE(table->names[i]);
- VIR_FREE(table->names);
VIR_FREE(table);
}
@@ -707,20 +684,7 @@ void *
virNWFilterHashTableRemoveEntry(virNWFilterHashTablePtr ht,
const char *entry)
{
- size_t i;
- void *value = virHashSteal(ht->hashTable, entry);
-
- if (value) {
- for (i = 0; i < ht->nNames; i++) {
- if (STREQ(ht->names[i], entry)) {
- VIR_FREE(ht->names[i]);
- ht->names[i] = ht->names[--ht->nNames];
- ht->names[ht->nNames] = NULL;
- break;
- }
- }
- }
- return value;
+ return virHashSteal(ht->hashTable, entry);
}
@@ -745,7 +709,7 @@ addToTable(void *payload, const void *name, void *data)
return;
}
- if (virNWFilterHashTablePut(atts->target, (const char *)name, val, 1) < 0){
+ if (virNWFilterHashTablePut(atts->target, (const char *)name, val) < 0){
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Could not put variable '%s' into hashmap"),
(const char *)name);
@@ -850,7 +814,7 @@ virNWFilterParseParamAttributes(xmlNodePtr cur)
value = virNWFilterParseVarValue(val);
if (!value)
goto skip_entry;
- if (virNWFilterHashTablePut(table, nam, value, 1) < 0)
+ if (virNWFilterHashTablePut(table, nam, value) < 0)
goto err_exit;
}
value = NULL;
diff --git a/src/conf/nwfilter_params.h b/src/conf/nwfilter_params.h
index 5e9777b..f9efc42 100644
--- a/src/conf/nwfilter_params.h
+++ b/src/conf/nwfilter_params.h
@@ -66,9 +66,6 @@ typedef struct _virNWFilterHashTable virNWFilterHashTable;
typedef virNWFilterHashTable *virNWFilterHashTablePtr;
struct _virNWFilterHashTable {
virHashTablePtr hashTable;
-
- size_t nNames;
- char **names;
};
@@ -81,8 +78,7 @@ virNWFilterHashTablePtr virNWFilterHashTableCreate(int n);
void virNWFilterHashTableFree(virNWFilterHashTablePtr table);
int virNWFilterHashTablePut(virNWFilterHashTablePtr table,
const char *name,
- virNWFilterVarValuePtr val,
- int freeName);
+ virNWFilterVarValuePtr val);
void *virNWFilterHashTableRemoveEntry(virNWFilterHashTablePtr table,
const char *name);
int virNWFilterHashTablePutAll(virNWFilterHashTablePtr src,
diff --git a/src/nwfilter/nwfilter_gentech_driver.c
b/src/nwfilter/nwfilter_gentech_driver.c
index 82ff628..d482f43 100644
--- a/src/nwfilter/nwfilter_gentech_driver.c
+++ b/src/nwfilter/nwfilter_gentech_driver.c
@@ -512,7 +512,7 @@ virNWFilterDetermineMissingVarsRec(virNWFilterDefPtr filter,
varAccess = virBufferContentAndReset(&buf);
virNWFilterHashTablePut(missing_vars, varAccess,
- val, 1);
+ val);
VIR_FREE(varAccess);
}
}
--
1.9.0
4:07 p.m.
New subject: [libvirt] [PATCH 03/26] Remove pointless storage of var names in virNWFilterHashTable
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
The virNWFilterHashTable struct contains a virHashTable and
then a 'char **names' field which keeps a copy of all the
hash keys. Presumably this was intended to record the ordering
of the hash keys. No code ever uses this and the ordering is
mangled whenever a variable is removed from the hash, because
the last element in the list is copied into the middle of the
list when shrinking the arra.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
4:24 p.m.
New subject: [libvirt] [PATCH 03/26] Remove pointless storage of var names in virNWFilterHashTable
On 04/08/2014 09:37 AM, Daniel P. Berrange wrote:
The virNWFilterHashTable struct contains a virHashTable and
then a 'char **names' field which keeps a copy of all the
hash keys. Presumably this was intended to record the ordering
of the hash keys. No code ever uses this and the ordering is
mangled whenever a variable is removed from the hash, because
the last element in the list is copied into the middle of the
list when shrinking the arra.
s/arra/array/
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10:37 a.m.
New subject: [libvirt] [PATCH 04/26] Remove nwfilter tech driver 'removeRules' callback
The 'removeRules' callback in the nwfilter tech driver is never
invoked, so can be deleted.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 40 -------------------------------
src/nwfilter/nwfilter_tech_driver.h | 5 ----
2 files changed, 45 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 4365c1f..1dabe52 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -4046,45 +4046,6 @@ ebiptablesTearOldRules(const char *ifname)
/**
- * ebiptablesRemoveRules:
- * @ifname : the name of the interface to which the rules apply
- * @nRuleInstance : the number of given rules
- * @_inst : array of rule instantiation data
- *
- * Remove all rules one after the other
- *
- * Return 0 on success, -1 if execution of one or more cleanup
- * commands failed.
- */
-static int
-ebiptablesRemoveRules(const char *ifname ATTRIBUTE_UNUSED,
- int nruleInstances,
- void **_inst)
-{
- int rc = -1;
- size_t i;
- virBuffer buf = VIR_BUFFER_INITIALIZER;
- ebiptablesRuleInstPtr *inst = (ebiptablesRuleInstPtr *)_inst;
-
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
-
- for (i = 0; i < nruleInstances; i++)
- ebiptablesInstCommand(&buf,
- inst[i]->commandTemplate,
- 'D', -1,
- false);
-
- if (ebiptablesExecCLI(&buf, true, NULL) < 0)
- goto cleanup;
-
- rc = 0;
-
- cleanup:
- return rc;
-}
-
-
-/**
* ebiptablesAllTeardown:
* @ifname : the name of the interface to which the rules apply
*
@@ -4143,7 +4104,6 @@ virNWFilterTechDriver ebiptables_driver = {
.tearNewRules = ebiptablesTearNewRules,
.tearOldRules = ebiptablesTearOldRules,
.allTeardown = ebiptablesAllTeardown,
- .removeRules = ebiptablesRemoveRules,
.freeRuleInstance = ebiptablesFreeRuleInstance,
.displayRuleInstance = ebiptablesDisplayRuleInstance,
diff --git a/src/nwfilter/nwfilter_tech_driver.h b/src/nwfilter/nwfilter_tech_driver.h
index 03588e2..d1c85b4 100644
--- a/src/nwfilter/nwfilter_tech_driver.h
+++ b/src/nwfilter/nwfilter_tech_driver.h
@@ -58,10 +58,6 @@ typedef int (*virNWFilterRuleTeardownNewRules)(const char *ifname);
typedef int (*virNWFilterRuleTeardownOldRules)(const char *ifname);
-typedef int (*virNWFilterRuleRemoveRules)(const char *ifname,
- int nruleInstances,
- void **_inst);
-
typedef int (*virNWFilterRuleAllTeardown)(const char *ifname);
typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
@@ -97,7 +93,6 @@ struct _virNWFilterTechDriver {
virNWFilterRuleApplyNewRules applyNewRules;
virNWFilterRuleTeardownNewRules tearNewRules;
virNWFilterRuleTeardownOldRules tearOldRules;
- virNWFilterRuleRemoveRules removeRules;
virNWFilterRuleAllTeardown allTeardown;
virNWFilterRuleFreeInstanceData freeRuleInstance;
virNWFilterRuleDisplayInstanceData displayRuleInstance;
--
1.9.0
4:07 p.m.
New subject: [libvirt] [PATCH 04/26] Remove nwfilter tech driver 'removeRules' callback
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
The 'removeRules' callback in the nwfilter tech driver is
never
invoked, so can be deleted.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
10:37 a.m.
New subject: [libvirt] [PATCH 05/26] Remove nwfilter tech driver 'displayRuleInstance' callback
The 'displayRuleInstance' callback in the nwfilter tech driver
is never invoked, so can be deleted.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 12 ------------
src/nwfilter/nwfilter_tech_driver.h | 3 ---
2 files changed, 15 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 1dabe52..0885bb1 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2781,17 +2781,6 @@ ebiptablesFreeRuleInstance(void *_inst)
}
-static int
-ebiptablesDisplayRuleInstance(void *_inst)
-{
- ebiptablesRuleInstPtr inst = (ebiptablesRuleInstPtr)_inst;
- VIR_INFO("Command Template: '%s', Needed protocol: '%s'",
- inst->commandTemplate,
- inst->neededProtocolChain);
- return 0;
-}
-
-
/**
* ebiptablesExecCLI:
* @buf: pointer to virBuffer containing the string with the commands to
@@ -4105,7 +4094,6 @@ virNWFilterTechDriver ebiptables_driver = {
.tearOldRules = ebiptablesTearOldRules,
.allTeardown = ebiptablesAllTeardown,
.freeRuleInstance = ebiptablesFreeRuleInstance,
- .displayRuleInstance = ebiptablesDisplayRuleInstance,
.canApplyBasicRules = ebiptablesCanApplyBasicRules,
.applyBasicRules = ebtablesApplyBasicRules,
diff --git a/src/nwfilter/nwfilter_tech_driver.h b/src/nwfilter/nwfilter_tech_driver.h
index d1c85b4..ed09a67 100644
--- a/src/nwfilter/nwfilter_tech_driver.h
+++ b/src/nwfilter/nwfilter_tech_driver.h
@@ -62,8 +62,6 @@ typedef int (*virNWFilterRuleAllTeardown)(const char *ifname);
typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
-typedef int (*virNWFilterRuleDisplayInstanceData)(void *_inst);
-
typedef int (*virNWFilterCanApplyBasicRules)(void);
typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
@@ -95,7 +93,6 @@ struct _virNWFilterTechDriver {
virNWFilterRuleTeardownOldRules tearOldRules;
virNWFilterRuleAllTeardown allTeardown;
virNWFilterRuleFreeInstanceData freeRuleInstance;
- virNWFilterRuleDisplayInstanceData displayRuleInstance;
virNWFilterCanApplyBasicRules canApplyBasicRules;
virNWFilterApplyBasicRules applyBasicRules;
--
1.9.0
4:08 p.m.
New subject: [libvirt] [PATCH 05/26] Remove nwfilter tech driver 'displayRuleInstance' callback
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
The 'displayRuleInstance' callback in the nwfilter tech
driver
is never invoked, so can be deleted.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
10:37 a.m.
New subject: [libvirt] [PATCH 06/26] Add helper methods for determining what protocol layer is used
Add virNWFilterRuleIsProtocol{Ethernet,IPv4,IPv6} helper methods
to avoid having to write a giant switch statements with many cases.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/conf/nwfilter_conf.c | 27 ++++++++++++++
src/conf/nwfilter_conf.h | 14 ++++++++
src/libvirt_private.syms | 3 ++
src/nwfilter/nwfilter_ebiptables_driver.c | 58 +++++++------------------------
4 files changed, 56 insertions(+), 46 deletions(-)
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index f5a75e4..968e045 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -3484,3 +3484,30 @@ void virNWFilterObjUnlock(virNWFilterObjPtr obj)
{
virMutexUnlock(&obj->lock);
}
+
+
+bool virNWFilterRuleIsProtocolIPv4(virNWFilterRuleDefPtr rule)
+{
+ if (rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_TCP &&
+ rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_ALL)
+ return true;
+ return false;
+}
+
+
+bool virNWFilterRuleIsProtocolIPv6(virNWFilterRuleDefPtr rule)
+{
+ if (rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6 &&
+ rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6)
+ return true;
+ return false;
+}
+
+
+bool virNWFilterRuleIsProtocolEthernet(virNWFilterRuleDefPtr rule)
+{
+ if (rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_NONE &&
+ rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_IPV6)
+ return true;
+ return false;
+}
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index aded4de..9f9deab 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -373,7 +373,13 @@ enum virNWFilterChainPolicyType {
VIR_NWFILTER_CHAIN_POLICY_LAST,
};
+
+/*
+ * If adding protocols be sure to update the
+ * virNWFilterRuleIsProtocolXXXX function impls
+ */
enum virNWFilterRuleProtocolType {
+ /* Ethernet layer protocols */
VIR_NWFILTER_RULE_PROTOCOL_NONE = 0,
VIR_NWFILTER_RULE_PROTOCOL_MAC,
VIR_NWFILTER_RULE_PROTOCOL_VLAN,
@@ -382,6 +388,8 @@ enum virNWFilterRuleProtocolType {
VIR_NWFILTER_RULE_PROTOCOL_RARP,
VIR_NWFILTER_RULE_PROTOCOL_IP,
VIR_NWFILTER_RULE_PROTOCOL_IPV6,
+
+ /* IPv4 layer protocols */
VIR_NWFILTER_RULE_PROTOCOL_TCP,
VIR_NWFILTER_RULE_PROTOCOL_ICMP,
VIR_NWFILTER_RULE_PROTOCOL_IGMP,
@@ -391,6 +399,8 @@ enum virNWFilterRuleProtocolType {
VIR_NWFILTER_RULE_PROTOCOL_AH,
VIR_NWFILTER_RULE_PROTOCOL_SCTP,
VIR_NWFILTER_RULE_PROTOCOL_ALL,
+
+ /* IPv6 layer protocols */
VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6,
VIR_NWFILTER_RULE_PROTOCOL_ICMPV6,
VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6,
@@ -667,6 +677,10 @@ void virNWFilterPrintTCPFlags(virBufferPtr buf, uint8_t mask,
char sep, uint8_t flags);
+bool virNWFilterRuleIsProtocolIPv4(virNWFilterRuleDefPtr rule);
+bool virNWFilterRuleIsProtocolIPv6(virNWFilterRuleDefPtr rule);
+bool virNWFilterRuleIsProtocolEthernet(virNWFilterRuleDefPtr rule);
+
VIR_ENUM_DECL(virNWFilterRuleAction);
VIR_ENUM_DECL(virNWFilterRuleDirection);
VIR_ENUM_DECL(virNWFilterRuleProtocol);
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 55aa586..0c2cf75 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -597,6 +597,9 @@ virNWFilterReadLockFilterUpdates;
virNWFilterRegisterCallbackDriver;
virNWFilterRuleActionTypeToString;
virNWFilterRuleDirectionTypeToString;
+virNWFilterRuleIsProtocolEthernet;
+virNWFilterRuleIsProtocolIPv4;
+virNWFilterRuleIsProtocolIPv6;
virNWFilterRuleProtocolTypeToString;
virNWFilterTestUnassignDef;
virNWFilterUnlockFilterUpdates;
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 0885bb1..410f0e1 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2656,18 +2656,8 @@ ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
virNWFilterRuleInstPtr res)
{
int rc = 0;
- bool isIPv6;
-
- switch (rule->prtclType) {
- case VIR_NWFILTER_RULE_PROTOCOL_IP:
- case VIR_NWFILTER_RULE_PROTOCOL_MAC:
- case VIR_NWFILTER_RULE_PROTOCOL_VLAN:
- case VIR_NWFILTER_RULE_PROTOCOL_STP:
- case VIR_NWFILTER_RULE_PROTOCOL_ARP:
- case VIR_NWFILTER_RULE_PROTOCOL_RARP:
- case VIR_NWFILTER_RULE_PROTOCOL_NONE:
- case VIR_NWFILTER_RULE_PROTOCOL_IPV6:
+ if (virNWFilterRuleIsProtocolEthernet(rule)) {
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
rc = ebtablesCreateRuleInstance(CHAINPREFIX_HOST_IN_TEMP,
@@ -2691,48 +2681,24 @@ ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
res,
false);
}
- break;
-
- case VIR_NWFILTER_RULE_PROTOCOL_TCP:
- case VIR_NWFILTER_RULE_PROTOCOL_UDP:
- case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
- case VIR_NWFILTER_RULE_PROTOCOL_ESP:
- case VIR_NWFILTER_RULE_PROTOCOL_AH:
- case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
- case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
- case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
- case VIR_NWFILTER_RULE_PROTOCOL_ALL:
- isIPv6 = false;
- rc = iptablesCreateRuleInstance(nwfilter,
- rule,
- ifname,
- vars,
- res,
- isIPv6);
- break;
+ } else {
+ bool isIPv6;
+ if (virNWFilterRuleIsProtocolIPv6(rule)) {
+ isIPv6 = true;
+ } else if (virNWFilterRuleIsProtocolIPv4(rule)) {
+ isIPv6 = false;
+ } else {
+ virReportError(VIR_ERR_OPERATION_FAILED,
+ "%s", _("unexpected protocol type"));
+ return -1;
+ }
- case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
- case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6:
- case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6:
- case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6:
- case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6:
- case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
- case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
- case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
- isIPv6 = true;
rc = iptablesCreateRuleInstance(nwfilter,
rule,
ifname,
vars,
res,
isIPv6);
- break;
-
- case VIR_NWFILTER_RULE_PROTOCOL_LAST:
- virReportError(VIR_ERR_OPERATION_FAILED,
- "%s", _("illegal protocol type"));
- rc = -1;
- break;
}
return rc;
--
1.9.0
4:11 p.m.
New subject: [libvirt] [PATCH 06/26] Add helper methods for determining what protocol layer is used
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
Add virNWFilterRuleIsProtocol{Ethernet,IPv4,IPv6} helper methods
to avoid having to write a giant switch statements with many cases.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
9:06 a.m.
New subject: [libvirt] [PATCH 06/26] Add helper methods for determining what protocol layer is used
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
+bool virNWFilterRuleIsProtocolEthernet(virNWFilterRuleDefPtr rule)
+{
+ if (rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_NONE &&
+ rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_IPV6)
+ return true;
+ return false;
+}
I get a compilation error here. For me this code here works:
if (/* rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_NONE && */
rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_IPV6)
return true;
Stefan
9:30 a.m.
New subject: [libvirt] [PATCH 06/26] Add helper methods for determining what protocol layer is used
On Tue, Apr 15, 2014 at 10:06:22AM -0400, Stefan Berger wrote:
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>+bool virNWFilterRuleIsProtocolEthernet(virNWFilterRuleDefPtr rule)
>+{
>+ if (rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_NONE &&
>+ rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_IPV6)
>+ return true;
>+ return false;
>+}
I get a compilation error here. For me this code here works:
if (/* rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_NONE && */
rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_IPV6)
return true;
What is the actual error you get ?
That constant exists in the header files
$ git grep RULE_PROTOCOL_NONE src/conf/nwfilter_conf.h
src/conf/nwfilter_conf.h: VIR_NWFILTER_RULE_PROTOCOL_NONE = 0,
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
11:05 a.m.
New subject: [libvirt] [PATCH 06/26] Add helper methods for determining what protocol layer is used
On 04/15/2014 10:30 AM, Daniel P. Berrange wrote:
On Tue, Apr 15, 2014 at 10:06:22AM -0400, Stefan Berger wrote:
> On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>> +bool virNWFilterRuleIsProtocolEthernet(virNWFilterRuleDefPtr rule)
>> +{
>> + if (rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_NONE &&
>> + rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_IPV6)
>> + return true;
>> + return false;
>> +}
> I get a compilation error here. For me this code here works:
>
> if (/* rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_NONE && */
> rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_IPV6)
> return true;
What is the actual error you get ?
That constant exists in the header files
$ git grep RULE_PROTOCOL_NONE src/conf/nwfilter_conf.h
src/conf/nwfilter_conf.h: VIR_NWFILTER_RULE_PROTOCOL_NONE = 0,
Related to evaluation of >= 0 on unsigned int always being true.
Stefan
4:03 a.m.
New subject: [libvirt] [PATCH 06/26] Add helper methods for determining what protocol layer is used
On Tue, Apr 15, 2014 at 12:05:46PM -0400, Stefan Berger wrote:
On 04/15/2014 10:30 AM, Daniel P. Berrange wrote:
>On Tue, Apr 15, 2014 at 10:06:22AM -0400, Stefan Berger wrote:
>>On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>>>+bool virNWFilterRuleIsProtocolEthernet(virNWFilterRuleDefPtr rule)
>>>+{
>>>+ if (rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_NONE &&
>>>+ rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_IPV6)
>>>+ return true;
>>>+ return false;
>>>+}
>>I get a compilation error here. For me this code here works:
>>
>> if (/* rule->prtclType >= VIR_NWFILTER_RULE_PROTOCOL_NONE &&
*/
>> rule->prtclType <= VIR_NWFILTER_RULE_PROTOCOL_IPV6)
>> return true;
>What is the actual error you get ?
>
>That constant exists in the header files
>
>$ git grep RULE_PROTOCOL_NONE src/conf/nwfilter_conf.h
>src/conf/nwfilter_conf.h: VIR_NWFILTER_RULE_PROTOCOL_NONE = 0,
Related to evaluation of >= 0 on unsigned int always being true.
Ah, ok, must be a gcc version warning difference. That makes sense
to change
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:37 a.m.
New subject: [libvirt] [PATCH 07/26] Push virNWFilterRuleInstPtr out of (eb|ip)tablesCreateRuleInstance
Later refactoring will change use of the virNWFilterRuleInstPtr struct.
Prepare for this by pushing use of the virNWFilterRuleInstPtr parameter
out of the ebtablesCreateRuleInstance and iptablesCreateRuleInstance
methods. Instead they simply string(s) with the constructed rule data.
The ebiptablesCreateRuleInstance method will make use of the
virNWFilterRuleInstPtr struct instead.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 209 ++++++++++++++++++------------
1 file changed, 125 insertions(+), 84 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 410f0e1..5c876cc 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1277,17 +1277,17 @@ iptablesEnforceDirection(bool directionIn,
/*
* _iptablesCreateRuleInstance:
* @chainPrefix : The prefix to put in front of the name of the chain
- * @nwfilter : The filter
* @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve
- * @res : The data structure to store the result(s) into
* @match : optional string for state match
* @accept_target : where to jump to on accepted traffic, i.e., "RETURN"
* "ACCEPT"
* @isIPv6 : Whether this is an IPv6 rule
* @maySkipICMP : whether this rule may under certain circumstances skip
* the ICMP rule from being created
+ * @templates: pointer to array to store rule template
+ * @ntemplates: pointer to storage rule template count
*
* Convert a single rule into its representation for later instantiation
*
@@ -1297,15 +1297,15 @@ iptablesEnforceDirection(bool directionIn,
static int
_iptablesCreateRuleInstance(bool directionIn,
const char *chainPrefix,
- virNWFilterDefPtr nwfilter,
virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterVarCombIterPtr vars,
- virNWFilterRuleInstPtr res,
const char *match, bool defMatch,
const char *accept_target,
bool isIPv6,
- bool maySkipICMP)
+ bool maySkipICMP,
+ char ***templates,
+ size_t *ntemplates)
{
char chain[MAX_CHAINNAME_LENGTH];
char number[MAX(INT_BUFSIZE_BOUND(uint32_t),
@@ -1322,6 +1322,7 @@ _iptablesCreateRuleInstance(bool directionIn,
bool skipRule = false;
bool skipMatch = false;
bool hasICMPType = false;
+ char *template;
if (!iptables_cmd) {
virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1732,14 +1733,13 @@ _iptablesCreateRuleInstance(bool directionIn,
final = &buf;
- return ebiptablesAddRuleInst(res,
- virBufferContentAndReset(final),
- nwfilter->chainsuffix,
- nwfilter->chainPriority,
- '\0',
- rule->priority,
- (isIPv6) ? RT_IP6TABLES : RT_IPTABLES);
+ template = virBufferContentAndReset(final);
+ if (VIR_APPEND_ELEMENT(*templates, *ntemplates, template) < 0) {
+ VIR_FREE(template);
+ return -1;
+ }
+ return 0;
err_exit:
virBufferFreeAndReset(&buf);
@@ -1775,12 +1775,12 @@ printStateMatchFlags(int32_t flags, char **bufptr)
}
static int
-iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
- virNWFilterRuleDefPtr rule,
+iptablesCreateRuleInstanceStateCtrl(virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterVarCombIterPtr vars,
- virNWFilterRuleInstPtr res,
- bool isIPv6)
+ bool isIPv6,
+ char ***templates,
+ size_t *ntemplates)
{
int rc;
bool directionIn = false;
@@ -1816,15 +1816,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
if (create) {
rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix,
- nwfilter,
rule,
ifname,
vars,
- res,
matchState, false,
"RETURN",
isIPv6,
- maySkipICMP);
+ maySkipICMP,
+ templates,
+ ntemplates);
VIR_FREE(matchState);
if (rc < 0)
@@ -1848,15 +1848,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
if (create) {
rc = _iptablesCreateRuleInstance(!directionIn,
chainPrefix,
- nwfilter,
rule,
ifname,
vars,
- res,
matchState, false,
"ACCEPT",
isIPv6,
- maySkipICMP);
+ maySkipICMP,
+ templates,
+ ntemplates);
VIR_FREE(matchState);
@@ -1883,15 +1883,15 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix,
- nwfilter,
rule,
ifname,
vars,
- res,
matchState, false,
"RETURN",
isIPv6,
- maySkipICMP);
+ maySkipICMP,
+ templates,
+ ntemplates);
VIR_FREE(matchState);
}
@@ -1900,12 +1900,12 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr nwfilter,
static int
-iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
- virNWFilterRuleDefPtr rule,
+iptablesCreateRuleInstance(virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterVarCombIterPtr vars,
- virNWFilterRuleInstPtr res,
- bool isIPv6)
+ bool isIPv6,
+ char ***templates,
+ size_t *ntemplates)
{
int rc;
bool directionIn = false;
@@ -1916,12 +1916,12 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
if (!(rule->flags & RULE_FLAG_NO_STATEMATCH) &&
(rule->flags & IPTABLES_STATE_FLAGS)) {
- return iptablesCreateRuleInstanceStateCtrl(nwfilter,
- rule,
+ return iptablesCreateRuleInstanceStateCtrl(rule,
ifname,
vars,
- res,
- isIPv6);
+ isIPv6,
+ templates,
+ ntemplates);
}
if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) ||
@@ -1947,15 +1947,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix,
- nwfilter,
rule,
ifname,
vars,
- res,
matchState, true,
"RETURN",
isIPv6,
- maySkipICMP);
+ maySkipICMP,
+ templates,
+ ntemplates);
if (rc < 0)
return rc;
@@ -1969,15 +1969,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
rc = _iptablesCreateRuleInstance(!directionIn,
chainPrefix,
- nwfilter,
rule,
ifname,
vars,
- res,
matchState, true,
"ACCEPT",
isIPv6,
- maySkipICMP);
+ maySkipICMP,
+ templates,
+ ntemplates);
if (rc < 0)
return rc;
@@ -1991,15 +1991,15 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix,
- nwfilter,
rule,
ifname,
vars,
- res,
matchState, true,
"RETURN",
isIPv6,
- maySkipICMP);
+ maySkipICMP,
+ templates,
+ ntemplates);
return rc;
}
@@ -2010,12 +2010,13 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
/*
* ebtablesCreateRuleInstance:
* @chainPrefix : The prefix to put in front of the name of the chain
- * @nwfilter : The filter
+ * @chainSuffix: The suffix to put on the end of the name of the chain
* @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve
- * @res : The data structure to store the result(s) into
* @reverse : Whether to reverse src and dst attributes
+ * @templates: pointer to array to store rule template
+ * @ntemplates: pointer to storage rule template count
*
* Convert a single rule into its representation for later instantiation
*
@@ -2024,12 +2025,12 @@ iptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
*/
static int
ebtablesCreateRuleInstance(char chainPrefix,
- virNWFilterDefPtr nwfilter,
+ const char *chainSuffix,
virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterVarCombIterPtr vars,
- virNWFilterRuleInstPtr res,
- bool reverse)
+ bool reverse,
+ char **template)
{
char macaddr[VIR_MAC_STRING_BUFLEN],
ipaddr[INET_ADDRSTRLEN],
@@ -2043,6 +2044,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
const char *target;
bool hasMask = false;
+ *template = NULL;
+
if (!ebtables_cmd_path) {
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("cannot create rule since ebtables tool is "
@@ -2050,13 +2053,13 @@ ebtablesCreateRuleInstance(char chainPrefix,
goto err_exit;
}
- if (STREQ(nwfilter->chainsuffix,
+ if (STREQ(chainSuffix,
virNWFilterChainSuffixTypeToString(
VIR_NWFILTER_CHAINSUFFIX_ROOT)))
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
else
PRINT_CHAIN(chain, chainPrefix, ifname,
- nwfilter->chainsuffix);
+ chainSuffix);
switch (rule->prtclType) {
@@ -2620,13 +2623,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
return -1;
}
- return ebiptablesAddRuleInst(res,
- virBufferContentAndReset(&buf),
- nwfilter->chainsuffix,
- nwfilter->chainPriority,
- chainPrefix,
- rule->priority,
- RT_EBTABLES);
+ *template = virBufferContentAndReset(&buf);
+ return 0;
err_exit:
virBufferFreeAndReset(&buf);
@@ -2637,7 +2635,8 @@ ebtablesCreateRuleInstance(char chainPrefix,
/*
* ebiptablesCreateRuleInstance:
- * @nwfilter : The filter
+ * @chainPriority : The priority of the chain
+ * @chainSuffix: The suffix to put on the end of the name of the chain
* @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve
@@ -2649,40 +2648,66 @@ ebtablesCreateRuleInstance(char chainPrefix,
* pointed to by res, -1 otherwise
*/
static int
-ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
+ebiptablesCreateRuleInstance(virNWFilterChainPriority chainPriority,
+ const char *chainSuffix,
virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterVarCombIterPtr vars,
virNWFilterRuleInstPtr res)
{
- int rc = 0;
-
if (virNWFilterRuleIsProtocolEthernet(rule)) {
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
- rc = ebtablesCreateRuleInstance(CHAINPREFIX_HOST_IN_TEMP,
- nwfilter,
- rule,
- ifname,
- vars,
- res,
- rule->tt ==
VIR_NWFILTER_RULE_DIRECTION_INOUT);
- if (rc < 0)
- return rc;
+ char *template;
+ if (ebtablesCreateRuleInstance(CHAINPREFIX_HOST_IN_TEMP,
+ chainSuffix,
+ rule,
+ ifname,
+ vars,
+ rule->tt ==
VIR_NWFILTER_RULE_DIRECTION_INOUT,
+ &template) < 0)
+ return -1;
+
+ if (ebiptablesAddRuleInst(res,
+ template,
+ chainSuffix,
+ chainPriority,
+ CHAINPREFIX_HOST_IN_TEMP,
+ rule->priority,
+ RT_EBTABLES) < 0) {
+ VIR_FREE(template);
+ return -1;
+ }
}
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
- rc = ebtablesCreateRuleInstance(CHAINPREFIX_HOST_OUT_TEMP,
- nwfilter,
- rule,
- ifname,
- vars,
- res,
- false);
+ char *template;
+ if (ebtablesCreateRuleInstance(CHAINPREFIX_HOST_OUT_TEMP,
+ chainSuffix,
+ rule,
+ ifname,
+ vars,
+ false,
+ &template) < 0)
+ return -1;
+
+ if (ebiptablesAddRuleInst(res,
+ template,
+ chainSuffix,
+ chainPriority,
+ CHAINPREFIX_HOST_OUT_TEMP,
+ rule->priority,
+ RT_EBTABLES) < 0) {
+ VIR_FREE(template);
+ return -1;
+ }
}
} else {
bool isIPv6;
+ char **templates = NULL;
+ size_t ntemplates = 0;
+ size_t i, j;
if (virNWFilterRuleIsProtocolIPv6(rule)) {
isIPv6 = true;
} else if (virNWFilterRuleIsProtocolIPv4(rule)) {
@@ -2693,15 +2718,30 @@ ebiptablesCreateRuleInstance(virNWFilterDefPtr nwfilter,
return -1;
}
- rc = iptablesCreateRuleInstance(nwfilter,
- rule,
- ifname,
- vars,
- res,
- isIPv6);
+ if (iptablesCreateRuleInstance(rule,
+ ifname,
+ vars,
+ isIPv6,
+ &templates,
+ &ntemplates) < 0)
+ return -1;
+
+ for (i = 0; i < ntemplates; i++) {
+ if (ebiptablesAddRuleInst(res,
+ templates[i],
+ chainSuffix,
+ chainPriority,
+ '\0',
+ rule->priority,
+ (isIPv6) ? RT_IP6TABLES : RT_IPTABLES) < 0) {
+ for (j = i; j < ntemplates; j++)
+ VIR_FREE(templates[j]);
+ return -1;
+ }
+ }
}
- return rc;
+ return 0;
}
static int
@@ -2724,7 +2764,8 @@ ebiptablesCreateRuleInstanceIterate(virNWFilterDefPtr nwfilter,
return -1;
do {
- rc = ebiptablesCreateRuleInstance(nwfilter,
+ rc = ebiptablesCreateRuleInstance(nwfilter->chainPriority,
+ nwfilter->chainsuffix,
rule,
ifname,
tmp,
--
1.9.0
4:25 p.m.
New subject: [libvirt] [PATCH 07/26] Push virNWFilterRuleInstPtr out of (eb|ip)tablesCreateRuleInstance
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
Later refactoring will change use of the virNWFilterRuleInstPtr
struct.
Prepare for this by pushing use of the virNWFilterRuleInstPtr parameter
out of the ebtablesCreateRuleInstance and iptablesCreateRuleInstance
methods. Instead they simply string(s) with the constructed rule data.
The ebiptablesCreateRuleInstance method will make use of the
virNWFilterRuleInstPtr struct instead.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
10:38 a.m.
New subject: [libvirt] [PATCH 08/26] Merge nwfilter createRuleInstance driver into applyNewRules
The current nwfilter tech driver API has a 'createRuleInstance' method
which populates virNWFilterRuleInstPtr with a command line string
containing variable placeholders. The 'applyNewRules' method then
expands the variables and executes the commands. This split of
responsibility won't work when switching to the virFirewallPtr
APIs, since we can't just build up command line strings. This patch
this merges the functionality of 'createRuleInstance' into the
applyNewRules method.
The virNWFilterRuleInstPtr struct is changed from holding an array
of opaque pointers, into holding generic metadata about the rules
to be processed. In essence this is the result of taking a linked
set of virNWFilterDefPtr's and flattening the tree to get a list
of virNWFilterRuleDefPtr's. At the same time we must keep track of
any nested virNWFilterObjPtr instances, so that the locks are held
for the duration of the 'applyNewRules' method.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 371 +++++++++++++++-------------
src/nwfilter/nwfilter_gentech_driver.c | 398 ++++++++++++++----------------
src/nwfilter/nwfilter_tech_driver.h | 22 +-
3 files changed, 390 insertions(+), 401 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 5c876cc..f93158f 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -477,46 +477,6 @@ printCommentVar(virBufferPtr dest, const char *buf)
}
-static void
-ebiptablesRuleInstFree(ebiptablesRuleInstPtr inst)
-{
- if (!inst)
- return;
-
- VIR_FREE(inst->commandTemplate);
- VIR_FREE(inst);
-}
-
-
-static int
-ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
- char *commandTemplate,
- const char *neededChain,
- virNWFilterChainPriority chainPriority,
- char chainprefix,
- virNWFilterRulePriority priority,
- enum RuleType ruleType)
-{
- ebiptablesRuleInstPtr inst;
-
- if (VIR_ALLOC(inst) < 0)
- return -1;
-
- inst->commandTemplate = commandTemplate;
- inst->neededProtocolChain = neededChain;
- inst->chainPriority = chainPriority;
- inst->chainprefix = chainprefix;
- inst->priority = priority;
- inst->ruleType = ruleType;
-
- if (VIR_APPEND_ELEMENT(res->data, res->ndata, inst) < 0) {
- VIR_FREE(inst);
- return -1;
- }
- return 0;
-}
-
-
static int
ebtablesHandleEthHdr(virBufferPtr buf,
virNWFilterVarCombIterPtr vars,
@@ -2648,13 +2608,18 @@ ebtablesCreateRuleInstance(char chainPrefix,
* pointed to by res, -1 otherwise
*/
static int
-ebiptablesCreateRuleInstance(virNWFilterChainPriority chainPriority,
- const char *chainSuffix,
+ebiptablesCreateRuleInstance(const char *chainSuffix,
virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterVarCombIterPtr vars,
- virNWFilterRuleInstPtr res)
+ char ***templates,
+ size_t *ntemplates)
{
+ size_t i;
+
+ *templates = NULL;
+ *ntemplates = 0;
+
if (virNWFilterRuleIsProtocolEthernet(rule)) {
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
@@ -2666,17 +2631,11 @@ ebiptablesCreateRuleInstance(virNWFilterChainPriority
chainPriority,
vars,
rule->tt ==
VIR_NWFILTER_RULE_DIRECTION_INOUT,
&template) < 0)
- return -1;
+ goto error;
- if (ebiptablesAddRuleInst(res,
- template,
- chainSuffix,
- chainPriority,
- CHAINPREFIX_HOST_IN_TEMP,
- rule->priority,
- RT_EBTABLES) < 0) {
+ if (VIR_APPEND_ELEMENT(*templates, *ntemplates, template) < 0) {
VIR_FREE(template);
- return -1;
+ goto error;
}
}
@@ -2690,24 +2649,15 @@ ebiptablesCreateRuleInstance(virNWFilterChainPriority
chainPriority,
vars,
false,
&template) < 0)
- return -1;
+ goto error;
- if (ebiptablesAddRuleInst(res,
- template,
- chainSuffix,
- chainPriority,
- CHAINPREFIX_HOST_OUT_TEMP,
- rule->priority,
- RT_EBTABLES) < 0) {
+ if (VIR_APPEND_ELEMENT(*templates, *ntemplates, template) < 0) {
VIR_FREE(template);
- return -1;
+ goto error;
}
}
} else {
bool isIPv6;
- char **templates = NULL;
- size_t ntemplates = 0;
- size_t i, j;
if (virNWFilterRuleIsProtocolIPv6(rule)) {
isIPv6 = true;
} else if (virNWFilterRuleIsProtocolIPv4(rule)) {
@@ -2715,76 +2665,27 @@ ebiptablesCreateRuleInstance(virNWFilterChainPriority
chainPriority,
} else {
virReportError(VIR_ERR_OPERATION_FAILED,
"%s", _("unexpected protocol type"));
- return -1;
+ goto error;
}
if (iptablesCreateRuleInstance(rule,
ifname,
vars,
isIPv6,
- &templates,
- &ntemplates) < 0)
- return -1;
-
- for (i = 0; i < ntemplates; i++) {
- if (ebiptablesAddRuleInst(res,
- templates[i],
- chainSuffix,
- chainPriority,
- '\0',
- rule->priority,
- (isIPv6) ? RT_IP6TABLES : RT_IPTABLES) < 0) {
- for (j = i; j < ntemplates; j++)
- VIR_FREE(templates[j]);
- return -1;
- }
- }
+ templates,
+ ntemplates) < 0)
+ goto error;
}
return 0;
-}
-static int
-ebiptablesCreateRuleInstanceIterate(virNWFilterDefPtr nwfilter,
- virNWFilterRuleDefPtr rule,
- const char *ifname,
- virNWFilterHashTablePtr vars,
- virNWFilterRuleInstPtr res)
-{
- int rc = 0;
- virNWFilterVarCombIterPtr vciter, tmp;
-
- /* rule->vars holds all the variables names that this rule will access.
- * iterate over all combinations of the variables' values and instantiate
- * the filtering rule with each combination.
- */
- tmp = vciter = virNWFilterVarCombIterCreate(vars,
- rule->varAccess,
rule->nVarAccess);
- if (!vciter)
- return -1;
-
- do {
- rc = ebiptablesCreateRuleInstance(nwfilter->chainPriority,
- nwfilter->chainsuffix,
- rule,
- ifname,
- tmp,
- res);
- if (rc < 0)
- break;
- tmp = virNWFilterVarCombIterNext(tmp);
- } while (tmp != NULL);
-
- virNWFilterVarCombIterFree(vciter);
-
- return rc;
-}
-
-static int
-ebiptablesFreeRuleInstance(void *_inst)
-{
- ebiptablesRuleInstFree((ebiptablesRuleInstPtr)_inst);
- return 0;
+ error:
+ for (i = 0; i < *ntemplates; i++)
+ VIR_FREE((*templates)[i]);
+ VIR_FREE(*templates);
+ *templates = NULL;
+ *ntemplates = 0;
+ return -1;
}
@@ -3562,12 +3463,40 @@ ebiptablesRuleOrderSort(const void *a, const void *b)
return insta->priority - instb->priority;
}
+
+static int
+virNWFilterRuleInstSort(const void *a, const void *b)
+{
+ const virNWFilterRuleInst *insta = a;
+ const virNWFilterRuleInst *instb = b;
+ const char *root = virNWFilterChainSuffixTypeToString(
+ VIR_NWFILTER_CHAINSUFFIX_ROOT);
+ bool root_a = STREQ(insta->chainSuffix, root);
+ bool root_b = STREQ(instb->chainSuffix, root);
+
+ /* ensure root chain commands appear before all others since
+ we will need them to create the child chains */
+ if (root_a) {
+ if (root_b) {
+ goto normal;
+ }
+ return -1; /* a before b */
+ }
+ if (root_b) {
+ return 1; /* b before a */
+ }
+ normal:
+ /* priorities are limited to range [-1000, 1000] */
+ return insta->priority - instb->priority;
+}
+
+
static int
-ebiptablesRuleOrderSortPtr(const void *a, const void *b)
+virNWFilterRuleInstSortPtr(const void *a, const void *b)
{
- ebiptablesRuleInst * const *insta = a;
- ebiptablesRuleInst * const *instb = b;
- return ebiptablesRuleOrderSort(*insta, *instb);
+ virNWFilterRuleInst * const *insta = a;
+ virNWFilterRuleInst * const *instb = b;
+ return virNWFilterRuleInstSort(*insta, *instb);
}
static int
@@ -3673,13 +3602,106 @@ ebtablesCreateTmpRootAndSubChains(virBufferPtr buf,
return rc;
}
+
+static int
+iptablesRuleInstCommand(virBufferPtr buf,
+ const char *ifname,
+ virNWFilterRuleInstPtr rule,
+ char cmd, int pos)
+{
+ virNWFilterVarCombIterPtr vciter, tmp;
+ char **templates = NULL;
+ size_t ntemplates = 0;
+ size_t i;
+ int ret = -1;
+
+ /* rule->vars holds all the variables names that this rule will access.
+ * iterate over all combinations of the variables' values and instantiate
+ * the filtering rule with each combination.
+ */
+ tmp = vciter = virNWFilterVarCombIterCreate(rule->vars,
+ rule->def->varAccess,
+ rule->def->nVarAccess);
+ if (!vciter)
+ return -1;
+
+ do {
+ if (ebiptablesCreateRuleInstance(rule->chainSuffix,
+ rule->def,
+ ifname,
+ tmp,
+ &templates,
+ &ntemplates) < 0)
+ goto cleanup;
+ tmp = virNWFilterVarCombIterNext(tmp);
+ } while (tmp != NULL);
+
+ for (i = 0; i < ntemplates; i++)
+ iptablesInstCommand(buf, templates[i], cmd, pos);
+
+ ret = 0;
+ cleanup:
+ for (i = 0; i < ntemplates; i++)
+ VIR_FREE(templates[i]);
+ VIR_FREE(templates);
+ virNWFilterVarCombIterFree(vciter);
+ return ret;
+}
+
+
+static int
+ebtablesRuleInstCommand(virBufferPtr buf,
+ const char *ifname,
+ virNWFilterRuleInstPtr rule,
+ char cmd, int pos,
+ bool stopOnError)
+{
+ virNWFilterVarCombIterPtr vciter, tmp;
+ char **templates = NULL;
+ size_t ntemplates = 0;
+ size_t i;
+ int ret = -1;
+
+ /* rule->vars holds all the variables names that this rule will access.
+ * iterate over all combinations of the variables' values and instantiate
+ * the filtering rule with each combination.
+ */
+ tmp = vciter = virNWFilterVarCombIterCreate(rule->vars,
+ rule->def->varAccess,
+ rule->def->nVarAccess);
+ if (!vciter)
+ return -1;
+
+ do {
+ if (ebiptablesCreateRuleInstance(rule->chainSuffix,
+ rule->def,
+ ifname,
+ tmp,
+ &templates,
+ &ntemplates) < 0)
+ goto cleanup;
+ tmp = virNWFilterVarCombIterNext(tmp);
+ } while (tmp != NULL);
+
+ for (i = 0; i < ntemplates; i++)
+ ebiptablesInstCommand(buf, templates[i], cmd, pos, stopOnError);
+
+ ret = 0;
+ cleanup:
+ for (i = 0; i < ntemplates; i++)
+ VIR_FREE(templates[i]);
+ VIR_FREE(templates);
+ virNWFilterVarCombIterFree(vciter);
+ return ret;
+}
+
+
static int
ebiptablesApplyNewRules(const char *ifname,
- int nruleInstances,
- void **_inst)
+ virNWFilterRuleInstPtr *rules,
+ size_t nrules)
{
size_t i, j;
- ebiptablesRuleInstPtr *inst = (ebiptablesRuleInstPtr *)_inst;
virBuffer buf = VIR_BUFFER_INITIALIZER;
virHashTablePtr chains_in_set = virHashCreate(10, NULL);
virHashTablePtr chains_out_set = virHashCreate(10, NULL);
@@ -3689,28 +3711,27 @@ ebiptablesApplyNewRules(const char *ifname,
int nEbtChains = 0;
char *errmsg = NULL;
- if (inst == NULL)
- nruleInstances = 0;
-
if (!chains_in_set || !chains_out_set)
goto exit_free_sets;
- if (nruleInstances > 1 && inst)
- qsort(inst, nruleInstances, sizeof(inst[0]),
- ebiptablesRuleOrderSortPtr);
+ if (nrules)
+ qsort(rules, nrules, sizeof(rules[0]),
+ virNWFilterRuleInstSortPtr);
/* scan the rules to see which chains need to be created */
- for (i = 0; i < nruleInstances; i++) {
- sa_assert(inst);
- if (inst[i]->ruleType == RT_EBTABLES) {
- const char *name = inst[i]->neededProtocolChain;
- if (inst[i]->chainprefix == CHAINPREFIX_HOST_IN_TEMP) {
+ for (i = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
+ const char *name = rules[i]->chainSuffix;
+ if (rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
+ rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
if (virHashUpdateEntry(chains_in_set, name,
- &inst[i]->chainPriority) < 0)
+ &rules[i]->chainPriority) < 0)
goto exit_free_sets;
- } else {
+ }
+ if (rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_IN ||
+ rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
if (virHashUpdateEntry(chains_out_set, name,
- &inst[i]->chainPriority) < 0)
+ &rules[i]->chainPriority) < 0)
goto exit_free_sets;
}
}
@@ -3759,37 +3780,34 @@ ebiptablesApplyNewRules(const char *ifname,
* priority -500 and the chain with priority -500 will
* then be created before it.
*/
- for (i = 0; i < nruleInstances; i++) {
- if (inst[i]->chainPriority > inst[i]->priority &&
- !strstr("root", inst[i]->neededProtocolChain)) {
+ for (i = 0; i < nrules; i++) {
+ if (rules[i]->chainPriority > rules[i]->priority &&
+ !strstr("root", rules[i]->chainSuffix)) {
- inst[i]->priority = inst[i]->chainPriority;
+ rules[i]->priority = rules[i]->chainPriority;
}
}
/* process ebtables commands; interleave commands from filters with
commands for creating and connecting ebtables chains */
j = 0;
- for (i = 0; i < nruleInstances; i++) {
- sa_assert(inst);
- switch (inst[i]->ruleType) {
- case RT_EBTABLES:
+ for (i = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
while (j < nEbtChains &&
- ebtChains[j].priority <= inst[i]->priority) {
+ ebtChains[j].priority <= rules[i]->priority) {
ebiptablesInstCommand(&buf,
ebtChains[j++].commandTemplate,
'A', -1, true);
}
- ebiptablesInstCommand(&buf,
- inst[i]->commandTemplate,
- 'A', -1, true);
- break;
- case RT_IPTABLES:
- haveIptables = true;
- break;
- case RT_IP6TABLES:
- haveIp6tables = true;
- break;
+ ebtablesRuleInstCommand(&buf,
+ ifname,
+ rules[i],
+ 'A', -1, true);
+ } else {
+ if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ haveIptables = true;
+ else if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ haveIp6tables = true;
}
}
@@ -3828,12 +3846,12 @@ ebiptablesApplyNewRules(const char *ifname,
NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
- for (i = 0; i < nruleInstances; i++) {
- sa_assert(inst);
- if (inst[i]->ruleType == RT_IPTABLES)
- iptablesInstCommand(&buf,
- inst[i]->commandTemplate,
- 'A', -1);
+ for (i = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ iptablesRuleInstCommand(&buf,
+ ifname,
+ rules[i],
+ 'A', -1);
}
if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
@@ -3869,11 +3887,12 @@ ebiptablesApplyNewRules(const char *ifname,
NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
- for (i = 0; i < nruleInstances; i++) {
- if (inst[i]->ruleType == RT_IP6TABLES)
- iptablesInstCommand(&buf,
- inst[i]->commandTemplate,
- 'A', -1);
+ for (i = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolIPv6(rules[i]->def))
+ iptablesRuleInstCommand(&buf,
+ ifname,
+ rules[i],
+ 'A', -1);
}
if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
@@ -4095,12 +4114,10 @@ virNWFilterTechDriver ebiptables_driver = {
.init = ebiptablesDriverInit,
.shutdown = ebiptablesDriverShutdown,
- .createRuleInstance = ebiptablesCreateRuleInstanceIterate,
.applyNewRules = ebiptablesApplyNewRules,
.tearNewRules = ebiptablesTearNewRules,
.tearOldRules = ebiptablesTearOldRules,
.allTeardown = ebiptablesAllTeardown,
- .freeRuleInstance = ebiptablesFreeRuleInstance,
.canApplyBasicRules = ebiptablesCanApplyBasicRules,
.applyBasicRules = ebtablesApplyBasicRules,
diff --git a/src/nwfilter/nwfilter_gentech_driver.c
b/src/nwfilter/nwfilter_gentech_driver.c
index d482f43..5bed106 100644
--- a/src/nwfilter/nwfilter_gentech_driver.c
+++ b/src/nwfilter/nwfilter_gentech_driver.c
@@ -119,14 +119,10 @@ virNWFilterTechDriverForName(const char *name)
static void
virNWFilterRuleInstFree(virNWFilterRuleInstPtr inst)
{
- size_t i;
if (!inst)
return;
- for (i = 0; i < inst->ndata; i++)
- inst->techdriver->freeRuleInstance(inst->data[i]);
-
- VIR_FREE(inst->data);
+ virNWFilterHashTableFree(inst->vars);
VIR_FREE(inst);
}
@@ -273,51 +269,6 @@ virNWFilterPrintVars(virHashTablePtr vars,
/**
- * virNWFilterRuleInstantiate:
- * @techdriver: the driver to use for instantiation
- * @filter: The filter the rule is part of
- * @rule : The rule that is to be instantiated
- * @ifname: The name of the interface
- * @vars: map containing variable names and value used for instantiation
- *
- * Returns virNWFilterRuleInst object on success, NULL on error with
- * error reported.
- *
- * Instantiate a single rule. Return a pointer to virNWFilterRuleInst
- * object that will hold an array of driver-specific data resulting
- * from the instantiation. Returns NULL on error with error reported.
- */
-static virNWFilterRuleInstPtr
-virNWFilterRuleInstantiate(virNWFilterTechDriverPtr techdriver,
- virNWFilterDefPtr filter,
- virNWFilterRuleDefPtr rule,
- const char *ifname,
- virNWFilterHashTablePtr vars)
-{
- int rc;
- size_t i;
- virNWFilterRuleInstPtr ret;
-
- if (VIR_ALLOC(ret) < 0)
- return NULL;
-
- ret->techdriver = techdriver;
-
- rc = techdriver->createRuleInstance(filter,
- rule, ifname, vars, ret);
-
- if (rc) {
- for (i = 0; i < ret->ndata; i++)
- techdriver->freeRuleInstance(ret->data[i]);
- VIR_FREE(ret);
- ret = NULL;
- }
-
- return ret;
-}
-
-
-/**
* virNWFilterCreateVarsFrom:
* @vars1: pointer to hash table
* @vars2: pointer to hash table
@@ -350,125 +301,198 @@ virNWFilterCreateVarsFrom(virNWFilterHashTablePtr vars1,
}
-/**
- * _virNWFilterInstantiateRec:
- * @techdriver: The driver to use for instantiation
- * @filter: The filter to instantiate
- * @ifname: The name of the interface to apply the rules to
- * @vars: A map holding variable names and values used for instantiating
- * the filter and its subfilters.
- * @nEntries: number of virNWFilterInst objects collected
- * @insts: pointer to array for virNWFilterIns object pointers
- * @useNewFilter: instruct whether to use a newDef pointer rather than a
- * def ptr which is useful during a filter update
- * @foundNewFilter: pointer to int indivating whether a newDef pointer was
- * ever used; variable expected to be initialized to 0 by caller
- *
- * Returns 0 on success, a value otherwise.
- *
- * Recursively instantiate a filter by instantiating the given filter along
- * with all its subfilters in a depth-first traversal of the tree of
- * referenced filters. The name of the interface to which the rules belong
- * must be provided. Apply the values of variables as needed. Terminate with
- * error when a referenced filter is missing or a variable could not be
- * resolved -- among other reasons.
- */
-static int
-_virNWFilterInstantiateRec(virNWFilterTechDriverPtr techdriver,
- virNWFilterDefPtr filter,
- const char *ifname,
- virNWFilterHashTablePtr vars,
- size_t *nEntries,
- virNWFilterRuleInstPtr **insts,
- enum instCase useNewFilter, bool *foundNewFilter,
- virNWFilterDriverStatePtr driver)
+typedef struct _virNWFilterInst virNWFilterInst;
+typedef virNWFilterInst *virNWFilterInstPtr;
+struct _virNWFilterInst {
+ virNWFilterObjPtr *filters;
+ size_t nfilters;
+ virNWFilterRuleInstPtr *rules;
+ size_t nrules;
+};
+
+
+static void
+virNWFilterInstReset(virNWFilterInstPtr inst)
{
- virNWFilterObjPtr obj;
- int rc = 0;
size_t i;
- virNWFilterRuleInstPtr inst;
- virNWFilterDefPtr next_filter;
- for (i = 0; i < filter->nentries; i++) {
- virNWFilterRuleDefPtr rule = filter->filterEntries[i]->rule;
- virNWFilterIncludeDefPtr inc = filter->filterEntries[i]->include;
- if (rule) {
- inst = virNWFilterRuleInstantiate(techdriver,
- filter,
- rule,
- ifname,
- vars);
- if (!inst) {
- rc = -1;
- break;
- }
+ for (i = 0; i < inst->nfilters; i++)
+ virNWFilterObjUnlock(inst->filters[i]);
+ VIR_FREE(inst->filters);
+ inst->nfilters = 0;
- if (VIR_APPEND_ELEMENT_COPY(*insts, *nEntries, inst) < 0) {
- rc = -1;
- break;
- }
+ for (i = 0; i < inst->nrules; i++)
+ virNWFilterRuleInstFree(inst->rules[i]);
+ VIR_FREE(inst->rules);
+}
- } else if (inc) {
- VIR_DEBUG("Instantiating filter %s", inc->filterref);
- obj = virNWFilterObjFindByName(&driver->nwfilters,
inc->filterref);
- if (obj) {
- if (obj->wantRemoved) {
- virReportError(VIR_ERR_NO_NWFILTER,
- _("Filter '%s' is in use."),
+
+static int
+virNWFilterDefToInst(virNWFilterDriverStatePtr driver,
+ virNWFilterDefPtr def,
+ virNWFilterHashTablePtr vars,
+ enum instCase useNewFilter,
+ bool *foundNewFilter,
+ virNWFilterInstPtr inst);
+
+static int
+virNWFilterRuleDefToRuleInst(virNWFilterDefPtr def,
+ virNWFilterRuleDefPtr rule,
+ virNWFilterHashTablePtr vars,
+ virNWFilterInstPtr inst)
+{
+ virNWFilterRuleInstPtr ruleinst;
+ int ret = -1;
+
+ if (VIR_ALLOC(ruleinst) < 0)
+ goto cleanup;
+
+ ruleinst->chainSuffix = def->chainsuffix;
+ ruleinst->chainPriority = def->chainPriority;
+ ruleinst->def = rule;
+ ruleinst->priority = rule->priority;
+ if (!(ruleinst->vars = virNWFilterHashTableCreate(0)))
+ goto cleanup;
+ if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0)
+ goto cleanup;
+
+ if (VIR_APPEND_ELEMENT(inst->rules,
+ inst->nrules,
+ ruleinst) < 0)
+ goto cleanup;
+ inst = NULL;
+
+ ret = 0;
+ cleanup:
+ virNWFilterRuleInstFree(ruleinst);
+ return ret;
+}
+
+
+static int
+virNWFilterIncludeDefToRuleInst(virNWFilterDriverStatePtr driver,
+ virNWFilterIncludeDefPtr inc,
+ virNWFilterHashTablePtr vars,
+ enum instCase useNewFilter,
+ bool *foundNewFilter,
+ virNWFilterInstPtr inst)
+{
+ virNWFilterObjPtr obj;
+ virNWFilterHashTablePtr tmpvars = NULL;
+ virNWFilterDefPtr childdef;
+ int ret = -1;
+
+ VIR_DEBUG("Instantiating filter %s", inc->filterref);
+ obj = virNWFilterObjFindByName(&driver->nwfilters,
inc->filterref);
- rc = -1;
- virNWFilterObjUnlock(obj);
- break;
- }
+ if (!obj) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("referenced filter '%s' is missing"),
+ inc->filterref);
+ goto cleanup;
+ }
+ if (obj->wantRemoved) {
+ virReportError(VIR_ERR_NO_NWFILTER,
+ _("Filter '%s' is in use."),
+ inc->filterref);
+ goto cleanup;
+ }
- /* create a temporary hashmap for depth-first tree traversal */
- virNWFilterHashTablePtr tmpvars =
- virNWFilterCreateVarsFrom(inc->params,
- vars);
- if (!tmpvars) {
- rc = -1;
- virNWFilterObjUnlock(obj);
- break;
- }
+ /* create a temporary hashmap for depth-first tree traversal */
+ if (!(tmpvars = virNWFilterCreateVarsFrom(inc->params,
+ vars)))
+ goto cleanup;
- next_filter = obj->def;
+ childdef = obj->def;
- switch (useNewFilter) {
- case INSTANTIATE_FOLLOW_NEWFILTER:
- if (obj->newDef) {
- next_filter = obj->newDef;
- *foundNewFilter = true;
- }
- break;
- case INSTANTIATE_ALWAYS:
- break;
- }
+ switch (useNewFilter) {
+ case INSTANTIATE_FOLLOW_NEWFILTER:
+ if (obj->newDef) {
+ childdef = obj->newDef;
+ *foundNewFilter = true;
+ }
+ break;
+ case INSTANTIATE_ALWAYS:
+ break;
+ }
- rc = _virNWFilterInstantiateRec(techdriver,
- next_filter,
- ifname,
- tmpvars,
- nEntries, insts,
- useNewFilter,
- foundNewFilter,
- driver);
+ if (VIR_APPEND_ELEMENT(inst->filters,
+ inst->nfilters,
+ obj) < 0)
+ goto cleanup;
+ obj = NULL;
+
+ if (virNWFilterDefToInst(driver,
+ childdef,
+ tmpvars,
+ useNewFilter,
+ foundNewFilter,
+ inst) < 0)
+ goto cleanup;
- virNWFilterHashTableFree(tmpvars);
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ virNWFilterHashTableFree(tmpvars);
+ if (obj)
+ virNWFilterObjUnlock(obj);
+ return ret;
+}
- virNWFilterObjUnlock(obj);
- if (rc < 0)
- break;
- } else {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("referenced filter '%s' is missing"),
- inc->filterref);
- rc = -1;
- break;
- }
+
+/**
+ * virNWFilterDefToInst:
+ * @driver: the driver state pointer
+ * @def: The filter to instantiate
+ * @vars: A map holding variable names and values used for instantiating
+ * the filter and its subfilters.
+ * @useNewFilter: instruct whether to use a newDef pointer rather than a
+ * def ptr which is useful during a filter update
+ * @foundNewFilter: pointer to int indivating whether a newDef pointer was
+ * ever used; variable expected to be initialized to 0 by caller
+ * @rulesout: array to be filled with rule instance
+ * @nrulesout: counter to be filled with number of rule instances
+ *
+ * Recursively expand a nested filter into a flat list of rule instances,
+ * in a depth-first traversal of the tree.
+ *
+ * Returns 0 on success, -1 on error
+ */
+static int
+virNWFilterDefToInst(virNWFilterDriverStatePtr driver,
+ virNWFilterDefPtr def,
+ virNWFilterHashTablePtr vars,
+ enum instCase useNewFilter,
+ bool *foundNewFilter,
+ virNWFilterInstPtr inst)
+{
+ size_t i;
+ int ret = -1;
+
+ for (i = 0; i < def->nentries; i++) {
+ if (def->filterEntries[i]->rule) {
+ if (virNWFilterRuleDefToRuleInst(def,
+ def->filterEntries[i]->rule,
+ vars,
+ inst) < 0)
+ goto cleanup;
+ } else if (def->filterEntries[i]->include) {
+ if (virNWFilterIncludeDefToRuleInst(driver,
+ def->filterEntries[i]->include,
+ vars,
+ useNewFilter, foundNewFilter,
+ inst) < 0)
+ goto cleanup;
}
}
- return rc;
+
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ return ret;
}
@@ -578,35 +602,6 @@ virNWFilterDetermineMissingVarsRec(virNWFilterDefPtr filter,
}
-static int
-virNWFilterRuleInstancesToArray(int nEntries,
- virNWFilterRuleInstPtr *insts,
- void ***ptrs,
- int *nptrs)
-{
- size_t i, j;
-
- *nptrs = 0;
-
- for (j = 0; j < nEntries; j++)
- (*nptrs) += insts[j]->ndata;
-
- if ((*nptrs) == 0)
- return 0;
-
- if (VIR_ALLOC_N((*ptrs), (*nptrs)) < 0)
- return -1;
-
- (*nptrs) = 0;
-
- for (j = 0; j < nEntries; j++)
- for (i = 0; i < insts[j]->ndata; i++)
- (*ptrs)[(*nptrs)++] = insts[j]->data[i];
-
- return 0;
-}
-
-
/**
* virNWFilterInstantiate:
* @vmuuid: The UUID of the VM
@@ -642,11 +637,7 @@ virNWFilterInstantiate(const unsigned char *vmuuid ATTRIBUTE_UNUSED,
bool forceWithPendingReq)
{
int rc;
- size_t j;
- int nptrs;
- size_t nEntries = 0;
- virNWFilterRuleInstPtr *insts = NULL;
- void **ptrs = NULL;
+ virNWFilterInst inst;
bool instantiate = true;
char *buf;
virNWFilterVarValuePtr lv;
@@ -654,6 +645,9 @@ virNWFilterInstantiate(const unsigned char *vmuuid ATTRIBUTE_UNUSED,
bool reportIP = false;
virNWFilterHashTablePtr missing_vars = virNWFilterHashTableCreate(0);
+
+ memset(&inst, 0, sizeof(inst));
+
if (!missing_vars) {
rc = -1;
goto err_exit;
@@ -717,13 +711,11 @@ virNWFilterInstantiate(const unsigned char *vmuuid
ATTRIBUTE_UNUSED,
goto err_exit;
}
- rc = _virNWFilterInstantiateRec(techdriver,
- filter,
- ifname,
- vars,
- &nEntries, &insts,
- useNewFilter, foundNewFilter,
- driver);
+ rc = virNWFilterDefToInst(driver,
+ filter,
+ vars,
+ useNewFilter, foundNewFilter,
+ &inst);
if (rc < 0)
goto err_exit;
@@ -738,16 +730,10 @@ virNWFilterInstantiate(const unsigned char *vmuuid
ATTRIBUTE_UNUSED,
}
if (instantiate) {
-
- rc = virNWFilterRuleInstancesToArray(nEntries, insts,
- &ptrs, &nptrs);
- if (rc < 0)
- goto err_exit;
-
if (virNWFilterLockIface(ifname) < 0)
goto err_exit;
- rc = techdriver->applyNewRules(ifname, nptrs, ptrs);
+ rc = techdriver->applyNewRules(ifname, inst.rules, inst.nrules);
if (teardownOld && rc == 0)
techdriver->tearOldRules(ifname);
@@ -763,13 +749,7 @@ virNWFilterInstantiate(const unsigned char *vmuuid ATTRIBUTE_UNUSED,
}
err_exit:
-
- for (j = 0; j < nEntries; j++)
- virNWFilterRuleInstFree(insts[j]);
-
- VIR_FREE(insts);
- VIR_FREE(ptrs);
-
+ virNWFilterInstReset(&inst);
virNWFilterHashTableFree(missing_vars);
return rc;
diff --git a/src/nwfilter/nwfilter_tech_driver.h b/src/nwfilter/nwfilter_tech_driver.h
index ed09a67..7b6f56f 100644
--- a/src/nwfilter/nwfilter_tech_driver.h
+++ b/src/nwfilter/nwfilter_tech_driver.h
@@ -35,24 +35,20 @@ typedef virNWFilterTechDriver *virNWFilterTechDriverPtr;
typedef struct _virNWFilterRuleInst virNWFilterRuleInst;
typedef virNWFilterRuleInst *virNWFilterRuleInstPtr;
struct _virNWFilterRuleInst {
- size_t ndata;
- void **data;
- virNWFilterTechDriverPtr techdriver;
+ const char *chainSuffix;
+ virNWFilterChainPriority chainPriority;
+ virNWFilterRuleDefPtr def;
+ virNWFilterRulePriority priority;
+ virNWFilterHashTablePtr vars;
};
typedef int (*virNWFilterTechDrvInit)(bool privileged);
typedef void (*virNWFilterTechDrvShutdown)(void);
-typedef int (*virNWFilterRuleCreateInstance)(virNWFilterDefPtr filter,
- virNWFilterRuleDefPtr rule,
- const char *ifname,
- virNWFilterHashTablePtr vars,
- virNWFilterRuleInstPtr res);
-
typedef int (*virNWFilterRuleApplyNewRules)(const char *ifname,
- int nruleInstances,
- void **_inst);
+ virNWFilterRuleInstPtr *rules,
+ size_t nrules);
typedef int (*virNWFilterRuleTeardownNewRules)(const char *ifname);
@@ -60,8 +56,6 @@ typedef int (*virNWFilterRuleTeardownOldRules)(const char *ifname);
typedef int (*virNWFilterRuleAllTeardown)(const char *ifname);
-typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
-
typedef int (*virNWFilterCanApplyBasicRules)(void);
typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
@@ -87,12 +81,10 @@ struct _virNWFilterTechDriver {
virNWFilterTechDrvInit init;
virNWFilterTechDrvShutdown shutdown;
- virNWFilterRuleCreateInstance createRuleInstance;
virNWFilterRuleApplyNewRules applyNewRules;
virNWFilterRuleTeardownNewRules tearNewRules;
virNWFilterRuleTeardownOldRules tearOldRules;
virNWFilterRuleAllTeardown allTeardown;
- virNWFilterRuleFreeInstanceData freeRuleInstance;
virNWFilterCanApplyBasicRules canApplyBasicRules;
virNWFilterApplyBasicRules applyBasicRules;
--
1.9.0
3:52 p.m.
New subject: [libvirt] [PATCH 08/26] Merge nwfilter createRuleInstance driver into applyNewRules
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
The current nwfilter tech driver API has a
'createRuleInstance' method
which populates virNWFilterRuleInstPtr with a command line string
containing variable placeholders. The 'applyNewRules' method then
expands the variables and executes the commands. This split of
responsibility won't work when switching to the virFirewallPtr
APIs, since we can't just build up command line strings. This patch
this merges the functionality of 'createRuleInstance' into the
applyNewRules method.
The virNWFilterRuleInstPtr struct is changed from holding an array
of opaque pointers, into holding generic metadata about the rules
to be processed. In essence this is the result of taking a linked
set of virNWFilterDefPtr's and flattening the tree to get a list
of virNWFilterRuleDefPtr's. At the same time we must keep track of
any nested virNWFilterObjPtr instances, so that the locks are held
for the duration of the 'applyNewRules' method.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
Some parts are difficult to read in the patch, especially where you
split the contents of _virNWFilterInstantiateRec into two functions. But
I find that the pieces appear again in the new functions.
/* process ebtables commands; interleave commands from filters with
commands for creating and connecting ebtables chains */
j = 0;
- for (i = 0; i < nruleInstances; i++) {
- sa_assert(inst);
- switch (inst[i]->ruleType) {
- case RT_EBTABLES:
+ for (i = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
while (j < nEbtChains &&
- ebtChains[j].priority <= inst[i]->priority) {
+ ebtChains[j].priority <= rules[i]->priority) {
ebiptablesInstCommand(&buf,
ebtChains[j++].commandTemplate,
'A', -1, true);
}
- ebiptablesInstCommand(&buf,
- inst[i]->commandTemplate,
- 'A', -1, true);
- break;
- case RT_IPTABLES:
- haveIptables = true;
- break;
- case RT_IP6TABLES:
- haveIp6tables = true;
- break;
+ ebtablesRuleInstCommand(&buf,
+ ifname,
+ rules[i],
+ 'A', -1, true);
+ } else {
+ if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ haveIptables = true;
+ else if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ haveIp6tables = true;
Here's that typo. If you were to change this, the TCK test suite will
probably pass after each step of applying the patches incrementally.
ACK
Stefan
10:38 a.m.
New subject: [libvirt] [PATCH 09/26] Remove two-stage construction of commands in nwfilter
The nwfilter ebiptables driver will build up commands to run in
two phases. The first phase contains all of the command, except
for the '-A' part. Instead it has a '%c' placeholder, along with
a '%s' placeholder for a position arg. The second phase than
substitutes these placeholders. The only values ever used for
these substitutions though is '-A' and '', so it is entirely
pointless. Remove the second phase entirely, since it will make
it harder to convert to the new firewall APIs
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 109 +++++++++++++-----------------
1 file changed, 47 insertions(+), 62 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index f93158f..0361d99 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -898,12 +898,9 @@ iptablesRenameTmpRootChains(virBufferPtr buf,
static void
iptablesInstCommand(virBufferPtr buf,
- const char *templ, char cmd, int pos)
+ const char *cmdstr)
{
- char position[10] = { 0 };
- if (pos >= 0)
- snprintf(position, sizeof(position), "%d", pos);
- virBufferAsprintf(buf, templ, cmd, position);
+ virBufferAdd(buf, cmdstr, -1);
virBufferAsprintf(buf, CMD_SEPARATOR "%s",
CMD_STOPONERR(true));
}
@@ -1298,7 +1295,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_TCP:
case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -%%c %s %%s",
+ CMD_DEF_PRE "$IPT -A %s",
chain);
virBufferAddLit(&buf, " -p tcp");
@@ -1353,7 +1350,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_UDP:
case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -%%c %s %%s",
+ CMD_DEF_PRE "$IPT -A %s",
chain);
virBufferAddLit(&buf, " -p udp");
@@ -1386,7 +1383,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -%%c %s %%s",
+ CMD_DEF_PRE "$IPT -A %s",
chain);
virBufferAddLit(&buf, " -p udplite");
@@ -1414,7 +1411,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_ESP:
case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -%%c %s %%s",
+ CMD_DEF_PRE "$IPT -A %s",
chain);
virBufferAddLit(&buf, " -p esp");
@@ -1442,7 +1439,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_AH:
case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -%%c %s %%s",
+ CMD_DEF_PRE "$IPT -A %s",
chain);
virBufferAddLit(&buf, " -p ah");
@@ -1470,7 +1467,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -%%c %s %%s",
+ CMD_DEF_PRE "$IPT -A %s",
chain);
virBufferAddLit(&buf, " -p sctp");
@@ -1503,7 +1500,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -%%c %s %%s",
+ CMD_DEF_PRE "$IPT -A %s",
chain);
if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
@@ -1568,7 +1565,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -%%c %s %%s",
+ CMD_DEF_PRE "$IPT -A %s",
chain);
virBufferAddLit(&buf, " -p igmp");
@@ -1596,7 +1593,7 @@ _iptablesCreateRuleInstance(bool directionIn,
case VIR_NWFILTER_RULE_PROTOCOL_ALL:
case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -%%c %s %%s",
+ CMD_DEF_PRE "$IPT -A %s",
chain);
virBufferAddLit(&buf, " -p all");
@@ -2026,7 +2023,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_MAC:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
+ CMD_DEF_PRE "$EBT -t nat -A %s",
chain);
if (ebtablesHandleEthHdr(&buf,
@@ -2050,7 +2047,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_VLAN:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
+ CMD_DEF_PRE "$EBT -t nat -A %s",
chain);
@@ -2117,7 +2114,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
}
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
+ CMD_DEF_PRE "$EBT -t nat -A %s",
chain);
@@ -2155,7 +2152,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_RARP:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
+ CMD_DEF_PRE "$EBT -t nat -A %s",
chain);
if (ebtablesHandleEthHdr(&buf,
@@ -2282,7 +2279,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_IP:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
+ CMD_DEF_PRE "$EBT -t nat -A %s",
chain);
if (ebtablesHandleEthHdr(&buf,
@@ -2424,7 +2421,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_IPV6:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
+ CMD_DEF_PRE "$EBT -t nat -A %s",
chain);
if (ebtablesHandleEthHdr(&buf,
@@ -2554,7 +2551,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
case VIR_NWFILTER_RULE_PROTOCOL_NONE:
virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -%%c %s %%s",
+ CMD_DEF_PRE "$EBT -t nat -A %s",
chain);
break;
@@ -2908,7 +2905,7 @@ ebtablesCreateTmpSubChain(ebiptablesRuleInstPtr *inst,
CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR
CMD_EXEC
"%s"
- CMD_DEF("$EBT -t nat -%%c %s %%s %s-j %s")
+ CMD_DEF("$EBT -t nat -A %s %s-j %s")
CMD_SEPARATOR
CMD_EXEC
"%s",
@@ -3071,15 +3068,11 @@ ebtablesRenameTmpSubAndRootChains(virBufferPtr buf,
static void
ebiptablesInstCommand(virBufferPtr buf,
- const char *templ, char cmd, int pos,
- bool stopOnError)
+ const char *cmdstr)
{
- char position[10] = { 0 };
- if (pos >= 0)
- snprintf(position, sizeof(position), "%d", pos);
- virBufferAsprintf(buf, templ, cmd, position);
+ virBufferAdd(buf, cmdstr, -1);
virBufferAsprintf(buf, CMD_SEPARATOR "%s",
- CMD_STOPONERR(stopOnError));
+ CMD_STOPONERR(true));
}
@@ -3606,12 +3599,11 @@ ebtablesCreateTmpRootAndSubChains(virBufferPtr buf,
static int
iptablesRuleInstCommand(virBufferPtr buf,
const char *ifname,
- virNWFilterRuleInstPtr rule,
- char cmd, int pos)
+ virNWFilterRuleInstPtr rule)
{
virNWFilterVarCombIterPtr vciter, tmp;
- char **templates = NULL;
- size_t ntemplates = 0;
+ char **cmds = NULL;
+ size_t ncmds = 0;
size_t i;
int ret = -1;
@@ -3630,20 +3622,20 @@ iptablesRuleInstCommand(virBufferPtr buf,
rule->def,
ifname,
tmp,
- &templates,
- &ntemplates) < 0)
+ &cmds,
+ &ncmds) < 0)
goto cleanup;
tmp = virNWFilterVarCombIterNext(tmp);
} while (tmp != NULL);
- for (i = 0; i < ntemplates; i++)
- iptablesInstCommand(buf, templates[i], cmd, pos);
+ for (i = 0; i < ncmds; i++)
+ iptablesInstCommand(buf, cmds[i]);
ret = 0;
cleanup:
- for (i = 0; i < ntemplates; i++)
- VIR_FREE(templates[i]);
- VIR_FREE(templates);
+ for (i = 0; i < ncmds; i++)
+ VIR_FREE(cmds[i]);
+ VIR_FREE(cmds);
virNWFilterVarCombIterFree(vciter);
return ret;
}
@@ -3652,13 +3644,11 @@ iptablesRuleInstCommand(virBufferPtr buf,
static int
ebtablesRuleInstCommand(virBufferPtr buf,
const char *ifname,
- virNWFilterRuleInstPtr rule,
- char cmd, int pos,
- bool stopOnError)
+ virNWFilterRuleInstPtr rule)
{
virNWFilterVarCombIterPtr vciter, tmp;
- char **templates = NULL;
- size_t ntemplates = 0;
+ char **cmds = NULL;
+ size_t ncmds = 0;
size_t i;
int ret = -1;
@@ -3677,20 +3667,20 @@ ebtablesRuleInstCommand(virBufferPtr buf,
rule->def,
ifname,
tmp,
- &templates,
- &ntemplates) < 0)
+ &cmds,
+ &ncmds) < 0)
goto cleanup;
tmp = virNWFilterVarCombIterNext(tmp);
} while (tmp != NULL);
- for (i = 0; i < ntemplates; i++)
- ebiptablesInstCommand(buf, templates[i], cmd, pos, stopOnError);
+ for (i = 0; i < ncmds; i++)
+ ebiptablesInstCommand(buf, cmds[i]);
ret = 0;
cleanup:
- for (i = 0; i < ntemplates; i++)
- VIR_FREE(templates[i]);
- VIR_FREE(templates);
+ for (i = 0; i < ncmds; i++)
+ VIR_FREE(cmds[i]);
+ VIR_FREE(cmds);
virNWFilterVarCombIterFree(vciter);
return ret;
}
@@ -3796,13 +3786,11 @@ ebiptablesApplyNewRules(const char *ifname,
while (j < nEbtChains &&
ebtChains[j].priority <= rules[i]->priority) {
ebiptablesInstCommand(&buf,
- ebtChains[j++].commandTemplate,
- 'A', -1, true);
+ ebtChains[j++].commandTemplate);
}
ebtablesRuleInstCommand(&buf,
ifname,
- rules[i],
- 'A', -1, true);
+ rules[i]);
} else {
if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
haveIptables = true;
@@ -3813,8 +3801,7 @@ ebiptablesApplyNewRules(const char *ifname,
while (j < nEbtChains)
ebiptablesInstCommand(&buf,
- ebtChains[j++].commandTemplate,
- 'A', -1, true);
+ ebtChains[j++].commandTemplate);
if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
goto tear_down_tmpebchains;
@@ -3850,8 +3837,7 @@ ebiptablesApplyNewRules(const char *ifname,
if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
iptablesRuleInstCommand(&buf,
ifname,
- rules[i],
- 'A', -1);
+ rules[i]);
}
if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
@@ -3891,8 +3877,7 @@ ebiptablesApplyNewRules(const char *ifname,
if (virNWFilterRuleIsProtocolIPv6(rules[i]->def))
iptablesRuleInstCommand(&buf,
ifname,
- rules[i],
- 'A', -1);
+ rules[i]);
}
if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
--
1.9.0
12:21 p.m.
New subject: [libvirt] [PATCH 09/26] Remove two-stage construction of commands in nwfilter
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
The nwfilter ebiptables driver will build up commands to run in
two phases. The first phase contains all of the command, except
for the '-A' part. Instead it has a '%c' placeholder, along with
a '%s' placeholder for a position arg. The second phase than
substitutes these placeholders. The only values ever used for
these substitutions though is '-A' and '', so it is entirely
pointless. Remove the second phase entirely, since it will make
it harder to convert to the new firewall APIs
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
10:38 a.m.
New subject: [libvirt] [PATCH 10/26] Preserve error when tearing down nwfilter rules
When a VM fails to launch due to error creating nwfilter
rules, we must avoid overwriting the original error when
tearing down the partially created rules.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/qemu/qemu_command.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 379c094..e34e537 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7654,8 +7654,12 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd,
ret = 0;
cleanup:
- if (ret < 0)
+ if (ret < 0) {
+ virErrorPtr saved_err = virSaveLastError();
virDomainConfNWFilterTeardown(net);
+ virSetError(saved_err);
+ virFreeError(saved_err);
+ }
for (i = 0; tapfd && i < tapfdSize && tapfd[i] >= 0; i++) {
if (ret < 0)
VIR_FORCE_CLOSE(tapfd[i]);
--
1.9.0
4:30 p.m.
New subject: [libvirt] [PATCH 10/26] Preserve error when tearing down nwfilter rules
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
When a VM fails to launch due to error creating nwfilter
rules, we must avoid overwriting the original error when
tearing down the partially created rules.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/qemu/qemu_command.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 379c094..e34e537 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7654,8 +7654,12 @@ qemuBuildInterfaceCommandLine(virCommandPtr cmd,
ret = 0;
cleanup:
- if (ret < 0)
+ if (ret < 0) {
+ virErrorPtr saved_err = virSaveLastError();
virDomainConfNWFilterTeardown(net);
+ virSetError(saved_err);
+ virFreeError(saved_err);
+ }
for (i = 0; tapfd && i < tapfdSize && tapfd[i] >= 0; i++) {
if (ret < 0)
VIR_FORCE_CLOSE(tapfd[i]);
ACK
10:38 a.m.
New subject: [libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.
This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
include/libvirt/virterror.h | 1 +
po/POTFILES.in | 1 +
src/Makefile.am | 2 +
src/libvirt_private.syms | 17 +
src/util/virerror.c | 1 +
src/util/virfirewall.c | 922 +++++++++++++++++++++++++++++++++
src/util/virfirewall.h | 109 ++++
src/util/virfirewallpriv.h | 45 ++
tests/Makefile.am | 7 +
tests/testutils.c | 18 +-
tests/virfirewalltest.c | 1186 +++++++++++++++++++++++++++++++++++++++++++
11 files changed, 2305 insertions(+), 4 deletions(-)
create mode 100644 src/util/virfirewall.c
create mode 100644 src/util/virfirewall.h
create mode 100644 src/util/virfirewallpriv.h
create mode 100644 tests/virfirewalltest.c
diff --git a/include/libvirt/virterror.h b/include/libvirt/virterror.h
index 495c121..be90797 100644
--- a/include/libvirt/virterror.h
+++ b/include/libvirt/virterror.h
@@ -122,6 +122,7 @@ typedef enum {
VIR_FROM_SYSTEMD = 56, /* Error from systemd code */
VIR_FROM_BHYVE = 57, /* Error from bhyve driver */
VIR_FROM_CRYPTO = 58, /* Error from crypto code */
+ VIR_FROM_FIREWALL = 59, /* Error from firewall */
# ifdef VIR_ENUM_SENTINELS
VIR_ERR_DOMAIN_LAST
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 122b853..e35eb82 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -161,6 +161,7 @@ src/util/virdbus.c
src/util/virdnsmasq.c
src/util/vireventpoll.c
src/util/virfile.c
+src/util/virfirewall.c
src/util/virhash.c
src/util/virhook.c
src/util/virhostdev.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 7e9a702..7615294 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -106,6 +106,8 @@ UTIL_SOURCES = \
util/virevent.c util/virevent.h \
util/vireventpoll.c util/vireventpoll.h \
util/virfile.c util/virfile.h \
+ util/virfirewall.c util/virfirewall.h \
+ util/virfirewallpriv.h \
util/virhash.c util/virhash.h \
util/virhashcode.c util/virhashcode.h \
util/virhook.c util/virhook.h \
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 0c2cf75..18be0e1 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1277,6 +1277,23 @@ virFileWriteStr;
virFindFileInPath;
+# util/virfirewall.h
+virFirewallAddRule;
+virFirewallAddRuleFull;
+virFirewallApply;
+virFirewallFree;
+virFirewallNew;
+virFirewallRemoveRule;
+virFirewallRuleAddArg;
+virFirewallRuleAddArgFormat;
+virFirewallRuleAddArgList;
+virFirewallRuleAddArgSet;
+virFirewallRuleGetArgCount;
+virFirewallSetBackend;
+virFirewallStartRollback;
+virFirewallStartTransaction;
+
+
# util/virhash.h
virHashAddEntry;
virHashCreate;
diff --git a/src/util/virerror.c b/src/util/virerror.c
index cbbaa83..e0bc970 100644
--- a/src/util/virerror.c
+++ b/src/util/virerror.c
@@ -129,6 +129,7 @@ VIR_ENUM_IMPL(virErrorDomain, VIR_ERR_DOMAIN_LAST,
"Systemd",
"Bhyve",
"Crypto",
+ "Firewall",
)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
new file mode 100644
index 0000000..b558d2f
--- /dev/null
+++ b/src/util/virfirewall.c
@@ -0,0 +1,922 @@
+/*
+ * virfirewall.c: integration with firewalls
+ *
+ * Copyright (C) 2013 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Authors:
+ * Daniel P. Berrange <berrange(a)redhat.com>
+ */
+
+#include <config.h>
+
+#define __VIR_FIREWALL_PRIV_H_ALLOW__
+
+#include <stdarg.h>
+
+#include "viralloc.h"
+#include "virfirewallpriv.h"
+#include "virerror.h"
+#include "virutil.h"
+#include "virstring.h"
+#include "vircommand.h"
+#include "virlog.h"
+#include "virdbus.h"
+#include "virfile.h"
+#include "virthread.h"
+
+#define VIR_FROM_THIS VIR_FROM_FIREWALL
+
+VIR_LOG_INIT("util.firewall");
+
+typedef struct _virFirewallGroup virFirewallGroup;
+typedef virFirewallGroup *virFirewallGroupPtr;
+
+VIR_ENUM_DECL(virFirewallLayerCommand)
+VIR_ENUM_IMPL(virFirewallLayerCommand, VIR_FIREWALL_LAYER_LAST,
+ EBTABLES_PATH,
+ IPTABLES_PATH,
+ IP6TABLES_PATH);
+
+VIR_ENUM_DECL(virFirewallLayerFirewallD)
+VIR_ENUM_IMPL(virFirewallLayerFirewallD, VIR_FIREWALL_LAYER_LAST,
+ "eb", "ipv4", "ipv6")
+
+
+struct _virFirewallRule {
+ virFirewallLayer layer;
+
+ virFirewallQueryCallback queryCB;
+ void *queryOpaque;
+ bool ignoreErrors;
+
+ size_t argsAlloc;
+ size_t argsLen;
+ char **args;
+};
+
+struct _virFirewallGroup {
+ unsigned int actionFlags;
+ unsigned int rollbackFlags;
+
+ size_t naction;
+ virFirewallRulePtr *action;
+
+ size_t nrollback;
+ virFirewallRulePtr *rollback;
+
+ bool addingRollback;
+};
+
+
+struct _virFirewall {
+ int err;
+
+ size_t ngroups;
+ virFirewallGroupPtr *groups;
+ size_t currentGroup;
+};
+
+static virFirewallBackend currentBackend = VIR_FIREWALL_BACKEND_AUTOMATIC;
+static virMutex ruleLock = VIR_MUTEX_INITIALIZER;
+
+static int
+virFirewallValidateBackend(virFirewallBackend backend);
+
+static int
+virFirewallOnceInit(void)
+{
+ return virFirewallValidateBackend(currentBackend);
+}
+
+VIR_ONCE_GLOBAL_INIT(virFirewall)
+
+static int
+virFirewallValidateBackend(virFirewallBackend backend)
+{
+ VIR_DEBUG("Validating backend %d", backend);
+#if WITH_DBUS
+ if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
+ backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ int rv = virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE);
+ VIR_DEBUG("Firewalled is registered ? %d", rv);
+ if (rv < 0) {
+ if (rv == -2) {
+ if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("firewalld firewall backend requested, but
service is not running"));
+ return -1;
+ } else {
+ VIR_DEBUG("firewalld service not running, trying direct
backend");
+ backend = VIR_FIREWALL_BACKEND_DIRECT;
+ }
+ } else {
+ return -1;
+ }
+ } else {
+ VIR_DEBUG("firewalld service running, using firewalld backend");
+ backend = VIR_FIREWALL_BACKEND_FIREWALLD;
+ }
+ }
+#else
+ if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC) {
+ VIR_DEBUG("DBus support disabled, trying direct backend");
+ backend = VIR_FIREWALL_BACKEND_DIRECT;
+ } else if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("firewalld firewall backend requested, but DBus support
disabled"));
+ return -1;
+ }
+#endif
+
+ if (backend == VIR_FIREWALL_BACKEND_DIRECT) {
+ const char *commands[] = {
+ IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
+ };
+ size_t i;
+ for (i = 0; i < ARRAY_CARDINALITY(commands); i++) {
+ if (!virFileIsExecutable(commands[i])) {
+ virReportSystemError(errno,
+ _("direct firewall backend requested, but %s is
not available"),
+ commands[i]);
+ return -1;
+ }
+ }
+ VIR_DEBUG("found iptables/ip6tables/ebtables, using direct backend");
+ }
+
+ currentBackend = backend;
+ return 0;
+}
+
+int
+virFirewallSetBackend(virFirewallBackend backend)
+{
+ currentBackend = backend;
+
+ if (virFirewallInitialize() < 0)
+ return -1;
+
+ return virFirewallValidateBackend(backend);
+}
+
+static virFirewallGroupPtr
+virFirewallGroupNew(void)
+{
+ virFirewallGroupPtr group;
+
+ if (VIR_ALLOC(group) < 0)
+ return NULL;
+
+ return group;
+}
+
+
+/**
+ * virFirewallNew:
+ *
+ * Creates a new firewall ruleset for changing rules
+ * of @layer. This should be followed by a call to
+ * virFirewallStartTransaction before adding
+ * any rules
+ *
+ * Returns the new firewall ruleset
+ */
+virFirewallPtr virFirewallNew(void)
+{
+ virFirewallPtr firewall;
+
+ if (VIR_ALLOC(firewall) < 0)
+ return NULL;
+
+ return firewall;
+}
+
+
+static void
+virFirewallRuleFree(virFirewallRulePtr rule)
+{
+ size_t i;
+
+ if (!rule)
+ return;
+
+ for (i = 0; i < rule->argsLen; i++)
+ VIR_FREE(rule->args[i]);
+ VIR_FREE(rule->args);
+ VIR_FREE(rule);
+}
+
+
+static void
+virFirewallGroupFree(virFirewallGroupPtr group)
+{
+ size_t i;
+
+ if (!group)
+ return;
+
+ for (i = 0; i < group->naction; i++)
+ virFirewallRuleFree(group->action[i]);
+ VIR_FREE(group->action);
+
+ for (i = 0; i < group->nrollback; i++)
+ virFirewallRuleFree(group->rollback[i]);
+ VIR_FREE(group->rollback);
+
+ VIR_FREE(group);
+}
+
+
+/**
+ * virFirewallFree:
+ *
+ * Release all memory associated with the firewall
+ * ruleset
+ */
+void virFirewallFree(virFirewallPtr firewall)
+{
+ size_t i;
+
+ if (!firewall)
+ return;
+
+ for (i = 0; i < firewall->ngroups; i++)
+ virFirewallGroupFree(firewall->groups[i]);
+ VIR_FREE(firewall->groups);
+
+ VIR_FREE(firewall);
+}
+
+#define VIR_FIREWALL_RETURN_IF_ERROR(firewall) \
+ if (!firewall || firewall->err) \
+ return;
+
+#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, ruel)\
+ if (!firewall || firewall->err || !rule) \
+ return;
+
+#define VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall) \
+ if (!firewall || firewall->err) \
+ return NULL;
+
+#define ADD_ARG(rule, str) \
+ if (VIR_RESIZE_N(rule->args, \
+ rule->argsAlloc, \
+ rule->argsLen, 1) < 0) \
+ goto no_memory; \
+ \
+ if (VIR_STRDUP(rule->args[rule->argsLen++], str) < 0)\
+ goto no_memory;
+
+static virFirewallRulePtr
+virFirewallAddRuleFullV(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ va_list args)
+{
+ virFirewallGroupPtr group;
+ virFirewallRulePtr rule;
+ char *str;
+
+ VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall);
+
+ if (firewall->ngroups == 0) {
+ firewall->err = ENODATA;
+ return NULL;
+ }
+ group = firewall->groups[firewall->currentGroup];
+
+
+ if (VIR_ALLOC(rule) < 0)
+ goto no_memory;
+
+ rule->layer = layer;
+ rule->queryCB = cb;
+ rule->queryOpaque = opaque;
+ rule->ignoreErrors = ignoreErrors;
+
+ while ((str = va_arg(args, char *)) != NULL) {
+ ADD_ARG(rule, str);
+ }
+
+ if (group->addingRollback) {
+ if (VIR_APPEND_ELEMENT_COPY(group->rollback,
+ group->nrollback,
+ rule) < 0)
+ goto no_memory;
+ } else {
+ if (VIR_APPEND_ELEMENT_COPY(group->action,
+ group->naction,
+ rule) < 0)
+ goto no_memory;
+ }
+
+
+ return rule;
+
+ no_memory:
+ firewall->err = ENOMEM;
+ virFirewallRuleFree(rule);
+ return NULL;
+}
+
+/**
+ * virFirewallAddRule:
+ * @firewall: firewall ruleset to add to
+ * @layer: the firewall layer to change
+ * @...: NULL terminated list of strings for the rule
+ *
+ * Add any type of rule to the firewall ruleset.
+ *
+ * Returns the new rule
+ */
+virFirewallRulePtr
+virFirewallAddRule(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ ...)
+{
+ virFirewallRulePtr rule;
+ va_list args;
+ va_start(args, layer);
+ rule = virFirewallAddRuleFullV(firewall, layer, false, NULL, NULL, args);
+ va_end(args);
+ return rule;
+}
+
+
+/**
+ * virFirewallAddRuleFull:
+ * @firewall: firewall ruleset to add to
+ * @layer: the firewall layer to change
+ * @ignoreErrors: true to ignore failure of the command
+ * @cb: callback to invoke with result of query
+ * @opaque: data passed into @cb
+ * @...: NULL terminated list of strings for the rule
+ *
+ * Add any type of rule to the firewall ruleset. Any output
+ * generated by the addition will be fed into the query
+ * callback @cb. This callback is permitted to create new
+ * rules by invoking the virFirewallAddRule method, but
+ * is not permitted to start new transactions.
+ *
+ * If @ignoreErrors is set to TRUE, then any failure of
+ * the command is ignored. If it is set to FALSE, then
+ * the behaviour upon failure is determined by the flags
+ * set when the transaction was started.
+ *
+ * Returns the new rule
+ */
+virFirewallRulePtr virFirewallAddRuleFull(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ ...)
+{
+ virFirewallRulePtr rule;
+ va_list args;
+ va_start(args, opaque);
+ rule = virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, opaque, args);
+ va_end(args);
+ return rule;
+}
+
+
+/**
+ * virFirewallRemoveRule:
+ * @firewall: firewall ruleset to remove from
+ * @rule: the rule to remove
+ *
+ * Remove a rule from the current transaction
+ */
+void virFirewallRemoveRule(virFirewallPtr firewall,
+ virFirewallRulePtr rule)
+{
+ size_t i;
+ virFirewallGroupPtr group;
+
+ /* Explicitly not checking firewall->err too,
+ * because if rule was partially created
+ * before hitting error we must still remove
+ * it to avoid leaking 'rule'
+ */
+ if (!firewall)
+ return;
+
+ if (firewall->ngroups == 0)
+ return;
+ group = firewall->groups[firewall->currentGroup];
+
+ if (group->addingRollback) {
+ for (i = 0; i < group->nrollback; i++) {
+ if (group->rollback[i] == rule) {
+ VIR_DELETE_ELEMENT(group->rollback,
+ i,
+ group->nrollback);
+ virFirewallRuleFree(rule);
+ break;
+ }
+ }
+ } else {
+ for (i = 0; i < group->naction; i++) {
+ if (group->action[i] == rule) {
+ VIR_DELETE_ELEMENT(group->action,
+ i,
+ group->naction);
+ virFirewallRuleFree(rule);
+ return;
+ }
+ }
+ }
+}
+
+
+void virFirewallRuleAddArg(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *arg)
+{
+ VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+
+ ADD_ARG(rule, arg);
+
+ return;
+
+ no_memory:
+ firewall->err = ENOMEM;
+}
+
+
+void virFirewallRuleAddArgFormat(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *fmt, ...)
+{
+ char *arg;
+ va_list list;
+
+ VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+
+ va_start(list, fmt);
+
+ if (virVasprintf(&arg, fmt, list) < 0)
+ goto no_memory;
+
+ ADD_ARG(rule, arg);
+
+ va_end(list);
+
+ VIR_FREE(arg);
+ return;
+
+ no_memory:
+ firewall->err = ENOMEM;
+ va_end(list);
+ VIR_FREE(arg);
+}
+
+
+void virFirewallRuleAddArgSet(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *const *args)
+{
+ VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+
+ while (*args) {
+ ADD_ARG(rule, *args);
+ args++;
+ }
+
+ return;
+
+ no_memory:
+ firewall->err = ENOMEM;
+}
+
+
+void virFirewallRuleAddArgList(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ ...)
+{
+ va_list list;
+ const char *str;
+
+ VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+
+ va_start(list, rule);
+
+ while ((str = va_arg(list, char *)) != NULL) {
+ ADD_ARG(rule, str);
+ }
+
+ va_end(list);
+
+ return;
+
+ no_memory:
+ firewall->err = ENOMEM;
+ va_end(list);
+}
+
+
+size_t virFirewallRuleGetArgCount(virFirewallRulePtr rule)
+{
+ if (!rule)
+ return 0;
+ return rule->argsLen;
+}
+
+
+/**
+ * virFirewallStartTransaction:
+ * @firewall: the firewall ruleset
+ * @flags: bitset of virFirewallTransactionFlags
+ *
+ * Start a new transaction with associated rollback
+ * block.
+ *
+ * Should be followed by calls to add various rules to
+ * the transaction. Then virFirwallStartRollback should
+ * be used to provide rules to rollback upon transaction
+ * failure
+ */
+void virFirewallStartTransaction(virFirewallPtr firewall,
+ unsigned int flags)
+{
+ virFirewallGroupPtr group;
+
+ VIR_FIREWALL_RETURN_IF_ERROR(firewall);
+
+ if (!(group = virFirewallGroupNew())) {
+ firewall->err = ENOMEM;
+ return;
+ }
+ group->actionFlags = flags;
+
+ if (VIR_EXPAND_N(firewall->groups,
+ firewall->ngroups, 1) < 0) {
+ firewall->err = ENOMEM;
+ virFirewallGroupFree(group);
+ return;
+ }
+ firewall->groups[firewall->ngroups - 1] = group;
+ firewall->currentGroup = firewall->ngroups - 1;
+}
+
+/**
+ * virFirewallBeginRollback:
+ * @firewall: the firewall ruleset
+ * @flags: bitset of virFirewallRollbackFlags
+ *
+ * Mark the beginning of a set of rules able to rollback
+ * changes in this and all earlier transactions.
+ *
+ * Should be followed by calls to add various rules needed
+ * to rollback state. Then virFirewallStartTransaction
+ * should be used to indicate the beginning of the next
+ * transactional ruleset.
+ */
+void virFirewallStartRollback(virFirewallPtr firewall,
+ unsigned int flags)
+{
+ virFirewallGroupPtr group;
+
+ VIR_FIREWALL_RETURN_IF_ERROR(firewall);
+
+ if (firewall->ngroups == 0) {
+ firewall->err = ENODATA;
+ return;
+ }
+
+ group = firewall->groups[firewall->ngroups-1];
+ group->rollbackFlags = flags;
+ group->addingRollback = true;
+}
+
+
+static char *
+virFirewallRuleToString(virFirewallRulePtr rule)
+{
+ const char *bin = virFirewallLayerCommandTypeToString(rule->layer);
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ size_t i;
+
+ virBufferAdd(&buf, bin, -1);
+ for (i = 0; i < rule->argsLen; i++) {
+ virBufferAddLit(&buf, " ");
+ virBufferAdd(&buf, rule->args[i], -1);
+ }
+
+ return virBufferContentAndReset(&buf);
+}
+
+static int
+virFirewallApplyRuleDirect(virFirewallRulePtr rule,
+ bool ignoreErrors,
+ char **output)
+{
+ size_t i;
+ const char *bin = virFirewallLayerCommandTypeToString(rule->layer);
+ virCommandPtr cmd = NULL;
+ int status;
+ int ret = -1;
+ char *error = NULL;
+
+ if (!bin) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unknown firewall layer %d"),
+ rule->layer);
+ goto cleanup;
+ }
+
+ cmd = virCommandNewArgList(bin, NULL);
+
+ for (i = 0; i < rule->argsLen; i++)
+ virCommandAddArg(cmd, rule->args[i]);
+
+ virCommandSetOutputBuffer(cmd, output);
+ virCommandSetErrorBuffer(cmd, &error);
+
+ if (virCommandRun(cmd, &status) < 0)
+ goto cleanup;
+
+ if (status != 0) {
+ if (ignoreErrors) {
+ VIR_DEBUG("Ignoring error running command");
+ } else {
+ char *args = virCommandToString(cmd);
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Failed to apply firewall rules %s: %s"),
+ NULLSTR(args), NULLSTR(error));
+ VIR_FREE(args);
+ VIR_FREE(*output);
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+ cleanup:
+ VIR_FREE(error);
+ virCommandFree(cmd);
+ return ret;
+}
+
+
+#ifdef WITH_DBUS
+static int
+virFirewallApplyRuleFirewallD(virFirewallRulePtr rule,
+ bool ignoreErrors,
+ char **output)
+{
+ const char *ipv = virFirewallLayerFirewallDTypeToString(rule->layer);
+ DBusConnection *sysbus = virDBusGetSystemBus();
+ DBusMessage *reply = NULL;
+ DBusError error;
+ int ret = -1;
+
+ if (!sysbus)
+ return -1;
+
+ dbus_error_init(&error);
+
+ if (!ipv) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unknown firewall layer %d"),
+ rule->layer);
+ goto cleanup;
+ }
+
+ if (virDBusCallMethod(sysbus,
+ &reply,
+ &error,
+ VIR_FIREWALL_FIREWALLD_SERVICE,
+ "/org/fedoraproject/FirewallD1",
+ "org.fedoraproject.FirewallD1.direct",
+ "passthrough",
+ "sa&s",
+ ipv,
+ (int)rule->argsLen,
+ rule->args) < 0)
+ goto cleanup;
+
+ if (dbus_error_is_set(&error)) {
+ /*
+ * As of firewalld-0.3.9.3-1.fc20.noarch the name and
+ * message fields in the error look like
+ *
+ * name="org.freedesktop.DBus.Python.dbus.exceptions.DBusException"
+ * message="COMMAND_FAILED: '/sbin/iptables --table filter --delete
+ * INPUT --in-interface virbr0 --protocol udp --destination-port 53
+ * --jump ACCEPT' failed: iptables: Bad rule (does a matching rule
+ * exist in that chain?)."
+ *
+ * We'd like to only ignore DBus errors precisely related to the failure
+ * of iptables/ebtables commands. A well designed DBus interface would
+ * return specific named exceptions not the top level generic python dbus
+ * exception name. With this current scheme our only option is todo a
+ * sub-string match for 'COMMAND_FAILED' on the message. eg like
+ *
+ * if (ignoreErrors &&
+ * STREQ(error.name,
+ *
"org.freedesktop.DBus.Python.dbus.exceptions.DBusException") &&
+ * STRPREFIX(error.message, "COMMAND_FAILED"))
+ * ...
+ *
+ * But this risks our error detecting code being broken if firewalld changes
+ * ever alter the message string, so we're avoiding doing that.
+ */
+ if (ignoreErrors) {
+ VIR_DEBUG("Ignoring error '%s': '%s'",
+ error.name, error.message);
+ } else {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unable to apply rule '%s'"),
+ error.message);
+ goto cleanup;
+ }
+ } else {
+ if (virDBusMessageRead(reply, "s", output) < 0)
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ dbus_error_free(&error);
+ if (reply)
+ dbus_message_unref(reply);
+ return ret;
+}
+#endif
+
+static int
+virFirewallApplyRule(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ bool ignoreErrors)
+{
+ char *output = NULL;
+ char **lines = NULL;
+ int ret = -1;
+ char *str = virFirewallRuleToString(rule);
+ VIR_INFO("Applying rule '%s'", NULLSTR(str));
+ VIR_FREE(str);
+
+ if (rule->ignoreErrors)
+ ignoreErrors = rule->ignoreErrors;
+
+ switch (currentBackend) {
+ case VIR_FIREWALL_BACKEND_DIRECT:
+ if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0)
+ return -1;
+ break;
+#if WITH_DBUS
+ case VIR_FIREWALL_BACKEND_FIREWALLD:
+ if (virFirewallApplyRuleFirewallD(rule, ignoreErrors, &output) < 0)
+ return -1;
+ break;
+#endif
+ default:
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Unexpected firewall engine backend"));
+ return -1;
+ }
+
+ if (rule->queryCB && output) {
+ if (!(lines = virStringSplit(output, "\n", -1)))
+ goto cleanup;
+
+ VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB,
output);
+ if (rule->queryCB(firewall, (const char *const *)lines, rule->queryOpaque)
< 0)
+ goto cleanup;
+
+ if (firewall->err == ENOMEM) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ if (firewall->err) {
+ virReportSystemError(firewall->err, "%s",
+ _("Unable to create rule"));
+ goto cleanup;
+ }
+
+ }
+
+ ret = 0;
+ cleanup:
+ virStringFreeList(lines);
+ VIR_FREE(output);
+ return ret;
+}
+
+static int
+virFirewallApplyGroup(virFirewallPtr firewall,
+ size_t idx)
+{
+ virFirewallGroupPtr group = firewall->groups[idx];
+ bool ignoreErrors = (group->actionFlags &
VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ size_t i;
+
+ VIR_INFO("Starting transaction for %p flags=%x",
+ group, group->actionFlags);
+ firewall->currentGroup = idx;
+ group->addingRollback = false;
+ for (i = 0; i < group->naction; i++) {
+ if (virFirewallApplyRule(firewall,
+ group->action[i],
+ ignoreErrors) < 0)
+ return -1;
+ }
+ return 0;
+}
+
+
+static void
+virFirewallRollbackGroup(virFirewallPtr firewall,
+ size_t idx)
+{
+ virFirewallGroupPtr group = firewall->groups[idx];
+ size_t i;
+
+ VIR_INFO("Starting rollback for group %p", group);
+ firewall->currentGroup = idx;
+ group->addingRollback = true;
+ for (i = 0; i < group->nrollback; i++) {
+ ignore_value(virFirewallApplyRule(firewall,
+ group->rollback[i],
+ true));
+ }
+}
+
+
+int
+virFirewallApply(virFirewallPtr firewall)
+{
+ size_t i, j;
+ int ret = -1;
+
+ virMutexLock(&ruleLock);
+ if (virFirewallInitialize() < 0)
+ goto cleanup;
+
+ if (!firewall || firewall->err == ENOMEM) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ if (firewall->err) {
+ virReportSystemError(firewall->err, "%s",
+ _("Unable to create rule"));
+ goto cleanup;
+ }
+
+ VIR_DEBUG("Applying groups for %p", firewall);
+ for (i = 0; i < firewall->ngroups; i++) {
+ if (virFirewallApplyGroup(firewall, i) < 0) {
+ VIR_DEBUG("Rolling back groups upto %zu for %p", i, firewall);
+ size_t first = i;
+ virErrorPtr saved_error = virSaveLastError();
+
+ /*
+ * Look at any inheritance markers to figure out
+ * what the first rollback group we need to apply is
+ */
+ for (j = 0; j <= i; j++) {
+ VIR_DEBUG("Checking inheritance of group %zu", i - j);
+ if (firewall->groups[i - j]->rollbackFlags &
+ VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS)
+ first = (i - j) - 1;
+ }
+ /*
+ * Now apply all rollback groups in order
+ */
+ for (j = first; j <= i; j++) {
+ VIR_DEBUG("Rolling back group %zu", j);
+ virFirewallRollbackGroup(firewall, j);
+ }
+
+ virSetError(saved_error);
+ virFreeError(saved_error);
+ VIR_DEBUG("Done rolling back groups for %p", firewall);
+ goto cleanup;
+ }
+ }
+ VIR_DEBUG("Done applying groups for %p", firewall);
+
+ ret = 0;
+ cleanup:
+ virMutexUnlock(&ruleLock);
+ return ret;
+}
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
new file mode 100644
index 0000000..5ca66fa
--- /dev/null
+++ b/src/util/virfirewall.h
@@ -0,0 +1,109 @@
+ /*
+ * virfirewall.h: integration with firewalls
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Authors:
+ * Daniel P. Berrange <berrange(a)redhat.com>
+ */
+
+#ifndef __VIR_FIREWALL_H__
+# define __VIR_FIREWALL_H__
+
+# include "internal.h"
+
+typedef struct _virFirewall virFirewall;
+typedef virFirewall *virFirewallPtr;
+
+typedef struct _virFirewallRule virFirewallRule;
+typedef virFirewallRule *virFirewallRulePtr;
+
+typedef enum {
+ VIR_FIREWALL_LAYER_ETHERNET,
+ VIR_FIREWALL_LAYER_IPV4,
+ VIR_FIREWALL_LAYER_IPV6,
+
+ VIR_FIREWALL_LAYER_LAST,
+} virFirewallLayer;
+
+virFirewallPtr virFirewallNew(void);
+
+void virFirewallFree(virFirewallPtr firewall);
+
+virFirewallRulePtr virFirewallAddRule(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ ...)
+ ATTRIBUTE_SENTINEL;
+
+typedef int (*virFirewallQueryCallback)(virFirewallPtr firewall,
+ const char *const *lines,
+ void *opaque);
+
+virFirewallRulePtr virFirewallAddRuleFull(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ ...)
+ ATTRIBUTE_NONNULL(3) ATTRIBUTE_SENTINEL;
+
+void virFirewallRemoveRule(virFirewallPtr firewall,
+ virFirewallRulePtr rule);
+
+void virFirewallRuleAddArg(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *arg)
+ ATTRIBUTE_NONNULL(3);
+
+void virFirewallRuleAddArgFormat(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *fmt, ...)
+ ATTRIBUTE_NONNULL(3) ATTRIBUTE_FMT_PRINTF(3, 4);
+
+void virFirewallRuleAddArgSet(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *const *args)
+ ATTRIBUTE_NONNULL(3);
+
+void virFirewallRuleAddArgList(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ ...)
+ ATTRIBUTE_SENTINEL;
+
+size_t virFirewallRuleGetArgCount(virFirewallRulePtr rule);
+
+typedef enum {
+ /* Ignore all errors when applying rules, so no
+ * rollback block will be required */
+ VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS = (1 << 0),
+} virFirewallTransactionFlags;
+
+void virFirewallStartTransaction(virFirewallPtr firewall,
+ unsigned int flags);
+
+typedef enum {
+ /* Execute previous rollback block before this
+ * one, to chain cleanup */
+ VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS = (1 << 0),
+} virFirewallRollbackFlags;
+
+void virFirewallStartRollback(virFirewallPtr firewall,
+ unsigned int flags);
+
+int virFirewallApply(virFirewallPtr firewall);
+
+#endif /* __VIR_FIREWALL_H__ */
diff --git a/src/util/virfirewallpriv.h b/src/util/virfirewallpriv.h
new file mode 100644
index 0000000..130aaa1
--- /dev/null
+++ b/src/util/virfirewallpriv.h
@@ -0,0 +1,45 @@
+/*
+ * virfirewallpriv.h: integration with firewalls private APIs
+ *
+ * Copyright (C) 2013 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Authors:
+ * Daniel P. Berrange <berrange(a)redhat.com>
+ */
+
+#ifndef __VIR_FIREWALL_PRIV_H_ALLOW__
+# error "virfirewallpriv.h may only be included by virfirewall.c or test
suites"
+#endif
+
+#ifndef __VIR_FIREWALL_PRIV_H__
+# define __VIR_FIREWALL_PRIV_H__
+
+# include "virfirewall.h"
+
+# define VIR_FIREWALL_FIREWALLD_SERVICE "org.fedoraproject.FirewallD1"
+
+typedef enum {
+ VIR_FIREWALL_BACKEND_AUTOMATIC,
+ VIR_FIREWALL_BACKEND_DIRECT,
+ VIR_FIREWALL_BACKEND_FIREWALLD,
+
+ VIR_FIREWALL_BACKEND_LAST,
+} virFirewallBackend;
+
+int virFirewallSetBackend(virFirewallBackend backend);
+
+#endif /* __VIR_FIREWALL_PRIV_H__ */
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c13cc15..a10919d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -148,6 +148,7 @@ test_programs = virshtest sockettest \
virpcitest \
virendiantest \
virfiletest \
+ virfirewalltest \
viriscsitest \
virkeycodetest \
virlockspacetest \
@@ -998,6 +999,12 @@ virfiletest_SOURCES = \
virfiletest.c testutils.h testutils.c
virfiletest_LDADD = $(LDADDS)
+virfirewalltest_SOURCES = \
+ virfirewalltest.c testutils.h testutils.c
+virfirewalltest_LDADD = $(LDADDS)
+virfirewalltest_CFLAGS = $(AM_CFLAGS) $(DBUS_CFLAGS)
+virfirewalltest_LDFLAGS = $(DRIVER_MODULE_LDFLAGS)
+
jsontest_SOURCES = \
jsontest.c testutils.h testutils.c
jsontest_LDADD = $(LDADDS)
diff --git a/tests/testutils.c b/tests/testutils.c
index 9767a78..022d543 100644
--- a/tests/testutils.c
+++ b/tests/testutils.c
@@ -459,10 +459,20 @@ int virtTestDifference(FILE *stream,
const char *expect,
const char *actual)
{
- const char *expectStart = expect;
- const char *expectEnd = expect + (strlen(expect)-1);
- const char *actualStart = actual;
- const char *actualEnd = actual + (strlen(actual)-1);
+ const char *expectStart;
+ const char *expectEnd;
+ const char *actualStart;
+ const char *actualEnd;
+
+ if (!expect)
+ expect = "";
+ if (!actual)
+ actual = "";
+
+ expectStart = expect;
+ expectEnd = expect + (strlen(expect)-1);
+ actualStart = actual;
+ actualEnd = actual + (strlen(actual)-1);
if (!virTestGetDebug())
return 0;
diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
new file mode 100644
index 0000000..805fa44
--- /dev/null
+++ b/tests/virfirewalltest.c
@@ -0,0 +1,1186 @@
+/*
+ * Copyright (C) 2013-2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Author: Daniel P. Berrange <berrange(a)redhat.com>
+ */
+
+#include <config.h>
+
+#define __VIR_FIREWALL_PRIV_H_ALLOW__
+#define __VIR_COMMAND_PRIV_H_ALLOW__
+
+#include "testutils.h"
+#include "virbuffer.h"
+#include "vircommandpriv.h"
+#include "virfirewallpriv.h"
+#include "virmock.h"
+#include "virdbuspriv.h"
+
+#define VIR_FROM_THIS VIR_FROM_FIREWALL
+
+#if WITH_DBUS
+# include <dbus/dbus.h>
+#endif
+
+static bool fwDisabled = true;
+static virBufferPtr fwBuf;
+static bool fwError;
+
+#define TEST_FILTER_TABLE_LIST \
+ "Chain INPUT (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain FORWARD (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain OUTPUT (policy ACCEPT)\n" \
+ "target prot opt source destination\n"
+
+#define TEST_NAT_TABLE_LIST \
+ "Chain PREROUTING (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain INPUT (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain OUTPUT (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain POSTROUTING (policy ACCEPT)\n" \
+ "target prot opt source destination\n"
+
+#if WITH_DBUS
+VIR_MOCK_IMPL_RET_ARGS(dbus_connection_send_with_reply_and_block,
+ DBusMessage *,
+ DBusConnection *, connection,
+ DBusMessage *, message,
+ int, timeout_milliseconds,
+ DBusError *, error)
+{
+ DBusMessage *reply = NULL;
+ const char *service = dbus_message_get_destination(message);
+ const char *member = dbus_message_get_member(message);
+ size_t i;
+ size_t nargs = 0;
+ char **args = NULL;
+ char *type = NULL;
+
+ VIR_MOCK_IMPL_INIT_REAL(dbus_connection_send_with_reply_and_block);
+
+ if (STREQ(service, "org.freedesktop.DBus") &&
+ STREQ(member, "ListNames")) {
+ const char *svc1 = "org.foo.bar.wizz";
+ const char *svc2 = VIR_FIREWALL_FIREWALLD_SERVICE;
+ DBusMessageIter iter;
+ DBusMessageIter sub;
+ reply = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN);
+ dbus_message_iter_init_append(reply, &iter);
+ dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY,
+ "s", &sub);
+
+ if (!dbus_message_iter_append_basic(&sub,
+ DBUS_TYPE_STRING,
+ &svc1))
+ goto error;
+ if (!fwDisabled &&
+ !dbus_message_iter_append_basic(&sub,
+ DBUS_TYPE_STRING,
+ &svc2))
+ goto error;
+ dbus_message_iter_close_container(&iter, &sub);
+ } else if (STREQ(service, VIR_FIREWALL_FIREWALLD_SERVICE) &&
+ STREQ(member, "passthrough")) {
+ bool isAdd = false;
+ bool doError = false;
+
+ if (virDBusMessageDecode(message,
+ "sa&s",
+ &type,
+ &nargs,
+ &args) < 0)
+ goto error;
+
+ for (i = 0; i < nargs; i++) {
+ /* Fake failure on the command with this IP addr */
+ if (STREQ(args[i], "-A")) {
+ isAdd = true;
+ } else if (isAdd && STREQ(args[i], "192.168.122.255")) {
+ doError = true;
+ }
+ }
+
+ if (fwBuf) {
+ if (STREQ(type, "ipv4"))
+ virBufferAddLit(fwBuf, IPTABLES_PATH);
+ else if (STREQ(type, "ipv4"))
+ virBufferAddLit(fwBuf, IP6TABLES_PATH);
+ else
+ virBufferAddLit(fwBuf, EBTABLES_PATH);
+ }
+ for (i = 0; i < nargs; i++) {
+ if (fwBuf) {
+ virBufferAddLit(fwBuf, " ");
+ virBufferEscapeShell(fwBuf, args[i]);
+ }
+ }
+ if (fwBuf)
+ virBufferAddLit(fwBuf, "\n");
+ if (doError) {
+ dbus_set_error_const(error,
+ "org.firewalld.error",
+ "something bad happened");
+ } else {
+ if (nargs == 1 &&
+ STREQ(type, "ipv4") &&
+ STREQ(args[0], "-L")) {
+ if (virDBusCreateReply(&reply,
+ "s", TEST_FILTER_TABLE_LIST) < 0)
+ goto error;
+ } else if (nargs == 3 &&
+ STREQ(type, "ipv4") &&
+ STREQ(args[0], "-t") &&
+ STREQ(args[1], "nat") &&
+ STREQ(args[2], "-L")) {
+ if (virDBusCreateReply(&reply,
+ "s", TEST_NAT_TABLE_LIST) < 0)
+ goto error;
+ } else {
+ if (virDBusCreateReply(&reply,
+ "s", "success") < 0)
+ goto error;
+ }
+ }
+ } else {
+ reply = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN);
+ }
+
+ cleanup:
+ VIR_FREE(type);
+ for (i = 0; i < nargs; i++)
+ VIR_FREE(args[i]);
+ VIR_FREE(args);
+ return reply;
+
+ error:
+ if (reply)
+ dbus_message_unref(reply);
+ reply = NULL;
+ if (error && !dbus_error_is_set(error))
+ dbus_set_error_const(error,
+ "org.firewalld.error",
+ "something unexpected happened");
+
+ goto cleanup;
+}
+#endif
+
+struct testFirewallData {
+ virFirewallBackend tryBackend;
+ virFirewallBackend expectBackend;
+ bool fwDisabled;
+};
+
+static int
+testFirewallSingleGroup(const void *opaque)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
+ virCommandSetDryRun(&cmdbuf, NULL, NULL);
+ else
+ fwBuf = &cmdbuf;
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static int
+testFirewallRemoveRule(const void *opaque)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+ virFirewallRulePtr fwrule;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
+ virCommandSetDryRun(&cmdbuf, NULL, NULL);
+ else
+ fwBuf = &cmdbuf;
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT", NULL);
+ virFirewallRuleAddArg(fw, fwrule, "--source-host");
+ virFirewallRemoveRule(fw, fwrule);
+
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT", NULL);
+ virFirewallRuleAddArg(fw, fwrule, "--source-host");
+ virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
+ virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static int
+testFirewallManyGroups(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n"
+ IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
+ virCommandSetDryRun(&cmdbuf, NULL, NULL);
+ else
+ fwBuf = &cmdbuf;
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
+
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static void
+testFirewallRollbackHook(const char *const*args,
+ const char *const*env ATTRIBUTE_UNUSED,
+ const char *input ATTRIBUTE_UNUSED,
+ char **output ATTRIBUTE_UNUSED,
+ char **error ATTRIBUTE_UNUSED,
+ int *status,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ bool isAdd = false;
+ while (*args) {
+ /* Fake failure on the command with this IP addr */
+ if (STREQ(*args, "-A")) {
+ isAdd = true;
+ } else if (isAdd && STREQ(*args, "192.168.122.255")) {
+ *status = 127;
+ break;
+ }
+ args++;
+ }
+}
+
+static int
+testFirewallIgnoreFailGroup(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
+
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static int
+testFirewallIgnoreFailRule(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ true, NULL, NULL,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
+
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static int
+testFirewallNoRollback(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) == 0) {
+ fprintf(stderr, "Firewall apply unexpectedly worked\n");
+ goto cleanup;
+ }
+
+ if (virtTestOOMActive())
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static int
+testFirewallSingleRollback(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwError = true;
+ fwBuf = &cmdbuf;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) == 0) {
+ fprintf(stderr, "Firewall apply unexpectedly worked\n");
+ goto cleanup;
+ }
+
+ if (virtTestOOMActive())
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static int
+testFirewallManyRollback(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) == 0) {
+ fprintf(stderr, "Firewall apply unexpectedly worked\n");
+ goto cleanup;
+ }
+
+ if (virtTestOOMActive())
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static int
+testFirewallChainedRollback(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.127 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) == 0) {
+ fprintf(stderr, "Firewall apply unexpectedly worked\n");
+ goto cleanup;
+ }
+
+ if (virtTestOOMActive())
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static const char *expectedLines[] = {
+ "Chain INPUT (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain FORWARD (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain OUTPUT (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain PREROUTING (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain INPUT (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain OUTPUT (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain POSTROUTING (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+};
+static size_t expectedLineNum;
+static bool expectedLineError;
+
+static void
+testFirewallQueryHook(const char *const*args,
+ const char *const*env ATTRIBUTE_UNUSED,
+ const char *input ATTRIBUTE_UNUSED,
+ char **output,
+ char **error ATTRIBUTE_UNUSED,
+ int *status,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ if (STREQ(args[0], IPTABLES_PATH) &&
+ STREQ(args[1], "-L")) {
+ if (VIR_STRDUP(*output, TEST_FILTER_TABLE_LIST) < 0)
+ *status = 127;
+ } else if (STREQ(args[0], IPTABLES_PATH) &&
+ STREQ(args[1], "-t") &&
+ STREQ(args[2], "nat") &&
+ STREQ(args[3], "-L")) {
+ if (VIR_STRDUP(*output, TEST_NAT_TABLE_LIST) < 0)
+ *status = 127;
+ }
+}
+
+
+static int
+testFirewallQueryCallback(virFirewallPtr fw,
+ const char *const *lines,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ size_t i;
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.129",
+ "--jump", "REJECT", NULL);
+
+ for (i = 0; lines[i] != NULL; i++) {
+ if (expectedLineNum >= ARRAY_CARDINALITY(expectedLines)) {
+ expectedLineError = true;
+ break;
+ }
+ if (STRNEQ(expectedLines[expectedLineNum], lines[i])) {
+ fprintf(stderr, "Mismatch '%s' vs '%s' at %zu,
%zu\n",
+ expectedLines[expectedLineNum], lines[i],
+ expectedLineNum, i);
+ expectedLineError = true;
+ break;
+ }
+ expectedLineNum++;
+ }
+ return 0;
+}
+
+static int
+testFirewallQuery(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump
REJECT\n"
+ IPTABLES_PATH " -L\n"
+ IPTABLES_PATH " -t nat -L\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.130 --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.128 --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ expectedLineNum = 0;
+ expectedLineError = false;
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallQueryHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false,
+ testFirewallQueryCallback,
+ NULL,
+ "-L", NULL);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false,
+ testFirewallQueryCallback,
+ NULL,
+ "-t", "nat", "-L", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.130",
+ "--jump", "REJECT", NULL);
+
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.128",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (expectedLineError) {
+ fprintf(stderr, "Got some unexpected query data\n");
+ goto cleanup;
+ }
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+#define RUN_TEST_DIRECT(name, method) \
+ do { \
+ struct testFirewallData data; \
+ data.tryBackend = VIR_FIREWALL_BACKEND_AUTOMATIC; \
+ data.expectBackend = VIR_FIREWALL_BACKEND_DIRECT; \
+ data.fwDisabled = true; \
+ if (virtTestRun(name " auto direct", method, &data) < 0)
\
+ ret = -1; \
+ data.tryBackend = VIR_FIREWALL_BACKEND_DIRECT; \
+ data.expectBackend = VIR_FIREWALL_BACKEND_DIRECT; \
+ data.fwDisabled = true; \
+ if (virtTestRun(name " manual direct", method, &data) < 0)
\
+ ret = -1; \
+ } while (0)
+
+#if WITH_DBUS
+# define RUN_TEST_FIREWALLD(name, method) \
+ do { \
+ struct testFirewallData data; \
+ data.tryBackend = VIR_FIREWALL_BACKEND_AUTOMATIC; \
+ data.expectBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
+ data.fwDisabled = false; \
+ if (virtTestRun(name " auto firewalld", method, &data) < 0)
\
+ ret = -1; \
+ data.tryBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
+ data.expectBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
+ data.fwDisabled = false; \
+ if (virtTestRun(name " manual firewalld", method, &data) < 0)
\
+ ret = -1; \
+ } while (0)
+
+# define RUN_TEST(name, method) \
+ RUN_TEST_DIRECT(name, method); \
+ RUN_TEST_FIREWALLD(name, method)
+#else /* ! WITH_DBUS */
+# define RUN_TEST(name, method) \
+ RUN_TEST_DIRECT(name, method)
+#endif /* ! WITH_DBUS */
+
+ RUN_TEST("single group", testFirewallSingleGroup);
+ RUN_TEST("remove rule", testFirewallRemoveRule);
+ RUN_TEST("many groups", testFirewallManyGroups);
+ RUN_TEST("ignore fail group", testFirewallIgnoreFailGroup);
+ RUN_TEST("ignore fail rule", testFirewallIgnoreFailRule);
+ RUN_TEST("no rollback", testFirewallNoRollback);
+ RUN_TEST("single rollback", testFirewallSingleRollback);
+ RUN_TEST("many rollback", testFirewallManyRollback);
+ RUN_TEST("chained rollback", testFirewallChainedRollback);
+ RUN_TEST("query transaction", testFirewallQuery);
+
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+#if WITH_DBUS
+VIRT_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virmockdbus.so")
+#else
+VIRT_TEST_MAIN(mymain)
+#endif
--
1.9.0
4:15 p.m.
New subject: [libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.
This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
[...]
+
# util/virhash.h
virHashAddEntry;
virHashCreate;
diff --git a/src/util/virerror.c b/src/util/virerror.c
index cbbaa83..e0bc970 100644
--- a/src/util/virerror.c
+++ b/src/util/virerror.c
@@ -129,6 +129,7 @@ VIR_ENUM_IMPL(virErrorDomain, VIR_ERR_DOMAIN_LAST,
"Systemd",
"Bhyve",
"Crypto",
+ "Firewall",
)
+static int
+virFirewallValidateBackend(virFirewallBackend backend)
+{
+ VIR_DEBUG("Validating backend %d", backend);
+#if WITH_DBUS
+ if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
+ backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ int rv = virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE);
Nit: empty line after var. decl. ?
+ VIR_DEBUG("Firewalled is registered ? %d", rv);
+ if (rv < 0) {
+ if (rv == -2) {
+ if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("firewalld firewall backend requested, but
service is not running"));
+ return -1;
+ } else {
+ VIR_DEBUG("firewalld service not running, trying direct
backend");
+ backend = VIR_FIREWALL_BACKEND_DIRECT;
+ }
+ } else {
+ return -1;
+ }
+ } else {
+ VIR_DEBUG("firewalld service running, using firewalld backend");
+ backend = VIR_FIREWALL_BACKEND_FIREWALLD;
+ }
+ }
+#else
+ if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC) {
+ VIR_DEBUG("DBus support disabled, trying direct backend");
+ backend = VIR_FIREWALL_BACKEND_DIRECT;
+ } else if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("firewalld firewall backend requested, but DBus support
disabled"));
+ return -1;
+ }
+#endif
+
+ if (backend == VIR_FIREWALL_BACKEND_DIRECT) {
+ const char *commands[] = {
+ IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
+ };
+ size_t i;
Also here?
+
+#define VIR_FIREWALL_RETURN_IF_ERROR(firewall) \
+ if (!firewall || firewall->err) \
+ return;
+
+#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, ruel)\
ruel -> rule -- seems unused since it compiles
+
+int
+virFirewallApply(virFirewallPtr firewall)
+{
+ size_t i, j;
+ int ret = -1;
+
+ virMutexLock(&ruleLock);
+ if (virFirewallInitialize() < 0)
+ goto cleanup;
+
+ if (!firewall || firewall->err == ENOMEM) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ if (firewall->err) {
+ virReportSystemError(firewall->err, "%s",
+ _("Unable to create rule"));
+ goto cleanup;
+ }
+
+ VIR_DEBUG("Applying groups for %p", firewall);
+ for (i = 0; i < firewall->ngroups; i++) {
+ if (virFirewallApplyGroup(firewall, i) < 0) {
+ VIR_DEBUG("Rolling back groups upto %zu for %p", i, firewall);
+ size_t first = i;
+ virErrorPtr saved_error = virSaveLastError();
+
+ /*
+ * Look at any inheritance markers to figure out
+ * what the first rollback group we need to apply is
+ */
+ for (j = 0; j <= i; j++) {
+ VIR_DEBUG("Checking inheritance of group %zu", i - j);
+ if (firewall->groups[i - j]->rollbackFlags &
+ VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS)
+ first = (i - j) - 1;
if j = i then first = -1. This doesn't seem right. Limit the loop test
to j < i ?
+ }
+ /*
+ * Now apply all rollback groups in order
+ */
+ for (j = first; j <= i; j++) {
+ VIR_DEBUG("Rolling back group %zu", j);
+ virFirewallRollbackGroup(firewall, j);
+ }
+
+ virSetError(saved_error);
+ virFreeError(saved_error);
+ VIR_DEBUG("Done rolling back groups for %p", firewall);
+ goto cleanup;
+ }
+ }
+ VIR_DEBUG("Done applying groups for %p", firewall);
+
+ ret = 0;
+ cleanup:
+ virMutexUnlock(&ruleLock);
+ return ret;
+}
+
+static int
+testFirewallChainedRollback(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.127 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
Hm, wondering why this rule doesn't make it into the expected output...
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) == 0) {
+ fprintf(stderr, "Firewall apply unexpectedly worked\n");
+ goto cleanup;
+ }
+
+ if (virtTestOOMActive())
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
ACK with nits addressed.
5:03 p.m.
New subject: [libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
On Tue, Apr 15, 2014 at 05:15:02PM -0400, Stefan Berger wrote:
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
>The network and nwfilter drivers both have a need to update
>firewall rules. The currently share no code for interacting
>with iptables / firewalld. The nwfilter driver is fairly
>tied to the concept of creating shell scripts to execute
>which makes it very hard to port to talk to firewalld via
>DBus APIs.
>
>This patch introduces a virFirewallPtr object which is able
>to represent a complete sequence of rule changes, with the
>ability to have multiple transactional checkpoints with
>rollbacks. By formally separating the definition of the rules
>to be applied from the mechanism used to apply them, it is
>also possible to write a firewall engine that uses firewalld
>DBus APIs natively instead of via the slow firewalld-cmd.
>
>Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
[...]
>
>+
> # util/virhash.h
> virHashAddEntry;
> virHashCreate;
>diff --git a/src/util/virerror.c b/src/util/virerror.c
>index cbbaa83..e0bc970 100644
>--- a/src/util/virerror.c
>+++ b/src/util/virerror.c
>@@ -129,6 +129,7 @@ VIR_ENUM_IMPL(virErrorDomain, VIR_ERR_DOMAIN_LAST,
> "Systemd",
> "Bhyve",
> "Crypto",
>+ "Firewall",
> )
[ ... ]
+#define VIR_FIREWALL_RETURN_IF_ERROR(firewall) \
+ if (!firewall || firewall->err) \
+ return;
+
I have a strong prejudice *against* writing statements in a macro *unless* the macro
expands as a SINGLE statement under all possible usage scenarios; otherwise the macro is
just a latent problem waiting to happen.
Consider what happens if I use the macro like this:
1: if (condition)
2: VIR_FIREWALL_RETURN_IF_ERROR(fw)
3: else
4: DO_SOMETHING_ELSE(fw); # test some other condition
I don't get what I expected; the =else= on line 3 matches with the =if= hidden in the
macro on line 2, not with the =if= on line 1!
Please *consider* defining the macro like this:
#define VIR_FIREWALL_RETURN_IF_ERROR(firewall) \
do { \
if (!firewall || firewall->err) \
return; \
} while (0)
The "do { ... } while (0)" is a single statement that is guaranteed to execute
exactly once. Modern compilers will notice and get rid of the loop, so there is no
overhead. Also note the trailing ";" is omitted. This goes back to a time when
compilers would complain about two semicolons in a row with no intervening statement, but
I don't think that is common these days.
ACK with nits addressed.
Ditto.
-Jeff
8:36 a.m.
New subject: [libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
On 04/08/2014 05:38 PM, Daniel P. Berrange wrote:
The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.
This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
+
+static int
+virFirewallOnceInit(void)
+{
+ return virFirewallValidateBackend(currentBackend);
+}
+
+VIR_ONCE_GLOBAL_INIT(virFirewall)
+
+static int
+virFirewallValidateBackend(virFirewallBackend backend)
+{
+ VIR_DEBUG("Validating backend %d", backend);
+#if WITH_DBUS
+ if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
+ backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ int rv = virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE);
+ VIR_DEBUG("Firewalled is registered ? %d", rv);
s/Firewalled/Firewalld/
+ if (rv < 0) {
+ if (rv == -2) {
+ if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("firewalld firewall backend requested, but
service is not running"));
+#define VIR_FIREWALL_RETURN_IF_ERROR(firewall) \
+ if (!firewall || firewall->err) \
+ return;
+
+#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, ruel)\
s/ruel/rule
+ if (!firewall || firewall->err || !rule) \
+ return;
+
@@ -998,6 +999,12 @@ virfiletest_SOURCES = \
virfiletest.c testutils.h testutils.c
virfiletest_LDADD = $(LDADDS)
+virfirewalltest_SOURCES = \
+ virfirewalltest.c testutils.h testutils.c
+virfirewalltest_LDADD = $(LDADDS)
+virfirewalltest_CFLAGS = $(AM_CFLAGS) $(DBUS_CFLAGS)
+virfirewalltest_LDFLAGS = $(DRIVER_MODULE_LDFLAGS)
This breaks the test when built --without-driver-modules. As of commit
844a5c1, omitting the LDFLAGS line should be fine.
+
jsontest_SOURCES = \
jsontest.c testutils.h testutils.c
jsontest_LDADD = $(LDADDS)
Jan
5:34 a.m.
New subject: [libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.
This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
You should add this here:
--- ./po/POTFILES.in
+++ ./po/POTFILES.in
@@ -163,7 +163,6 @@
src/util/virerror.h
src/util/vireventpoll.c
src/util/virfile.c
+src/util/virfirewall.c
src/util/virhash.c
src/util/virhook.c
src/util/virhostdev.c
Regards,
Stefan
10:14 a.m.
New subject: [libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.
This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
include/libvirt/virterror.h | 1 +
po/POTFILES.in | 1 +
src/Makefile.am | 2 +
src/libvirt_private.syms | 17 +
src/util/virerror.c | 1 +
src/util/virfirewall.c | 922 +++++++++++++++++++++++++++++++++
src/util/virfirewall.h | 109 ++++
src/util/virfirewallpriv.h | 45 ++
tests/Makefile.am | 7 +
tests/testutils.c | 18 +-
tests/virfirewalltest.c | 1186 +++++++++++++++++++++++++++++++++++++++++++
11 files changed, 2305 insertions(+), 4 deletions(-)
create mode 100644 src/util/virfirewall.c
create mode 100644 src/util/virfirewall.h
create mode 100644 src/util/virfirewallpriv.h
create mode 100644 tests/virfirewalltest.c
diff --git a/include/libvirt/virterror.h b/include/libvirt/virterror.h
index 495c121..be90797 100644
--- a/include/libvirt/virterror.h
+++ b/include/libvirt/virterror.h
@@ -122,6 +122,7 @@ typedef enum {
VIR_FROM_SYSTEMD = 56, /* Error from systemd code */
VIR_FROM_BHYVE = 57, /* Error from bhyve driver */
VIR_FROM_CRYPTO = 58, /* Error from crypto code */
+ VIR_FROM_FIREWALL = 59, /* Error from firewall */
# ifdef VIR_ENUM_SENTINELS
VIR_ERR_DOMAIN_LAST
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 122b853..e35eb82 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -161,6 +161,7 @@ src/util/virdbus.c
src/util/virdnsmasq.c
src/util/vireventpoll.c
src/util/virfile.c
+src/util/virfirewall.c
src/util/virhash.c
src/util/virhook.c
src/util/virhostdev.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 7e9a702..7615294 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -106,6 +106,8 @@ UTIL_SOURCES = \
util/virevent.c util/virevent.h \
util/vireventpoll.c util/vireventpoll.h \
util/virfile.c util/virfile.h \
+ util/virfirewall.c util/virfirewall.h \
+ util/virfirewallpriv.h \
util/virhash.c util/virhash.h \
util/virhashcode.c util/virhashcode.h \
util/virhook.c util/virhook.h \
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 0c2cf75..18be0e1 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1277,6 +1277,23 @@ virFileWriteStr;
virFindFileInPath;
+# util/virfirewall.h
+virFirewallAddRule;
+virFirewallAddRuleFull;
+virFirewallApply;
+virFirewallFree;
+virFirewallNew;
+virFirewallRemoveRule;
+virFirewallRuleAddArg;
+virFirewallRuleAddArgFormat;
+virFirewallRuleAddArgList;
+virFirewallRuleAddArgSet;
+virFirewallRuleGetArgCount;
+virFirewallSetBackend;
+virFirewallStartRollback;
+virFirewallStartTransaction;
+
+
# util/virhash.h
virHashAddEntry;
virHashCreate;
diff --git a/src/util/virerror.c b/src/util/virerror.c
index cbbaa83..e0bc970 100644
--- a/src/util/virerror.c
+++ b/src/util/virerror.c
@@ -129,6 +129,7 @@ VIR_ENUM_IMPL(virErrorDomain, VIR_ERR_DOMAIN_LAST,
"Systemd",
"Bhyve",
"Crypto",
+ "Firewall",
)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
new file mode 100644
index 0000000..b558d2f
--- /dev/null
+++ b/src/util/virfirewall.c
@@ -0,0 +1,922 @@
+/*
+ * virfirewall.c: integration with firewalls
+ *
+ * Copyright (C) 2013 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Authors:
+ * Daniel P. Berrange <berrange(a)redhat.com>
+ */
+
+#include <config.h>
+
+#define __VIR_FIREWALL_PRIV_H_ALLOW__
+
+#include <stdarg.h>
+
+#include "viralloc.h"
+#include "virfirewallpriv.h"
+#include "virerror.h"
+#include "virutil.h"
+#include "virstring.h"
+#include "vircommand.h"
+#include "virlog.h"
+#include "virdbus.h"
+#include "virfile.h"
+#include "virthread.h"
+
+#define VIR_FROM_THIS VIR_FROM_FIREWALL
+
+VIR_LOG_INIT("util.firewall");
+
+typedef struct _virFirewallGroup virFirewallGroup;
+typedef virFirewallGroup *virFirewallGroupPtr;
+
+VIR_ENUM_DECL(virFirewallLayerCommand)
+VIR_ENUM_IMPL(virFirewallLayerCommand, VIR_FIREWALL_LAYER_LAST,
+ EBTABLES_PATH,
+ IPTABLES_PATH,
+ IP6TABLES_PATH);
+
+VIR_ENUM_DECL(virFirewallLayerFirewallD)
+VIR_ENUM_IMPL(virFirewallLayerFirewallD, VIR_FIREWALL_LAYER_LAST,
+ "eb", "ipv4", "ipv6")
+
+
+struct _virFirewallRule {
+ virFirewallLayer layer;
+
+ virFirewallQueryCallback queryCB;
+ void *queryOpaque;
+ bool ignoreErrors;
+
+ size_t argsAlloc;
+ size_t argsLen;
+ char **args;
+};
+
+struct _virFirewallGroup {
+ unsigned int actionFlags;
+ unsigned int rollbackFlags;
+
+ size_t naction;
+ virFirewallRulePtr *action;
+
+ size_t nrollback;
+ virFirewallRulePtr *rollback;
+
+ bool addingRollback;
+};
+
+
+struct _virFirewall {
+ int err;
+
+ size_t ngroups;
+ virFirewallGroupPtr *groups;
+ size_t currentGroup;
+};
+
+static virFirewallBackend currentBackend = VIR_FIREWALL_BACKEND_AUTOMATIC;
+static virMutex ruleLock = VIR_MUTEX_INITIALIZER;
+
+static int
+virFirewallValidateBackend(virFirewallBackend backend);
+
+static int
+virFirewallOnceInit(void)
+{
+ return virFirewallValidateBackend(currentBackend);
+}
+
+VIR_ONCE_GLOBAL_INIT(virFirewall)
+
+static int
+virFirewallValidateBackend(virFirewallBackend backend)
+{
+ VIR_DEBUG("Validating backend %d", backend);
+#if WITH_DBUS
+ if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
+ backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ int rv = virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE);
+ VIR_DEBUG("Firewalled is registered ? %d", rv);
+ if (rv < 0) {
+ if (rv == -2) {
+ if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("firewalld firewall backend requested, but
service is not running"));
+ return -1;
+ } else {
+ VIR_DEBUG("firewalld service not running, trying direct
backend");
+ backend = VIR_FIREWALL_BACKEND_DIRECT;
+ }
+ } else {
+ return -1;
+ }
+ } else {
+ VIR_DEBUG("firewalld service running, using firewalld backend");
+ backend = VIR_FIREWALL_BACKEND_FIREWALLD;
+ }
+ }
+#else
+ if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC) {
+ VIR_DEBUG("DBus support disabled, trying direct backend");
+ backend = VIR_FIREWALL_BACKEND_DIRECT;
+ } else if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("firewalld firewall backend requested, but DBus support
disabled"));
+ return -1;
+ }
+#endif
+
+ if (backend == VIR_FIREWALL_BACKEND_DIRECT) {
+ const char *commands[] = {
+ IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH
+ };
+ size_t i;
+ for (i = 0; i < ARRAY_CARDINALITY(commands); i++) {
+ if (!virFileIsExecutable(commands[i])) {
+ virReportSystemError(errno,
+ _("direct firewall backend requested, but %s
is not available"),
+ commands[i]);
+ return -1;
+ }
+ }
+ VIR_DEBUG("found iptables/ip6tables/ebtables, using direct backend");
+ }
+
+ currentBackend = backend;
+ return 0;
+}
+
+int
+virFirewallSetBackend(virFirewallBackend backend)
+{
+ currentBackend = backend;
+
+ if (virFirewallInitialize() < 0)
+ return -1;
+
+ return virFirewallValidateBackend(backend);
+}
+
+static virFirewallGroupPtr
+virFirewallGroupNew(void)
+{
+ virFirewallGroupPtr group;
+
+ if (VIR_ALLOC(group) < 0)
+ return NULL;
+
+ return group;
+}
+
+
+/**
+ * virFirewallNew:
+ *
+ * Creates a new firewall ruleset for changing rules
+ * of @layer. This should be followed by a call to
+ * virFirewallStartTransaction before adding
+ * any rules
+ *
+ * Returns the new firewall ruleset
+ */
+virFirewallPtr virFirewallNew(void)
+{
+ virFirewallPtr firewall;
+
+ if (VIR_ALLOC(firewall) < 0)
+ return NULL;
+
+ return firewall;
+}
+
+
+static void
+virFirewallRuleFree(virFirewallRulePtr rule)
+{
+ size_t i;
+
+ if (!rule)
+ return;
+
+ for (i = 0; i < rule->argsLen; i++)
+ VIR_FREE(rule->args[i]);
+ VIR_FREE(rule->args);
+ VIR_FREE(rule);
+}
+
+
+static void
+virFirewallGroupFree(virFirewallGroupPtr group)
+{
+ size_t i;
+
+ if (!group)
+ return;
+
+ for (i = 0; i < group->naction; i++)
+ virFirewallRuleFree(group->action[i]);
+ VIR_FREE(group->action);
+
+ for (i = 0; i < group->nrollback; i++)
+ virFirewallRuleFree(group->rollback[i]);
+ VIR_FREE(group->rollback);
+
+ VIR_FREE(group);
+}
+
+
+/**
+ * virFirewallFree:
+ *
+ * Release all memory associated with the firewall
+ * ruleset
+ */
+void virFirewallFree(virFirewallPtr firewall)
+{
+ size_t i;
+
+ if (!firewall)
+ return;
+
+ for (i = 0; i < firewall->ngroups; i++)
+ virFirewallGroupFree(firewall->groups[i]);
+ VIR_FREE(firewall->groups);
+
+ VIR_FREE(firewall);
+}
+
+#define VIR_FIREWALL_RETURN_IF_ERROR(firewall) \
+ if (!firewall || firewall->err) \
+ return;
+
+#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, ruel)\
+ if (!firewall || firewall->err || !rule) \
+ return;
+
+#define VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall) \
+ if (!firewall || firewall->err) \
+ return NULL;
+
+#define ADD_ARG(rule, str) \
+ if (VIR_RESIZE_N(rule->args, \
+ rule->argsAlloc, \
+ rule->argsLen, 1) < 0) \
+ goto no_memory; \
+ \
+ if (VIR_STRDUP(rule->args[rule->argsLen++], str) < 0)\
+ goto no_memory;
+
+static virFirewallRulePtr
+virFirewallAddRuleFullV(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ va_list args)
+{
+ virFirewallGroupPtr group;
+ virFirewallRulePtr rule;
+ char *str;
+
+ VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall);
+
+ if (firewall->ngroups == 0) {
+ firewall->err = ENODATA;
+ return NULL;
+ }
+ group = firewall->groups[firewall->currentGroup];
+
+
+ if (VIR_ALLOC(rule) < 0)
+ goto no_memory;
+
+ rule->layer = layer;
+ rule->queryCB = cb;
+ rule->queryOpaque = opaque;
+ rule->ignoreErrors = ignoreErrors;
+
+ while ((str = va_arg(args, char *)) != NULL) {
+ ADD_ARG(rule, str);
+ }
+
+ if (group->addingRollback) {
+ if (VIR_APPEND_ELEMENT_COPY(group->rollback,
+ group->nrollback,
+ rule) < 0)
+ goto no_memory;
+ } else {
+ if (VIR_APPEND_ELEMENT_COPY(group->action,
+ group->naction,
+ rule) < 0)
+ goto no_memory;
+ }
+
+
+ return rule;
+
+ no_memory:
+ firewall->err = ENOMEM;
+ virFirewallRuleFree(rule);
+ return NULL;
+}
+
+/**
+ * virFirewallAddRule:
+ * @firewall: firewall ruleset to add to
+ * @layer: the firewall layer to change
+ * @...: NULL terminated list of strings for the rule
+ *
+ * Add any type of rule to the firewall ruleset.
+ *
+ * Returns the new rule
+ */
+virFirewallRulePtr
+virFirewallAddRule(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ ...)
+{
+ virFirewallRulePtr rule;
+ va_list args;
+ va_start(args, layer);
+ rule = virFirewallAddRuleFullV(firewall, layer, false, NULL, NULL, args);
+ va_end(args);
+ return rule;
+}
+
+
+/**
+ * virFirewallAddRuleFull:
+ * @firewall: firewall ruleset to add to
+ * @layer: the firewall layer to change
+ * @ignoreErrors: true to ignore failure of the command
+ * @cb: callback to invoke with result of query
+ * @opaque: data passed into @cb
+ * @...: NULL terminated list of strings for the rule
+ *
+ * Add any type of rule to the firewall ruleset. Any output
+ * generated by the addition will be fed into the query
+ * callback @cb. This callback is permitted to create new
+ * rules by invoking the virFirewallAddRule method, but
+ * is not permitted to start new transactions.
+ *
+ * If @ignoreErrors is set to TRUE, then any failure of
+ * the command is ignored. If it is set to FALSE, then
+ * the behaviour upon failure is determined by the flags
+ * set when the transaction was started.
+ *
+ * Returns the new rule
+ */
+virFirewallRulePtr virFirewallAddRuleFull(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ ...)
+{
+ virFirewallRulePtr rule;
+ va_list args;
+ va_start(args, opaque);
+ rule = virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, opaque, args);
+ va_end(args);
+ return rule;
+}
+
+
+/**
+ * virFirewallRemoveRule:
+ * @firewall: firewall ruleset to remove from
+ * @rule: the rule to remove
+ *
+ * Remove a rule from the current transaction
+ */
+void virFirewallRemoveRule(virFirewallPtr firewall,
+ virFirewallRulePtr rule)
+{
+ size_t i;
+ virFirewallGroupPtr group;
+
+ /* Explicitly not checking firewall->err too,
+ * because if rule was partially created
+ * before hitting error we must still remove
+ * it to avoid leaking 'rule'
+ */
+ if (!firewall)
+ return;
+
+ if (firewall->ngroups == 0)
+ return;
+ group = firewall->groups[firewall->currentGroup];
+
+ if (group->addingRollback) {
+ for (i = 0; i < group->nrollback; i++) {
+ if (group->rollback[i] == rule) {
+ VIR_DELETE_ELEMENT(group->rollback,
+ i,
+ group->nrollback);
+ virFirewallRuleFree(rule);
+ break;
+ }
+ }
+ } else {
+ for (i = 0; i < group->naction; i++) {
+ if (group->action[i] == rule) {
+ VIR_DELETE_ELEMENT(group->action,
+ i,
+ group->naction);
+ virFirewallRuleFree(rule);
+ return;
+ }
+ }
+ }
+}
+
+
+void virFirewallRuleAddArg(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *arg)
+{
+ VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+
+ ADD_ARG(rule, arg);
+
+ return;
+
+ no_memory:
+ firewall->err = ENOMEM;
+}
+
+
+void virFirewallRuleAddArgFormat(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *fmt, ...)
+{
+ char *arg;
+ va_list list;
+
+ VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+
+ va_start(list, fmt);
+
+ if (virVasprintf(&arg, fmt, list) < 0)
+ goto no_memory;
+
+ ADD_ARG(rule, arg);
+
+ va_end(list);
+
+ VIR_FREE(arg);
+ return;
+
+ no_memory:
+ firewall->err = ENOMEM;
+ va_end(list);
+ VIR_FREE(arg);
+}
+
+
+void virFirewallRuleAddArgSet(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *const *args)
+{
+ VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+
+ while (*args) {
+ ADD_ARG(rule, *args);
+ args++;
+ }
+
+ return;
+
+ no_memory:
+ firewall->err = ENOMEM;
+}
+
+
+void virFirewallRuleAddArgList(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ ...)
+{
+ va_list list;
+ const char *str;
+
+ VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+
+ va_start(list, rule);
+
+ while ((str = va_arg(list, char *)) != NULL) {
+ ADD_ARG(rule, str);
+ }
+
+ va_end(list);
+
+ return;
+
+ no_memory:
+ firewall->err = ENOMEM;
+ va_end(list);
+}
+
+
+size_t virFirewallRuleGetArgCount(virFirewallRulePtr rule)
+{
+ if (!rule)
+ return 0;
+ return rule->argsLen;
+}
+
+
+/**
+ * virFirewallStartTransaction:
+ * @firewall: the firewall ruleset
+ * @flags: bitset of virFirewallTransactionFlags
+ *
+ * Start a new transaction with associated rollback
+ * block.
+ *
+ * Should be followed by calls to add various rules to
+ * the transaction. Then virFirwallStartRollback should
+ * be used to provide rules to rollback upon transaction
+ * failure
+ */
+void virFirewallStartTransaction(virFirewallPtr firewall,
+ unsigned int flags)
+{
+ virFirewallGroupPtr group;
+
+ VIR_FIREWALL_RETURN_IF_ERROR(firewall);
+
+ if (!(group = virFirewallGroupNew())) {
+ firewall->err = ENOMEM;
+ return;
+ }
+ group->actionFlags = flags;
+
+ if (VIR_EXPAND_N(firewall->groups,
+ firewall->ngroups, 1) < 0) {
+ firewall->err = ENOMEM;
+ virFirewallGroupFree(group);
+ return;
+ }
+ firewall->groups[firewall->ngroups - 1] = group;
+ firewall->currentGroup = firewall->ngroups - 1;
+}
+
+/**
+ * virFirewallBeginRollback:
+ * @firewall: the firewall ruleset
+ * @flags: bitset of virFirewallRollbackFlags
+ *
+ * Mark the beginning of a set of rules able to rollback
+ * changes in this and all earlier transactions.
+ *
+ * Should be followed by calls to add various rules needed
+ * to rollback state. Then virFirewallStartTransaction
+ * should be used to indicate the beginning of the next
+ * transactional ruleset.
+ */
+void virFirewallStartRollback(virFirewallPtr firewall,
+ unsigned int flags)
+{
+ virFirewallGroupPtr group;
+
+ VIR_FIREWALL_RETURN_IF_ERROR(firewall);
+
+ if (firewall->ngroups == 0) {
+ firewall->err = ENODATA;
+ return;
+ }
+
+ group = firewall->groups[firewall->ngroups-1];
+ group->rollbackFlags = flags;
+ group->addingRollback = true;
+}
+
+
+static char *
+virFirewallRuleToString(virFirewallRulePtr rule)
+{
+ const char *bin = virFirewallLayerCommandTypeToString(rule->layer);
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ size_t i;
+
+ virBufferAdd(&buf, bin, -1);
+ for (i = 0; i < rule->argsLen; i++) {
+ virBufferAddLit(&buf, " ");
+ virBufferAdd(&buf, rule->args[i], -1);
+ }
+
+ return virBufferContentAndReset(&buf);
+}
+
+static int
+virFirewallApplyRuleDirect(virFirewallRulePtr rule,
+ bool ignoreErrors,
+ char **output)
+{
+ size_t i;
+ const char *bin = virFirewallLayerCommandTypeToString(rule->layer);
+ virCommandPtr cmd = NULL;
+ int status;
+ int ret = -1;
+ char *error = NULL;
+
+ if (!bin) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unknown firewall layer %d"),
+ rule->layer);
+ goto cleanup;
+ }
+
+ cmd = virCommandNewArgList(bin, NULL);
+
+ for (i = 0; i < rule->argsLen; i++)
+ virCommandAddArg(cmd, rule->args[i]);
+
+ virCommandSetOutputBuffer(cmd, output);
+ virCommandSetErrorBuffer(cmd, &error);
+
+ if (virCommandRun(cmd, &status) < 0)
+ goto cleanup;
+
+ if (status != 0) {
+ if (ignoreErrors) {
+ VIR_DEBUG("Ignoring error running command");
+ } else {
+ char *args = virCommandToString(cmd);
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Failed to apply firewall rules %s: %s"),
+ NULLSTR(args), NULLSTR(error));
+ VIR_FREE(args);
+ VIR_FREE(*output);
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+ cleanup:
+ VIR_FREE(error);
+ virCommandFree(cmd);
+ return ret;
+}
+
+
+#ifdef WITH_DBUS
+static int
+virFirewallApplyRuleFirewallD(virFirewallRulePtr rule,
+ bool ignoreErrors,
+ char **output)
+{
+ const char *ipv = virFirewallLayerFirewallDTypeToString(rule->layer);
+ DBusConnection *sysbus = virDBusGetSystemBus();
+ DBusMessage *reply = NULL;
+ DBusError error;
+ int ret = -1;
+
+ if (!sysbus)
+ return -1;
+
+ dbus_error_init(&error);
+
+ if (!ipv) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unknown firewall layer %d"),
+ rule->layer);
+ goto cleanup;
+ }
+
+ if (virDBusCallMethod(sysbus,
+ &reply,
+ &error,
+ VIR_FIREWALL_FIREWALLD_SERVICE,
+ "/org/fedoraproject/FirewallD1",
+ "org.fedoraproject.FirewallD1.direct",
+ "passthrough",
+ "sa&s",
+ ipv,
+ (int)rule->argsLen,
+ rule->args) < 0)
+ goto cleanup;
+
+ if (dbus_error_is_set(&error)) {
+ /*
+ * As of firewalld-0.3.9.3-1.fc20.noarch the name and
+ * message fields in the error look like
+ *
+ *
name="org.freedesktop.DBus.Python.dbus.exceptions.DBusException"
+ * message="COMMAND_FAILED: '/sbin/iptables --table filter --delete
+ * INPUT --in-interface virbr0 --protocol udp --destination-port 53
+ * --jump ACCEPT' failed: iptables: Bad rule (does a matching rule
+ * exist in that chain?)."
+ *
+ * We'd like to only ignore DBus errors precisely related to the failure
+ * of iptables/ebtables commands. A well designed DBus interface would
+ * return specific named exceptions not the top level generic python dbus
+ * exception name. With this current scheme our only option is todo a
+ * sub-string match for 'COMMAND_FAILED' on the message. eg like
+ *
+ * if (ignoreErrors &&
+ * STREQ(error.name,
+ *
"org.freedesktop.DBus.Python.dbus.exceptions.DBusException") &&
+ * STRPREFIX(error.message, "COMMAND_FAILED"))
+ * ...
+ *
+ * But this risks our error detecting code being broken if firewalld changes
+ * ever alter the message string, so we're avoiding doing that.
+ */
+ if (ignoreErrors) {
+ VIR_DEBUG("Ignoring error '%s': '%s'",
+ error.name, error.message);
+ } else {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unable to apply rule '%s'"),
+ error.message);
+ goto cleanup;
+ }
+ } else {
+ if (virDBusMessageRead(reply, "s", output) < 0)
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ dbus_error_free(&error);
+ if (reply)
+ dbus_message_unref(reply);
+ return ret;
+}
+#endif
+
+static int
+virFirewallApplyRule(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ bool ignoreErrors)
+{
+ char *output = NULL;
+ char **lines = NULL;
+ int ret = -1;
+ char *str = virFirewallRuleToString(rule);
+ VIR_INFO("Applying rule '%s'", NULLSTR(str));
+ VIR_FREE(str);
+
+ if (rule->ignoreErrors)
+ ignoreErrors = rule->ignoreErrors;
+
+ switch (currentBackend) {
+ case VIR_FIREWALL_BACKEND_DIRECT:
+ if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0)
+ return -1;
+ break;
+#if WITH_DBUS
+ case VIR_FIREWALL_BACKEND_FIREWALLD:
+ if (virFirewallApplyRuleFirewallD(rule, ignoreErrors, &output) < 0)
+ return -1;
+ break;
+#endif
+ default:
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Unexpected firewall engine backend"));
+ return -1;
+ }
+
+ if (rule->queryCB && output) {
+ if (!(lines = virStringSplit(output, "\n", -1)))
+ goto cleanup;
+
+ VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB,
output);
+ if (rule->queryCB(firewall, (const char *const *)lines, rule->queryOpaque)
< 0)
+ goto cleanup;
+
+ if (firewall->err == ENOMEM) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ if (firewall->err) {
+ virReportSystemError(firewall->err, "%s",
+ _("Unable to create rule"));
+ goto cleanup;
+ }
+
+ }
+
+ ret = 0;
+ cleanup:
+ virStringFreeList(lines);
+ VIR_FREE(output);
+ return ret;
+}
+
+static int
+virFirewallApplyGroup(virFirewallPtr firewall,
+ size_t idx)
+{
+ virFirewallGroupPtr group = firewall->groups[idx];
+ bool ignoreErrors = (group->actionFlags &
VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ size_t i;
+
+ VIR_INFO("Starting transaction for %p flags=%x",
+ group, group->actionFlags);
+ firewall->currentGroup = idx;
+ group->addingRollback = false;
+ for (i = 0; i < group->naction; i++) {
+ if (virFirewallApplyRule(firewall,
+ group->action[i],
+ ignoreErrors) < 0)
+ return -1;
+ }
+ return 0;
+}
+
+
+static void
+virFirewallRollbackGroup(virFirewallPtr firewall,
+ size_t idx)
+{
+ virFirewallGroupPtr group = firewall->groups[idx];
+ size_t i;
+
+ VIR_INFO("Starting rollback for group %p", group);
+ firewall->currentGroup = idx;
+ group->addingRollback = true;
+ for (i = 0; i < group->nrollback; i++) {
+ ignore_value(virFirewallApplyRule(firewall,
+ group->rollback[i],
+ true));
+ }
+}
+
+
+int
+virFirewallApply(virFirewallPtr firewall)
+{
+ size_t i, j;
+ int ret = -1;
+
+ virMutexLock(&ruleLock);
+ if (virFirewallInitialize() < 0)
+ goto cleanup;
+
+ if (!firewall || firewall->err == ENOMEM) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ if (firewall->err) {
+ virReportSystemError(firewall->err, "%s",
+ _("Unable to create rule"));
+ goto cleanup;
+ }
+
+ VIR_DEBUG("Applying groups for %p", firewall);
+ for (i = 0; i < firewall->ngroups; i++) {
+ if (virFirewallApplyGroup(firewall, i) < 0) {
+ VIR_DEBUG("Rolling back groups upto %zu for %p", i, firewall);
+ size_t first = i;
+ virErrorPtr saved_error = virSaveLastError();
+
+ /*
+ * Look at any inheritance markers to figure out
+ * what the first rollback group we need to apply is
+ */
+ for (j = 0; j <= i; j++) {
+ VIR_DEBUG("Checking inheritance of group %zu", i - j);
+ if (firewall->groups[i - j]->rollbackFlags &
+ VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS)
+ first = (i - j) - 1;
+ }
+ /*
+ * Now apply all rollback groups in order
+ */
+ for (j = first; j <= i; j++) {
+ VIR_DEBUG("Rolling back group %zu", j);
+ virFirewallRollbackGroup(firewall, j);
+ }
+
+ virSetError(saved_error);
+ virFreeError(saved_error);
+ VIR_DEBUG("Done rolling back groups for %p", firewall);
+ goto cleanup;
+ }
+ }
+ VIR_DEBUG("Done applying groups for %p", firewall);
+
+ ret = 0;
+ cleanup:
+ virMutexUnlock(&ruleLock);
+ return ret;
+}
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
new file mode 100644
index 0000000..5ca66fa
--- /dev/null
+++ b/src/util/virfirewall.h
@@ -0,0 +1,109 @@
+ /*
+ * virfirewall.h: integration with firewalls
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Authors:
+ * Daniel P. Berrange <berrange(a)redhat.com>
+ */
+
+#ifndef __VIR_FIREWALL_H__
+# define __VIR_FIREWALL_H__
+
+# include "internal.h"
+
+typedef struct _virFirewall virFirewall;
+typedef virFirewall *virFirewallPtr;
+
+typedef struct _virFirewallRule virFirewallRule;
+typedef virFirewallRule *virFirewallRulePtr;
+
+typedef enum {
+ VIR_FIREWALL_LAYER_ETHERNET,
+ VIR_FIREWALL_LAYER_IPV4,
+ VIR_FIREWALL_LAYER_IPV6,
+
+ VIR_FIREWALL_LAYER_LAST,
+} virFirewallLayer;
+
+virFirewallPtr virFirewallNew(void);
+
+void virFirewallFree(virFirewallPtr firewall);
+
+virFirewallRulePtr virFirewallAddRule(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ ...)
+ ATTRIBUTE_SENTINEL;
+
+typedef int (*virFirewallQueryCallback)(virFirewallPtr firewall,
+ const char *const *lines,
+ void *opaque);
+
+virFirewallRulePtr virFirewallAddRuleFull(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ ...)
+ ATTRIBUTE_NONNULL(3) ATTRIBUTE_SENTINEL;
The Coverity build wasn't happy (it failed) since argument(3) is a bool:
In file included from util/virebtables.c:34:0:
util/virfirewall.h:62:5: error: nonnull argument references non-pointer
operand (argument 1, operand 3)
ATTRIBUTE_NONNULL(3) ATTRIBUTE_SENTINEL;
^
The only pointer argument is (1); however, virFirewallAddRuleFullV()
will check for it being NULL. Perhaps this was a cut-n-paste from
"virFirewallRuleAddArg()" below?
I wasn't sure which way to go in order to repair. Since it's only the
Coverity build that's broken - I figure it can wait for your feedback to
handle it.
If I changed it to (1), then my coverity build completes and there's no
new errors.
John
+
+void virFirewallRemoveRule(virFirewallPtr firewall,
+ virFirewallRulePtr rule);
+
+void virFirewallRuleAddArg(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *arg)
+ ATTRIBUTE_NONNULL(3);
+
+void virFirewallRuleAddArgFormat(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *fmt, ...)
+ ATTRIBUTE_NONNULL(3) ATTRIBUTE_FMT_PRINTF(3, 4);
+
+void virFirewallRuleAddArgSet(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ const char *const *args)
+ ATTRIBUTE_NONNULL(3);
+
+void virFirewallRuleAddArgList(virFirewallPtr firewall,
+ virFirewallRulePtr rule,
+ ...)
+ ATTRIBUTE_SENTINEL;
+
+size_t virFirewallRuleGetArgCount(virFirewallRulePtr rule);
+
+typedef enum {
+ /* Ignore all errors when applying rules, so no
+ * rollback block will be required */
+ VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS = (1 << 0),
+} virFirewallTransactionFlags;
+
+void virFirewallStartTransaction(virFirewallPtr firewall,
+ unsigned int flags);
+
+typedef enum {
+ /* Execute previous rollback block before this
+ * one, to chain cleanup */
+ VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS = (1 << 0),
+} virFirewallRollbackFlags;
+
+void virFirewallStartRollback(virFirewallPtr firewall,
+ unsigned int flags);
+
+int virFirewallApply(virFirewallPtr firewall);
+
+#endif /* __VIR_FIREWALL_H__ */
diff --git a/src/util/virfirewallpriv.h b/src/util/virfirewallpriv.h
new file mode 100644
index 0000000..130aaa1
--- /dev/null
+++ b/src/util/virfirewallpriv.h
@@ -0,0 +1,45 @@
+/*
+ * virfirewallpriv.h: integration with firewalls private APIs
+ *
+ * Copyright (C) 2013 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Authors:
+ * Daniel P. Berrange <berrange(a)redhat.com>
+ */
+
+#ifndef __VIR_FIREWALL_PRIV_H_ALLOW__
+# error "virfirewallpriv.h may only be included by virfirewall.c or test
suites"
+#endif
+
+#ifndef __VIR_FIREWALL_PRIV_H__
+# define __VIR_FIREWALL_PRIV_H__
+
+# include "virfirewall.h"
+
+# define VIR_FIREWALL_FIREWALLD_SERVICE "org.fedoraproject.FirewallD1"
+
+typedef enum {
+ VIR_FIREWALL_BACKEND_AUTOMATIC,
+ VIR_FIREWALL_BACKEND_DIRECT,
+ VIR_FIREWALL_BACKEND_FIREWALLD,
+
+ VIR_FIREWALL_BACKEND_LAST,
+} virFirewallBackend;
+
+int virFirewallSetBackend(virFirewallBackend backend);
+
+#endif /* __VIR_FIREWALL_PRIV_H__ */
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c13cc15..a10919d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -148,6 +148,7 @@ test_programs = virshtest sockettest \
virpcitest \
virendiantest \
virfiletest \
+ virfirewalltest \
viriscsitest \
virkeycodetest \
virlockspacetest \
@@ -998,6 +999,12 @@ virfiletest_SOURCES = \
virfiletest.c testutils.h testutils.c
virfiletest_LDADD = $(LDADDS)
+virfirewalltest_SOURCES = \
+ virfirewalltest.c testutils.h testutils.c
+virfirewalltest_LDADD = $(LDADDS)
+virfirewalltest_CFLAGS = $(AM_CFLAGS) $(DBUS_CFLAGS)
+virfirewalltest_LDFLAGS = $(DRIVER_MODULE_LDFLAGS)
+
jsontest_SOURCES = \
jsontest.c testutils.h testutils.c
jsontest_LDADD = $(LDADDS)
diff --git a/tests/testutils.c b/tests/testutils.c
index 9767a78..022d543 100644
--- a/tests/testutils.c
+++ b/tests/testutils.c
@@ -459,10 +459,20 @@ int virtTestDifference(FILE *stream,
const char *expect,
const char *actual)
{
- const char *expectStart = expect;
- const char *expectEnd = expect + (strlen(expect)-1);
- const char *actualStart = actual;
- const char *actualEnd = actual + (strlen(actual)-1);
+ const char *expectStart;
+ const char *expectEnd;
+ const char *actualStart;
+ const char *actualEnd;
+
+ if (!expect)
+ expect = "";
+ if (!actual)
+ actual = "";
+
+ expectStart = expect;
+ expectEnd = expect + (strlen(expect)-1);
+ actualStart = actual;
+ actualEnd = actual + (strlen(actual)-1);
if (!virTestGetDebug())
return 0;
diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
new file mode 100644
index 0000000..805fa44
--- /dev/null
+++ b/tests/virfirewalltest.c
@@ -0,0 +1,1186 @@
+/*
+ * Copyright (C) 2013-2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ * Author: Daniel P. Berrange <berrange(a)redhat.com>
+ */
+
+#include <config.h>
+
+#define __VIR_FIREWALL_PRIV_H_ALLOW__
+#define __VIR_COMMAND_PRIV_H_ALLOW__
+
+#include "testutils.h"
+#include "virbuffer.h"
+#include "vircommandpriv.h"
+#include "virfirewallpriv.h"
+#include "virmock.h"
+#include "virdbuspriv.h"
+
+#define VIR_FROM_THIS VIR_FROM_FIREWALL
+
+#if WITH_DBUS
+# include <dbus/dbus.h>
+#endif
+
+static bool fwDisabled = true;
+static virBufferPtr fwBuf;
+static bool fwError;
+
+#define TEST_FILTER_TABLE_LIST \
+ "Chain INPUT (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain FORWARD (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain OUTPUT (policy ACCEPT)\n" \
+ "target prot opt source destination\n"
+
+#define TEST_NAT_TABLE_LIST \
+ "Chain PREROUTING (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain INPUT (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain OUTPUT (policy ACCEPT)\n" \
+ "target prot opt source destination\n" \
+ "\n" \
+ "Chain POSTROUTING (policy ACCEPT)\n" \
+ "target prot opt source destination\n"
+
+#if WITH_DBUS
+VIR_MOCK_IMPL_RET_ARGS(dbus_connection_send_with_reply_and_block,
+ DBusMessage *,
+ DBusConnection *, connection,
+ DBusMessage *, message,
+ int, timeout_milliseconds,
+ DBusError *, error)
+{
+ DBusMessage *reply = NULL;
+ const char *service = dbus_message_get_destination(message);
+ const char *member = dbus_message_get_member(message);
+ size_t i;
+ size_t nargs = 0;
+ char **args = NULL;
+ char *type = NULL;
+
+ VIR_MOCK_IMPL_INIT_REAL(dbus_connection_send_with_reply_and_block);
+
+ if (STREQ(service, "org.freedesktop.DBus") &&
+ STREQ(member, "ListNames")) {
+ const char *svc1 = "org.foo.bar.wizz";
+ const char *svc2 = VIR_FIREWALL_FIREWALLD_SERVICE;
+ DBusMessageIter iter;
+ DBusMessageIter sub;
+ reply = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN);
+ dbus_message_iter_init_append(reply, &iter);
+ dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY,
+ "s", &sub);
+
+ if (!dbus_message_iter_append_basic(&sub,
+ DBUS_TYPE_STRING,
+ &svc1))
+ goto error;
+ if (!fwDisabled &&
+ !dbus_message_iter_append_basic(&sub,
+ DBUS_TYPE_STRING,
+ &svc2))
+ goto error;
+ dbus_message_iter_close_container(&iter, &sub);
+ } else if (STREQ(service, VIR_FIREWALL_FIREWALLD_SERVICE) &&
+ STREQ(member, "passthrough")) {
+ bool isAdd = false;
+ bool doError = false;
+
+ if (virDBusMessageDecode(message,
+ "sa&s",
+ &type,
+ &nargs,
+ &args) < 0)
+ goto error;
+
+ for (i = 0; i < nargs; i++) {
+ /* Fake failure on the command with this IP addr */
+ if (STREQ(args[i], "-A")) {
+ isAdd = true;
+ } else if (isAdd && STREQ(args[i], "192.168.122.255")) {
+ doError = true;
+ }
+ }
+
+ if (fwBuf) {
+ if (STREQ(type, "ipv4"))
+ virBufferAddLit(fwBuf, IPTABLES_PATH);
+ else if (STREQ(type, "ipv4"))
+ virBufferAddLit(fwBuf, IP6TABLES_PATH);
+ else
+ virBufferAddLit(fwBuf, EBTABLES_PATH);
+ }
+ for (i = 0; i < nargs; i++) {
+ if (fwBuf) {
+ virBufferAddLit(fwBuf, " ");
+ virBufferEscapeShell(fwBuf, args[i]);
+ }
+ }
+ if (fwBuf)
+ virBufferAddLit(fwBuf, "\n");
+ if (doError) {
+ dbus_set_error_const(error,
+ "org.firewalld.error",
+ "something bad happened");
+ } else {
+ if (nargs == 1 &&
+ STREQ(type, "ipv4") &&
+ STREQ(args[0], "-L")) {
+ if (virDBusCreateReply(&reply,
+ "s", TEST_FILTER_TABLE_LIST) < 0)
+ goto error;
+ } else if (nargs == 3 &&
+ STREQ(type, "ipv4") &&
+ STREQ(args[0], "-t") &&
+ STREQ(args[1], "nat") &&
+ STREQ(args[2], "-L")) {
+ if (virDBusCreateReply(&reply,
+ "s", TEST_NAT_TABLE_LIST) < 0)
+ goto error;
+ } else {
+ if (virDBusCreateReply(&reply,
+ "s", "success") < 0)
+ goto error;
+ }
+ }
+ } else {
+ reply = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN);
+ }
+
+ cleanup:
+ VIR_FREE(type);
+ for (i = 0; i < nargs; i++)
+ VIR_FREE(args[i]);
+ VIR_FREE(args);
+ return reply;
+
+ error:
+ if (reply)
+ dbus_message_unref(reply);
+ reply = NULL;
+ if (error && !dbus_error_is_set(error))
+ dbus_set_error_const(error,
+ "org.firewalld.error",
+ "something unexpected happened");
+
+ goto cleanup;
+}
+#endif
+
+struct testFirewallData {
+ virFirewallBackend tryBackend;
+ virFirewallBackend expectBackend;
+ bool fwDisabled;
+};
+
+static int
+testFirewallSingleGroup(const void *opaque)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
+ virCommandSetDryRun(&cmdbuf, NULL, NULL);
+ else
+ fwBuf = &cmdbuf;
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static int
+testFirewallRemoveRule(const void *opaque)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+ virFirewallRulePtr fwrule;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
+ virCommandSetDryRun(&cmdbuf, NULL, NULL);
+ else
+ fwBuf = &cmdbuf;
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT", NULL);
+ virFirewallRuleAddArg(fw, fwrule, "--source-host");
+ virFirewallRemoveRule(fw, fwrule);
+
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT", NULL);
+ virFirewallRuleAddArg(fw, fwrule, "--source-host");
+ virFirewallRuleAddArgFormat(fw, fwrule, "%s",
"!192.168.122.1");
+ virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT",
NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static int
+testFirewallManyGroups(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n"
+ IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump
ACCEPT\n"
+ IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
+ virCommandSetDryRun(&cmdbuf, NULL, NULL);
+ else
+ fwBuf = &cmdbuf;
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
+
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static void
+testFirewallRollbackHook(const char *const*args,
+ const char *const*env ATTRIBUTE_UNUSED,
+ const char *input ATTRIBUTE_UNUSED,
+ char **output ATTRIBUTE_UNUSED,
+ char **error ATTRIBUTE_UNUSED,
+ int *status,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ bool isAdd = false;
+ while (*args) {
+ /* Fake failure on the command with this IP addr */
+ if (STREQ(*args, "-A")) {
+ isAdd = true;
+ } else if (isAdd && STREQ(*args, "192.168.122.255")) {
+ *status = 127;
+ break;
+ }
+ args++;
+ }
+}
+
+static int
+testFirewallIgnoreFailGroup(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump
ACCEPT\n"
+ IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
+
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static int
+testFirewallIgnoreFailRule(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump
ACCEPT\n"
+ IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ true, NULL, NULL,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
+
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static int
+testFirewallNoRollback(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) == 0) {
+ fprintf(stderr, "Firewall apply unexpectedly worked\n");
+ goto cleanup;
+ }
+
+ if (virtTestOOMActive())
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static int
+testFirewallSingleRollback(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwError = true;
+ fwBuf = &cmdbuf;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) == 0) {
+ fprintf(stderr, "Firewall apply unexpectedly worked\n");
+ goto cleanup;
+ }
+
+ if (virtTestOOMActive())
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static int
+testFirewallManyRollback(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) == 0) {
+ fprintf(stderr, "Firewall apply unexpectedly worked\n");
+ goto cleanup;
+ }
+
+ if (virtTestOOMActive())
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static int
+testFirewallChainedRollback(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.127 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump
REJECT\n"
+ IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "192.168.122.255",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) == 0) {
+ fprintf(stderr, "Firewall apply unexpectedly worked\n");
+ goto cleanup;
+ }
+
+ if (virtTestOOMActive())
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+
+static const char *expectedLines[] = {
+ "Chain INPUT (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain FORWARD (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain OUTPUT (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain PREROUTING (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain INPUT (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain OUTPUT (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+ "Chain POSTROUTING (policy ACCEPT)",
+ "target prot opt source destination",
+ "",
+};
+static size_t expectedLineNum;
+static bool expectedLineError;
+
+static void
+testFirewallQueryHook(const char *const*args,
+ const char *const*env ATTRIBUTE_UNUSED,
+ const char *input ATTRIBUTE_UNUSED,
+ char **output,
+ char **error ATTRIBUTE_UNUSED,
+ int *status,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ if (STREQ(args[0], IPTABLES_PATH) &&
+ STREQ(args[1], "-L")) {
+ if (VIR_STRDUP(*output, TEST_FILTER_TABLE_LIST) < 0)
+ *status = 127;
+ } else if (STREQ(args[0], IPTABLES_PATH) &&
+ STREQ(args[1], "-t") &&
+ STREQ(args[2], "nat") &&
+ STREQ(args[3], "-L")) {
+ if (VIR_STRDUP(*output, TEST_NAT_TABLE_LIST) < 0)
+ *status = 127;
+ }
+}
+
+
+static int
+testFirewallQueryCallback(virFirewallPtr fw,
+ const char *const *lines,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ size_t i;
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.129",
+ "--jump", "REJECT", NULL);
+
+ for (i = 0; lines[i] != NULL; i++) {
+ if (expectedLineNum >= ARRAY_CARDINALITY(expectedLines)) {
+ expectedLineError = true;
+ break;
+ }
+ if (STRNEQ(expectedLines[expectedLineNum], lines[i])) {
+ fprintf(stderr, "Mismatch '%s' vs '%s' at %zu,
%zu\n",
+ expectedLines[expectedLineNum], lines[i],
+ expectedLineNum, i);
+ expectedLineError = true;
+ break;
+ }
+ expectedLineNum++;
+ }
+ return 0;
+}
+
+static int
+testFirewallQuery(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+ const char *actual = NULL;
+ const char *expected =
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump
REJECT\n"
+ IPTABLES_PATH " -L\n"
+ IPTABLES_PATH " -t nat -L\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.130 --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host 192.168.122.128 --jump
REJECT\n"
+ IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump
REJECT\n";
+ const struct testFirewallData *data = opaque;
+
+ expectedLineNum = 0;
+ expectedLineError = false;
+ fwDisabled = data->fwDisabled;
+ if (virFirewallSetBackend(data->tryBackend) < 0)
+ goto cleanup;
+
+ if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
+ virCommandSetDryRun(&cmdbuf, testFirewallQueryHook, NULL);
+ } else {
+ fwBuf = &cmdbuf;
+ fwError = true;
+ }
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false,
+ testFirewallQueryCallback,
+ NULL,
+ "-L", NULL);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false,
+ testFirewallQueryCallback,
+ NULL,
+ "-t", "nat", "-L", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.130",
+ "--jump", "REJECT", NULL);
+
+
+ virFirewallStartTransaction(fw, 0);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "192.168.122.128",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source-host", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ if (virBufferError(&cmdbuf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&cmdbuf);
+
+ if (expectedLineError) {
+ fprintf(stderr, "Got some unexpected query data\n");
+ goto cleanup;
+ }
+
+ if (STRNEQ_NULLABLE(expected, actual)) {
+ fprintf(stderr, "Unexected command execution\n");
+ virtTestDifference(stderr, expected, actual);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virBufferFreeAndReset(&cmdbuf);
+ fwBuf = NULL;
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virFirewallFree(fw);
+ return ret;
+}
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+#define RUN_TEST_DIRECT(name, method) \
+ do { \
+ struct testFirewallData data; \
+ data.tryBackend = VIR_FIREWALL_BACKEND_AUTOMATIC; \
+ data.expectBackend = VIR_FIREWALL_BACKEND_DIRECT; \
+ data.fwDisabled = true; \
+ if (virtTestRun(name " auto direct", method, &data) < 0)
\
+ ret = -1; \
+ data.tryBackend = VIR_FIREWALL_BACKEND_DIRECT; \
+ data.expectBackend = VIR_FIREWALL_BACKEND_DIRECT; \
+ data.fwDisabled = true; \
+ if (virtTestRun(name " manual direct", method, &data) < 0)
\
+ ret = -1; \
+ } while (0)
+
+#if WITH_DBUS
+# define RUN_TEST_FIREWALLD(name, method) \
+ do { \
+ struct testFirewallData data; \
+ data.tryBackend = VIR_FIREWALL_BACKEND_AUTOMATIC; \
+ data.expectBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
+ data.fwDisabled = false; \
+ if (virtTestRun(name " auto firewalld", method, &data) < 0)
\
+ ret = -1; \
+ data.tryBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
+ data.expectBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
+ data.fwDisabled = false; \
+ if (virtTestRun(name " manual firewalld", method, &data) < 0)
\
+ ret = -1; \
+ } while (0)
+
+# define RUN_TEST(name, method) \
+ RUN_TEST_DIRECT(name, method); \
+ RUN_TEST_FIREWALLD(name, method)
+#else /* ! WITH_DBUS */
+# define RUN_TEST(name, method) \
+ RUN_TEST_DIRECT(name, method)
+#endif /* ! WITH_DBUS */
+
+ RUN_TEST("single group", testFirewallSingleGroup);
+ RUN_TEST("remove rule", testFirewallRemoveRule);
+ RUN_TEST("many groups", testFirewallManyGroups);
+ RUN_TEST("ignore fail group", testFirewallIgnoreFailGroup);
+ RUN_TEST("ignore fail rule", testFirewallIgnoreFailRule);
+ RUN_TEST("no rollback", testFirewallNoRollback);
+ RUN_TEST("single rollback", testFirewallSingleRollback);
+ RUN_TEST("many rollback", testFirewallManyRollback);
+ RUN_TEST("chained rollback", testFirewallChainedRollback);
+ RUN_TEST("query transaction", testFirewallQuery);
+
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+#if WITH_DBUS
+VIRT_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virmockdbus.so")
+#else
+VIRT_TEST_MAIN(mymain)
+#endif
9:45 a.m.
New subject: [libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
On 8.4.2014 17:38, Daniel P. Berrange wrote:
The network and nwfilter drivers both have a need to update
firewall rules. The currently share no code for interacting
with iptables / firewalld. The nwfilter driver is fairly
tied to the concept of creating shell scripts to execute
which makes it very hard to port to talk to firewalld via
DBus APIs.
This patch introduces a virFirewallPtr object which is able
to represent a complete sequence of rule changes, with the
ability to have multiple transactional checkpoints with
rollbacks. By formally separating the definition of the rules
to be applied from the mechanism used to apply them, it is
also possible to write a firewall engine that uses firewalld
DBus APIs natively instead of via the slow firewalld-cmd.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
include/libvirt/virterror.h | 1 +
po/POTFILES.in | 1 +
src/Makefile.am | 2 +
src/libvirt_private.syms | 17 +
src/util/virerror.c | 1 +
src/util/virfirewall.c | 922 +++++++++++++++++++++++++++++++++
src/util/virfirewall.h | 109 ++++
src/util/virfirewallpriv.h | 45 ++
tests/Makefile.am | 7 +
tests/testutils.c | 18 +-
tests/virfirewalltest.c | 1186 +++++++++++++++++++++++++++++++++++++++++++
11 files changed, 2305 insertions(+), 4 deletions(-)
create mode 100644 src/util/virfirewall.c
create mode 100644 src/util/virfirewall.h
create mode 100644 src/util/virfirewallpriv.h
create mode 100644 tests/virfirewalltest.c
[...]
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
new file mode 100644
index 0000000..b558d2f
--- /dev/null
+++ b/src/util/virfirewall.c
@@ -0,0 +1,922 @@
[...]
+static virFirewallRulePtr
+virFirewallAddRuleFullV(virFirewallPtr firewall,
+ virFirewallLayer layer,
+ bool ignoreErrors,
+ virFirewallQueryCallback cb,
+ void *opaque,
+ va_list args)
+{
+ virFirewallGroupPtr group;
+ virFirewallRulePtr rule;
+ char *str;
+
+ VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall);
+
+ if (firewall->ngroups == 0) {
+ firewall->err = ENODATA;
+ return NULL;
+ }
+ group = firewall->groups[firewall->currentGroup];
[...]
+void virFirewallStartRollback(virFirewallPtr firewall,
+ unsigned int flags)
+{
+ virFirewallGroupPtr group;
+
+ VIR_FIREWALL_RETURN_IF_ERROR(firewall);
+
+ if (firewall->ngroups == 0) {
+ firewall->err = ENODATA;
+ return;
+ }
+
+ group = firewall->groups[firewall->ngroups-1];
+ group->rollbackFlags = flags;
+ group->addingRollback = true;
+}
Hi Dan,
The ENODATA error is not defined in freebsd and I'm wondering
whether it should be compiled there? If yes, than we have to
add:
#ifndef ENODATA
# define ENODATA ENOMSG
#endif
into that file.
Pavel
10:06 a.m.
New subject: [libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
On Tue, Apr 29, 2014 at 04:45:31PM +0200, Pavel Hrdina wrote:
On 8.4.2014 17:38, Daniel P. Berrange wrote:
> The network and nwfilter drivers both have a need to update
> firewall rules. The currently share no code for interacting
> with iptables / firewalld. The nwfilter driver is fairly
> tied to the concept of creating shell scripts to execute
> which makes it very hard to port to talk to firewalld via
> DBus APIs.
>
> This patch introduces a virFirewallPtr object which is able
> to represent a complete sequence of rule changes, with the
> ability to have multiple transactional checkpoints with
> rollbacks. By formally separating the definition of the rules
> to be applied from the mechanism used to apply them, it is
> also possible to write a firewall engine that uses firewalld
> DBus APIs natively instead of via the slow firewalld-cmd.
>
> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> +void virFirewallStartRollback(virFirewallPtr firewall,
> + unsigned int flags)
> +{
> + virFirewallGroupPtr group;
> +
> + VIR_FIREWALL_RETURN_IF_ERROR(firewall);
> +
> + if (firewall->ngroups == 0) {
> + firewall->err = ENODATA;
> + return;
> + }
> +
> + group = firewall->groups[firewall->ngroups-1];
> + group->rollbackFlags = flags;
> + group->addingRollback = true;
> +}
Hi Dan,
The ENODATA error is not defined in freebsd and I'm wondering
whether it should be compiled there? If yes, than we have to
add:
#ifndef ENODATA
# define ENODATA ENOMSG
#endif
into that file.
Yes, this is intended to be usable on freebsd. The ENODATA choice was
kind of arbitrary - I think we could just use EINVAL instead as a safe
bet. This would only ever occur if the caller was ignoring the defined
API usage rules, so only ever likely to see this during devevelopment
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:38 a.m.
New subject: [libvirt] [PATCH 12/26] Convert bridge driver over to use new firewall APIs
Update the iptablesXXXX methods so that instead of directly
executing iptables commands, they populate rules in an
instance of virFirewallPtr. The bridge driver can thus
construct the ruleset and then invoke it in one operation
having rollback handled automatically.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/network/bridge_driver_linux.c | 669 ++++++++++++++++----------------------
src/util/viriptables.c | 632 +++++++++++++++--------------------
src/util/viriptables.h | 114 ++++---
3 files changed, 619 insertions(+), 796 deletions(-)
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 3891357..9f4911b 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -28,6 +28,7 @@
#include "viriptables.h"
#include "virstring.h"
#include "virlog.h"
+#include "virfirewall.h"
#define VIR_FROM_THIS VIR_FROM_NONE
@@ -134,7 +135,8 @@ static const char networkLocalMulticast[] = "224.0.0.0/24";
static const char networkLocalBroadcast[] = "255.255.255.255/32";
static int
-networkAddMasqueradingFirewallRules(virNetworkObjPtr network,
+networkAddMasqueradingFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
@@ -144,32 +146,26 @@ networkAddMasqueradingFirewallRules(virNetworkObjPtr network,
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Invalid prefix or netmask for '%s'"),
network->def->bridge);
- goto masqerr1;
+ return -1;
}
/* allow forwarding packets from the bridge interface */
- if (iptablesAddForwardAllowOut(&ipdef->address,
+ if (iptablesAddForwardAllowOut(fw,
+ &ipdef->address,
prefix,
network->def->bridge,
- forwardIf) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow forwarding from
'%s'"),
- network->def->bridge);
- goto masqerr1;
- }
+ forwardIf) < 0)
+ return -1;
/* allow forwarding packets to the bridge interface if they are
* part of an existing connection
*/
- if (iptablesAddForwardAllowRelatedIn(&ipdef->address,
+ if (iptablesAddForwardAllowRelatedIn(fw,
+ &ipdef->address,
prefix,
network->def->bridge,
- forwardIf) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow forwarding to
'%s'"),
- network->def->bridge);
- goto masqerr2;
- }
+ forwardIf) < 0)
+ return -1;
/*
* Enable masquerading.
@@ -204,176 +200,127 @@ networkAddMasqueradingFirewallRules(virNetworkObjPtr network,
*/
/* First the generic masquerade rule for other protocols */
- if (iptablesAddForwardMasquerade(&ipdef->address,
+ if (iptablesAddForwardMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
- NULL) < 0) {
- if (forwardIf)
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to enable masquerading to
%s"),
- forwardIf);
- else
- virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
- _("failed to add iptables rule to enable
masquerading"));
- goto masqerr3;
- }
+ NULL) < 0)
+ return -1;
/* UDP with a source port restriction */
- if (iptablesAddForwardMasquerade(&ipdef->address,
+ if (iptablesAddForwardMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
- "udp") < 0) {
- if (forwardIf)
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to enable UDP masquerading
to %s"),
- forwardIf);
- else
- virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
- _("failed to add iptables rule to enable UDP
masquerading"));
- goto masqerr4;
- }
+ "udp") < 0)
+ return -1;
/* TCP with a source port restriction */
- if (iptablesAddForwardMasquerade(&ipdef->address,
+ if (iptablesAddForwardMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
- "tcp") < 0) {
- if (forwardIf)
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to enable TCP masquerading
to %s"),
- forwardIf);
- else
- virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
- _("failed to add iptables rule to enable TCP
masquerading"));
- goto masqerr5;
- }
+ "tcp") < 0)
+ return -1;
/* exempt local network broadcast address as destination */
- if (iptablesAddDontMasquerade(&ipdef->address,
+ if (iptablesAddDontMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
- networkLocalBroadcast) < 0) {
- if (forwardIf)
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to prevent local broadcast
masquerading on %s"),
- forwardIf);
- else
- virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
- _("failed to add iptables rule to prevent local broadcast
masquerading"));
- goto masqerr6;
- }
+ networkLocalBroadcast) < 0)
+ return -1;
/* exempt local multicast range as destination */
- if (iptablesAddDontMasquerade(&ipdef->address,
+ if (iptablesAddDontMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
- networkLocalMulticast) < 0) {
- if (forwardIf)
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to prevent local multicast
masquerading on %s"),
- forwardIf);
- else
- virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
- _("failed to add iptables rule to prevent local multicast
masquerading"));
- goto masqerr7;
- }
+ networkLocalMulticast) < 0)
+ return -1;
return 0;
-
- masqerr7:
- iptablesRemoveDontMasquerade(&ipdef->address,
- prefix,
- forwardIf,
- networkLocalBroadcast);
- masqerr6:
- iptablesRemoveForwardMasquerade(&ipdef->address,
- prefix,
- forwardIf,
- &network->def->forward.addr,
- &network->def->forward.port,
- "tcp");
- masqerr5:
- iptablesRemoveForwardMasquerade(&ipdef->address,
- prefix,
- forwardIf,
- &network->def->forward.addr,
- &network->def->forward.port,
- "udp");
- masqerr4:
- iptablesRemoveForwardMasquerade(&ipdef->address,
- prefix,
- forwardIf,
- &network->def->forward.addr,
- &network->def->forward.port,
- NULL);
- masqerr3:
- iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
- prefix,
- network->def->bridge,
- forwardIf);
- masqerr2:
- iptablesRemoveForwardAllowOut(&ipdef->address,
- prefix,
- network->def->bridge,
- forwardIf);
- masqerr1:
- return -1;
}
-static void
-networkRemoveMasqueradingFirewallRules(virNetworkObjPtr network,
+static int
+networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
- if (prefix >= 0) {
- iptablesRemoveDontMasquerade(&ipdef->address,
+ if (prefix < 0)
+ return 0;
+
+ if (iptablesRemoveDontMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
- networkLocalMulticast);
- iptablesRemoveDontMasquerade(&ipdef->address,
+ networkLocalMulticast) < 0)
+ return -1;
+
+ if (iptablesRemoveDontMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
- networkLocalBroadcast);
- iptablesRemoveForwardMasquerade(&ipdef->address,
+ networkLocalBroadcast) < 0)
+ return -1;
+
+ if (iptablesRemoveForwardMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
- "tcp");
- iptablesRemoveForwardMasquerade(&ipdef->address,
+ "tcp") < 0)
+ return -1;
+
+ if (iptablesRemoveForwardMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
- "udp");
- iptablesRemoveForwardMasquerade(&ipdef->address,
+ "udp") < 0)
+ return -1;
+
+ if (iptablesRemoveForwardMasquerade(fw,
+ &ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
- NULL);
+ NULL) < 0)
+ return -1;
- iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
+ if (iptablesRemoveForwardAllowRelatedIn(fw,
+ &ipdef->address,
prefix,
network->def->bridge,
- forwardIf);
- iptablesRemoveForwardAllowOut(&ipdef->address,
+ forwardIf) < 0)
+ return -1;
+
+ if (iptablesRemoveForwardAllowOut(fw,
+ &ipdef->address,
prefix,
network->def->bridge,
- forwardIf);
- }
+ forwardIf) < 0)
+ return -1;
+
+ return 0;
}
+
static int
-networkAddRoutingFirewallRules(virNetworkObjPtr network,
+networkAddRoutingFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
@@ -383,168 +330,199 @@ networkAddRoutingFirewallRules(virNetworkObjPtr network,
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Invalid prefix or netmask for '%s'"),
network->def->bridge);
- goto routeerr1;
+ return -1;
}
/* allow routing packets from the bridge interface */
- if (iptablesAddForwardAllowOut(&ipdef->address,
+ if (iptablesAddForwardAllowOut(fw,
+ &ipdef->address,
prefix,
network->def->bridge,
- forwardIf) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow routing from
'%s'"),
- network->def->bridge);
- goto routeerr1;
- }
+ forwardIf) < 0)
+ return -1;
/* allow routing packets to the bridge interface */
- if (iptablesAddForwardAllowIn(&ipdef->address,
+ if (iptablesAddForwardAllowIn(fw,
+ &ipdef->address,
prefix,
network->def->bridge,
- forwardIf) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow routing to
'%s'"),
- network->def->bridge);
- goto routeerr2;
- }
+ forwardIf) < 0)
+ return -1;
return 0;
-
- routeerr2:
- iptablesRemoveForwardAllowOut(&ipdef->address,
- prefix,
- network->def->bridge,
- forwardIf);
- routeerr1:
- return -1;
}
-static void
-networkRemoveRoutingFirewallRules(virNetworkObjPtr network,
+static int
+networkRemoveRoutingFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
- if (prefix >= 0) {
- iptablesRemoveForwardAllowIn(&ipdef->address,
+ if (prefix < 0)
+ return 0;
+
+ if (iptablesRemoveForwardAllowIn(fw,
+ &ipdef->address,
prefix,
network->def->bridge,
- forwardIf);
+ forwardIf) < 0)
+ return -1;
- iptablesRemoveForwardAllowOut(&ipdef->address,
+ if (iptablesRemoveForwardAllowOut(fw,
+ &ipdef->address,
prefix,
network->def->bridge,
- forwardIf);
+ forwardIf) < 0)
+ return -1;
+
+ return 0;
+}
+
+
+static void
+networkAddGeneralIPv4FirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network)
+{
+ size_t i;
+ virNetworkIpDefPtr ipv4def;
+
+ /* First look for first IPv4 address that has dhcp or tftpboot defined. */
+ /* We support dhcp config on 1 IPv4 interface only. */
+ for (i = 0;
+ (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i));
+ i++) {
+ if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
+ break;
+ }
+
+ /* allow DHCP requests through to dnsmasq */
+ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 68);
+
+ /* allow DNS requests through to dnsmasq */
+ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53);
+
+ /* allow TFTP requests through to dnsmasq if necessary */
+ if (ipv4def && ipv4def->tftproot)
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge,
69);
+
+ /* Catch all rules to block forwarding to/from bridges */
+ iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
+ iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge);
+
+ /* Allow traffic between guests on the same bridge */
+ iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
+}
+
+static void
+networkRemoveGeneralIPv4FirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network)
+{
+ size_t i;
+ virNetworkIpDefPtr ipv4def;
+
+ for (i = 0;
+ (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i));
+ i++) {
+ if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
+ break;
}
+
+ iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
+ iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
+ iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
+
+ if (ipv4def && ipv4def->tftproot)
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge,
69);
+
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53);
+ iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53);
+
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge,
68);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67);
+ iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67);
}
+
/* Add all once/network rules required for IPv6.
* If no IPv6 addresses are defined and <network ipv6='yes'> is
* specified, then allow IPv6 commuinications between virtual systems.
* If any IPv6 addresses are defined, then add the rules for regular operation.
*/
-static int
-networkAddGeneralIp6tablesRules(virNetworkObjPtr network)
+static void
+networkAddGeneralIPv6FirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
!network->def->ipv6nogw) {
- return 0;
+ return;
}
/* Catch all rules to block forwarding to/from bridges */
-
- if (iptablesAddForwardRejectOut(AF_INET6, network->def->bridge) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add ip6tables rule to block outbound traffic
from '%s'"),
- network->def->bridge);
- goto err1;
- }
-
- if (iptablesAddForwardRejectIn(AF_INET6, network->def->bridge) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add ip6tables rule to block inbound traffic to
'%s'"),
- network->def->bridge);
- goto err2;
- }
+ iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
+ iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge);
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(AF_INET6, network->def->bridge) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add ip6tables rule to allow cross bridge traffic
on '%s'"),
- network->def->bridge);
- goto err3;
- }
-
- /* if no IPv6 addresses are defined, we are done. */
- if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0))
- return 0;
-
- /* allow DNS over IPv6 */
- if (iptablesAddTcpInput(AF_INET6, network->def->bridge, 53) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add ip6tables rule to allow DNS requests from
'%s'"),
- network->def->bridge);
- goto err4;
- }
-
- if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 53) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add ip6tables rule to allow DNS requests from
'%s'"),
- network->def->bridge);
- goto err5;
- }
+ iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
- if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 547) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add ip6tables rule to allow DHCP6 requests from
'%s'"),
- network->def->bridge);
- goto err6;
+ if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
+ /* allow DNS over IPv6 */
+ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
53);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
53);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
547);
}
-
- return 0;
-
- /* unwind in reverse order from the point of failure */
- err6:
- iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
- err5:
- iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
- err4:
- iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
- err3:
- iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
- err2:
- iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
- err1:
- return -1;
}
static void
-networkRemoveGeneralIp6tablesRules(virNetworkObjPtr network)
+networkRemoveGeneralIPv6FirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
!network->def->ipv6nogw) {
return;
}
+
if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
- iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 547);
- iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
- iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
547);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
53);
+ iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
53);
}
/* the following rules are there if no IPv6 address has been defined
* but network->def->ipv6nogw == true
*/
- iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
- iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
- iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
+ iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
+ iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
+ iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
}
-static int
-networkAddGeneralFirewallRules(virNetworkObjPtr network)
+static void
+networkAddGeneralFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network)
+{
+ networkAddGeneralIPv4FirewallRules(fw, network);
+ networkAddGeneralIPv6FirewallRules(fw, network);
+}
+
+
+static void
+networkRemoveGeneralFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network)
+{
+ networkRemoveGeneralIPv4FirewallRules(fw, network);
+ networkRemoveGeneralIPv6FirewallRules(fw, network);
+}
+
+static void
+networkAddChecksumFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network)
{
size_t i;
virNetworkIpDefPtr ipv4def;
@@ -554,161 +532,44 @@ networkAddGeneralFirewallRules(virNetworkObjPtr network)
for (i = 0;
(ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i));
i++) {
- if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
+ if (ipv4def->nranges || ipv4def->nhosts)
break;
}
- /* allow DHCP requests through to dnsmasq */
-
- if (iptablesAddTcpInput(AF_INET, network->def->bridge, 67) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow DHCP requests from
'%s'"),
- network->def->bridge);
- goto err1;
- }
-
- if (iptablesAddUdpInput(AF_INET, network->def->bridge, 67) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow DHCP requests from
'%s'"),
- network->def->bridge);
- goto err2;
- }
-
- if (iptablesAddUdpOutput(AF_INET, network->def->bridge, 68) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow DHCP replies to
'%s'"),
- network->def->bridge);
- goto err3;
- }
-
/* If we are doing local DHCP service on this network, attempt to
* add a rule that will fixup the checksum of DHCP response
* packets back to the guests (but report failure without
* aborting, since not all iptables implementations support it).
*/
-
- if (ipv4def && (ipv4def->nranges || ipv4def->nhosts) &&
- (iptablesAddOutputFixUdpChecksum(network->def->bridge, 68) < 0)) {
- VIR_WARN("Could not add rule to fixup DHCP response checksums "
- "on network '%s'.", network->def->name);
- VIR_WARN("May need to update iptables package & kernel to support
CHECKSUM rule.");
- }
-
- /* allow DNS requests through to dnsmasq */
- if (iptablesAddTcpInput(AF_INET, network->def->bridge, 53) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow DNS requests from
'%s'"),
- network->def->bridge);
- goto err4;
- }
-
- if (iptablesAddUdpInput(AF_INET, network->def->bridge, 53) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow DNS requests from
'%s'"),
- network->def->bridge);
- goto err5;
- }
-
- /* allow TFTP requests through to dnsmasq if necessary */
- if (ipv4def && ipv4def->tftproot &&
- iptablesAddUdpInput(AF_INET, network->def->bridge, 69) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow TFTP requests from
'%s'"),
- network->def->bridge);
- goto err6;
- }
-
- /* Catch all rules to block forwarding to/from bridges */
-
- if (iptablesAddForwardRejectOut(AF_INET, network->def->bridge) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to block outbound traffic from
'%s'"),
- network->def->bridge);
- goto err7;
- }
-
- if (iptablesAddForwardRejectIn(AF_INET, network->def->bridge) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to block inbound traffic to
'%s'"),
- network->def->bridge);
- goto err8;
- }
-
- /* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(AF_INET, network->def->bridge) < 0) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("failed to add iptables rule to allow cross bridge traffic
on '%s'"),
- network->def->bridge);
- goto err9;
- }
-
- /* add IPv6 general rules, if needed */
- if (networkAddGeneralIp6tablesRules(network) < 0) {
- goto err10;
- }
-
- return 0;
-
- /* unwind in reverse order from the point of failure */
- err10:
- iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
- err9:
- iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
- err8:
- iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
- err7:
- if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
- }
- err6:
- iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
- err5:
- iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
- err4:
- iptablesRemoveUdpOutput(AF_INET, network->def->bridge, 68);
- err3:
- iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
- err2:
- iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
- err1:
- return -1;
+ if (ipv4def)
+ iptablesAddOutputFixUdpChecksum(fw, network->def->bridge, 68);
}
static void
-networkRemoveGeneralFirewallRules(virNetworkObjPtr network)
+networkRemoveChecksumFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network)
{
size_t i;
virNetworkIpDefPtr ipv4def;
- networkRemoveGeneralIp6tablesRules(network);
-
+ /* First look for first IPv4 address that has dhcp or tftpboot defined. */
+ /* We support dhcp config on 1 IPv4 interface only. */
for (i = 0;
(ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i));
i++) {
- if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
+ if (ipv4def->nranges || ipv4def->nhosts)
break;
}
- iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
- iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
- iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
- if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
- }
- iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
- iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
- if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) {
- iptablesRemoveOutputFixUdpChecksum(network->def->bridge, 68);
- }
- iptablesRemoveUdpOutput(AF_INET, network->def->bridge, 68);
- iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
- iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
+ if (ipv4def)
+ iptablesRemoveOutputFixUdpChecksum(fw, network->def->bridge, 68);
}
static int
-networkAddIpSpecificFirewallRules(virNetworkObjPtr network,
+networkAddIpSpecificFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
/* NB: in the case of IPv6, routing rules are added when the
@@ -717,70 +578,74 @@ networkAddIpSpecificFirewallRules(virNetworkObjPtr network,
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- return networkAddMasqueradingFirewallRules(network, ipdef);
+ return networkAddMasqueradingFirewallRules(fw, network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- return networkAddRoutingFirewallRules(network, ipdef);
+ return networkAddRoutingFirewallRules(fw, network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- return networkAddRoutingFirewallRules(network, ipdef);
+ return networkAddRoutingFirewallRules(fw, network, ipdef);
}
return 0;
}
-static void
-networkRemoveIpSpecificFirewallRules(virNetworkObjPtr network,
+static int
+networkRemoveIpSpecificFirewallRules(virFirewallPtr fw,
+ virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- networkRemoveMasqueradingFirewallRules(network, ipdef);
+ return networkRemoveMasqueradingFirewallRules(fw, network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- networkRemoveRoutingFirewallRules(network, ipdef);
+ return networkRemoveRoutingFirewallRules(fw, network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- networkRemoveRoutingFirewallRules(network, ipdef);
+ return networkRemoveRoutingFirewallRules(fw, network, ipdef);
}
+ return 0;
}
/* Add all rules for all ip addresses (and general rules) on a network */
int networkAddFirewallRules(virNetworkObjPtr network)
{
- size_t i, j;
+ size_t i;
virNetworkIpDefPtr ipdef;
- virErrorPtr orig_error;
+ virFirewallPtr fw = NULL;
+ int ret = -1;
- /* Add "once per network" rules */
- if (networkAddGeneralFirewallRules(network) < 0)
- return -1;
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, 0);
+
+ networkAddGeneralFirewallRules(fw, network);
for (i = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, i));
i++) {
- /* Add address-specific iptables rules */
- if (networkAddIpSpecificFirewallRules(network, ipdef) < 0) {
- goto err;
- }
+ if (networkAddIpSpecificFirewallRules(fw, network, ipdef) < 0)
+ goto cleanup;
}
- return 0;
- err:
- /* store the previous error message before attempting removal of rules */
- orig_error = virSaveLastError();
+ virFirewallStartRollback(fw, 0);
- /* The final failed call to networkAddIpSpecificFirewallRules will
- * have removed any rules it created, but we need to remove those
- * added for previous IP addresses.
- */
- for (j = 0; j < i; j++) {
- if ((ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, j)))
- networkRemoveIpSpecificFirewallRules(network, ipdef);
+ for (i = 0;
+ (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, i));
+ i++) {
+ if (networkRemoveIpSpecificFirewallRules(fw, network, ipdef) < 0)
+ goto cleanup;
}
- networkRemoveGeneralFirewallRules(network);
+ networkRemoveGeneralFirewallRules(fw, network);
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ networkAddChecksumFirewallRules(fw, network);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
- /* return the original error */
- virSetError(orig_error);
- virFreeError(orig_error);
- return -1;
+ ret = 0;
+ cleanup:
+ virFirewallFree(fw);
+ return ret;
}
/* Remove all rules for all ip addresses (and general rules) on a network */
@@ -788,11 +653,25 @@ void networkRemoveFirewallRules(virNetworkObjPtr network)
{
size_t i;
virNetworkIpDefPtr ipdef;
+ virFirewallPtr fw = NULL;
+
+ fw = virFirewallNew();
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ networkRemoveChecksumFirewallRules(fw, network);
+
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
for (i = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, i));
i++) {
- networkRemoveIpSpecificFirewallRules(network, ipdef);
+ if (networkRemoveIpSpecificFirewallRules(fw, network, ipdef) < 0)
+ goto cleanup;
}
- networkRemoveGeneralFirewallRules(network);
+ networkRemoveGeneralFirewallRules(fw, network);
+
+ virFirewallApply(fw);
+
+ cleanup:
+ virFirewallFree(fw);
}
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index c8c4175..4f3ac9c 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -54,56 +54,6 @@ VIR_LOG_INIT("util.iptables");
bool iptables_supports_xlock = false;
-#if HAVE_FIREWALLD
-static char *firewall_cmd_path = NULL;
-#endif
-
-static int
-virIpTablesOnceInit(void)
-{
- virCommandPtr cmd;
- int status;
-
-#if HAVE_FIREWALLD
- firewall_cmd_path = virFindFileInPath("firewall-cmd");
- if (!firewall_cmd_path) {
- VIR_INFO("firewall-cmd not found on system. "
- "firewalld support disabled for iptables.");
- } else {
- cmd = virCommandNew(firewall_cmd_path);
-
- virCommandAddArgList(cmd, "--state", NULL);
- /* don't log non-zero status */
- if (virCommandRun(cmd, &status) < 0 || status != 0) {
- VIR_INFO("firewall-cmd found but disabled for iptables");
- VIR_FREE(firewall_cmd_path);
- firewall_cmd_path = NULL;
- } else {
- VIR_INFO("using firewalld for iptables commands");
- }
- virCommandFree(cmd);
- }
-
- if (firewall_cmd_path)
- return 0;
-
-#endif
-
- cmd = virCommandNew(IPTABLES_PATH);
- virCommandAddArgList(cmd, "-w", "-L", "-n", NULL);
- /* don't log non-zero status */
- if (virCommandRun(cmd, &status) < 0 || status != 0) {
- VIR_INFO("xtables locking not supported by your iptables");
- } else {
- VIR_INFO("using xtables locking for iptables");
- iptables_supports_xlock = true;
- }
- virCommandFree(cmd);
- return 0;
-}
-
-VIR_ONCE_GLOBAL_INIT(virIpTables)
-
#define VIR_FROM_THIS VIR_FROM_NONE
enum {
@@ -111,63 +61,10 @@ enum {
REMOVE
};
-static virCommandPtr
-iptablesCommandNew(const char *table, const char *chain, int family, int action)
-{
- virCommandPtr cmd = NULL;
- virIpTablesInitialize();
-#if HAVE_FIREWALLD
- if (firewall_cmd_path) {
- cmd = virCommandNew(firewall_cmd_path);
- virCommandAddArgList(cmd, "--direct", "--passthrough",
- (family == AF_INET6) ? "ipv6" : "ipv4",
NULL);
- }
-#endif
-
- if (cmd == NULL) {
- cmd = virCommandNew((family == AF_INET6)
- ? IP6TABLES_PATH : IPTABLES_PATH);
- if (iptables_supports_xlock)
- virCommandAddArgList(cmd, "-w", NULL);
- }
-
- virCommandAddArgList(cmd, "--table", table,
- action == ADD ? "--insert" : "--delete",
- chain, NULL);
- return cmd;
-}
-
-static int
-iptablesCommandRunAndFree(virCommandPtr cmd)
-{
- int ret;
- ret = virCommandRun(cmd, NULL);
- virCommandFree(cmd);
- return ret;
-}
-
-static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(const char *table, const char *chain, int family, int action,
- const char *arg, ...)
-{
- va_list args;
- virCommandPtr cmd = NULL;
- const char *s;
-
- cmd = iptablesCommandNew(table, chain, family, action);
- virCommandAddArg(cmd, arg);
-
- va_start(args, arg);
- while ((s = va_arg(args, const char *)))
- virCommandAddArg(cmd, s);
- va_end(args);
-
- return iptablesCommandRunAndFree(cmd);
-}
-
-static int
-iptablesInput(int family,
+static void
+iptablesInput(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port,
int action,
@@ -178,18 +75,19 @@ iptablesInput(int family,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule("filter", "INPUT",
- family,
- action,
- "--in-interface", iface,
- "--protocol", tcp ? "tcp" :
"udp",
- "--destination-port", portstr,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"INPUT",
+ "--in-interface", iface,
+ "--protocol", tcp ? "tcp" : "udp",
+ "--destination-port", portstr,
+ "--jump", "ACCEPT",
+ NULL);
}
-static int
-iptablesOutput(int family,
+static void
+iptablesOutput(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port,
int action,
@@ -200,14 +98,14 @@ iptablesOutput(int family,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule("filter", "OUTPUT",
- family,
- action,
- "--out-interface", iface,
- "--protocol", tcp ? "tcp" :
"udp",
- "--destination-port", portstr,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"OUTPUT",
+ "--out-interface", iface,
+ "--protocol", tcp ? "tcp" : "udp",
+ "--destination-port", portstr,
+ "--jump", "ACCEPT",
+ NULL);
}
/**
@@ -218,16 +116,14 @@ iptablesOutput(int family,
*
* Add an input to the IP table allowing access to the given @port on
* the given @iface interface for TCP packets
- *
- * Returns 0 in case of success or an error code in case of error
*/
-
-int
-iptablesAddTcpInput(int family,
+void
+iptablesAddTcpInput(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port)
{
- return iptablesInput(family, iface, port, ADD, 1);
+ iptablesInput(fw, layer, iface, port, ADD, 1);
}
/**
@@ -238,15 +134,14 @@ iptablesAddTcpInput(int family,
*
* Removes an input from the IP table, hence forbidding access to the given
* @port on the given @iface interface for TCP packets
- *
- * Returns 0 in case of success or an error code in case of error
*/
-int
-iptablesRemoveTcpInput(int family,
+void
+iptablesRemoveTcpInput(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port)
{
- return iptablesInput(family, iface, port, REMOVE, 1);
+ iptablesInput(fw, layer, iface, port, REMOVE, 1);
}
/**
@@ -257,16 +152,14 @@ iptablesRemoveTcpInput(int family,
*
* Add an input to the IP table allowing access to the given @port on
* the given @iface interface for UDP packets
- *
- * Returns 0 in case of success or an error code in case of error
*/
-
-int
-iptablesAddUdpInput(int family,
+void
+iptablesAddUdpInput(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port)
{
- return iptablesInput(family, iface, port, ADD, 0);
+ iptablesInput(fw, layer, iface, port, ADD, 0);
}
/**
@@ -277,15 +170,14 @@ iptablesAddUdpInput(int family,
*
* Removes an input from the IP table, hence forbidding access to the given
* @port on the given @iface interface for UDP packets
- *
- * Returns 0 in case of success or an error code in case of error
*/
-int
-iptablesRemoveUdpInput(int family,
+void
+iptablesRemoveUdpInput(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port)
{
- return iptablesInput(family, iface, port, REMOVE, 0);
+ return iptablesInput(fw, layer, iface, port, REMOVE, 0);
}
/**
@@ -296,16 +188,14 @@ iptablesRemoveUdpInput(int family,
*
* Add an output to the IP table allowing access to the given @port from
* the given @iface interface for UDP packets
- *
- * Returns 0 in case of success or an error code in case of error
*/
-
-int
-iptablesAddUdpOutput(int family,
+void
+iptablesAddUdpOutput(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port)
{
- return iptablesOutput(family, iface, port, ADD, 0);
+ iptablesOutput(fw, layer, iface, port, ADD, 0);
}
/**
@@ -316,15 +206,14 @@ iptablesAddUdpOutput(int family,
*
* Removes an output from the IP table, hence forbidding access to the given
* @port from the given @iface interface for UDP packets
- *
- * Returns 0 in case of success or an error code in case of error
*/
-int
-iptablesRemoveUdpOutput(int family,
+void
+iptablesRemoveUdpOutput(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port)
{
- return iptablesOutput(family, iface, port, REMOVE, 0);
+ iptablesOutput(fw, layer, iface, port, REMOVE, 0);
}
@@ -364,34 +253,40 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
* to proceed to WAN
*/
static int
-iptablesForwardAllowOut(virSocketAddr *netaddr,
+iptablesForwardAllowOut(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
int action)
{
- int ret;
char *networkstr;
- virCommandPtr cmd = NULL;
+ virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
- cmd = iptablesCommandNew("filter", "FORWARD",
- VIR_SOCKET_ADDR_FAMILY(netaddr),
- action);
- virCommandAddArgList(cmd,
- "--source", networkstr,
- "--in-interface", iface, NULL);
-
if (physdev && physdev[0])
- virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
-
- virCommandAddArgList(cmd, "--jump", "ACCEPT", NULL);
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--source", networkstr,
+ "--in-interface", iface,
+ "--out-interface", physdev,
+ "--jump", "ACCEPT",
+ NULL);
+ else
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--source", networkstr,
+ "--in-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
- ret = iptablesCommandRunAndFree(cmd);
VIR_FREE(networkstr);
- return ret;
+ return 0;
}
/**
@@ -408,12 +303,13 @@ iptablesForwardAllowOut(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowOut(virSocketAddr *netaddr,
+iptablesAddForwardAllowOut(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -430,12 +326,13 @@ iptablesAddForwardAllowOut(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowOut(virSocketAddr *netaddr,
+iptablesRemoveForwardAllowOut(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
}
@@ -443,42 +340,44 @@ iptablesRemoveForwardAllowOut(virSocketAddr *netaddr,
* and associated with an existing connection
*/
static int
-iptablesForwardAllowRelatedIn(virSocketAddr *netaddr,
+iptablesForwardAllowRelatedIn(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
int action)
{
- int ret;
+ virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
char *networkstr;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
- if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule("filter", "FORWARD",
- VIR_SOCKET_ADDR_FAMILY(netaddr),
- action,
- "--destination", networkstr,
- "--in-interface", physdev,
- "--out-interface", iface,
- "--match", "conntrack",
- "--ctstate",
"ESTABLISHED,RELATED",
- "--jump", "ACCEPT",
- NULL);
- } else {
- ret = iptablesAddRemoveRule("filter", "FORWARD",
- VIR_SOCKET_ADDR_FAMILY(netaddr),
- action,
- "--destination", networkstr,
- "--out-interface", iface,
- "--match", "conntrack",
- "--ctstate",
"ESTABLISHED,RELATED",
- "--jump", "ACCEPT",
- NULL);
- }
+ if (physdev && physdev[0])
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--destination", networkstr,
+ "--in-interface", physdev,
+ "--out-interface", iface,
+ "--match", "conntrack",
+ "--ctstate", "ESTABLISHED,RELATED",
+ "--jump", "ACCEPT",
+ NULL);
+ else
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--destination", networkstr,
+ "--out-interface", iface,
+ "--match", "conntrack",
+ "--ctstate", "ESTABLISHED,RELATED",
+ "--jump", "ACCEPT",
+ NULL);
+
VIR_FREE(networkstr);
- return ret;
+ return 0;
}
/**
@@ -495,12 +394,13 @@ iptablesForwardAllowRelatedIn(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
+iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -517,49 +417,51 @@ iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
+iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
-iptablesForwardAllowIn(virSocketAddr *netaddr,
+iptablesForwardAllowIn(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
int action)
{
- int ret;
+ virFirewallLayer layer = VIR_SOCKET_ADDR_FAMILY(netaddr) == AF_INET ?
+ VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
char *networkstr;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
- if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule("filter", "FORWARD",
- VIR_SOCKET_ADDR_FAMILY(netaddr),
- action,
- "--destination", networkstr,
- "--in-interface", physdev,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
- } else {
- ret = iptablesAddRemoveRule("filter", "FORWARD",
- VIR_SOCKET_ADDR_FAMILY(netaddr),
- action,
- "--destination", networkstr,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
- }
+ if (physdev && physdev[0])
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--destination", networkstr,
+ "--in-interface", physdev,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
+ else
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ action == ADD ? "--insert" : "--delete",
"FORWARD",
+ "--destination", networkstr,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
VIR_FREE(networkstr);
- return ret;
+ return 0;
}
/**
@@ -576,12 +478,13 @@ iptablesForwardAllowIn(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowIn(virSocketAddr *netaddr,
+iptablesAddForwardAllowIn(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -598,30 +501,13 @@ iptablesAddForwardAllowIn(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowIn(virSocketAddr *netaddr,
+iptablesRemoveForwardAllowIn(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, REMOVE);
-}
-
-
-/* Allow all traffic between guests on the same bridge,
- * with a valid network address
- */
-static int
-iptablesForwardAllowCross(int family,
- const char *iface,
- int action)
-{
- return iptablesAddRemoveRule("filter", "FORWARD",
- family,
- action,
- "--in-interface", iface,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
}
/**
@@ -635,11 +521,18 @@ iptablesForwardAllowCross(int family,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
-iptablesAddForwardAllowCross(int family,
+void
+iptablesAddForwardAllowCross(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface)
{
- return iptablesForwardAllowCross(family, iface, ADD);
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ "--insert", "FORWARD",
+ "--in-interface", iface,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
}
/**
@@ -653,28 +546,18 @@ iptablesAddForwardAllowCross(int family,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
-iptablesRemoveForwardAllowCross(int family,
+void
+iptablesRemoveForwardAllowCross(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface)
{
- return iptablesForwardAllowCross(family, iface, REMOVE);
-}
-
-
-/* Drop all traffic trying to forward from the bridge.
- * ie the bridge is the in interface
- */
-static int
-iptablesForwardRejectOut(int family,
- const char *iface,
- int action)
-{
- return iptablesAddRemoveRule("filter", "FORWARD",
- family,
- action,
- "--in-interface", iface,
- "--jump", "REJECT",
- NULL);
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ "--delete", "FORWARD",
+ "--in-interface", iface,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
}
/**
@@ -687,11 +570,17 @@ iptablesForwardRejectOut(int family,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
-iptablesAddForwardRejectOut(int family,
+void
+iptablesAddForwardRejectOut(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface)
{
- return iptablesForwardRejectOut(family, iface, ADD);
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ "--insert", "FORWARD",
+ "--in-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
/**
@@ -704,32 +593,20 @@ iptablesAddForwardRejectOut(int family,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
-iptablesRemoveForwardRejectOut(int family,
+void
+iptablesRemoveForwardRejectOut(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface)
{
- return iptablesForwardRejectOut(family, iface, REMOVE);
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ "--delete", "FORWARD",
+ "--in-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
-
-
-/* Drop all traffic trying to forward to the bridge.
- * ie the bridge is the out interface
- */
-static int
-iptablesForwardRejectIn(int family,
- const char *iface,
- int action)
-{
- return iptablesAddRemoveRule("filter", "FORWARD",
- family,
- action,
- "--out-interface", iface,
- "--jump", "REJECT",
- NULL);
-}
-
/**
* iptablesAddForwardRejectIn:
* @ctx: pointer to the IP table context
@@ -740,11 +617,17 @@ iptablesForwardRejectIn(int family,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
-iptablesAddForwardRejectIn(int family,
+void
+iptablesAddForwardRejectIn(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface)
{
- return iptablesForwardRejectIn(family, iface, ADD);
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ "--insert", "FORWARD",
+ "--out-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
/**
@@ -757,11 +640,17 @@ iptablesAddForwardRejectIn(int family,
*
* Returns 0 in case of success or an error code otherwise
*/
-int
-iptablesRemoveForwardRejectIn(int family,
+void
+iptablesRemoveForwardRejectIn(virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface)
{
- return iptablesForwardRejectIn(family, iface, REMOVE);
+ virFirewallAddRule(fw, layer,
+ "--table", "filter",
+ "--delete", "FORWARD",
+ "--out-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
@@ -769,7 +658,8 @@ iptablesRemoveForwardRejectIn(int family,
* with the bridge
*/
static int
-iptablesForwardMasquerade(virSocketAddr *netaddr,
+iptablesForwardMasquerade(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
@@ -783,7 +673,7 @@ iptablesForwardMasquerade(virSocketAddr *netaddr,
char *addrEndStr = NULL;
char *portRangeStr = NULL;
char *natRangeStr = NULL;
- virCommandPtr cmd = NULL;
+ virFirewallRulePtr rule;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -805,16 +695,25 @@ iptablesForwardMasquerade(virSocketAddr *netaddr,
}
}
- cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action);
- virCommandAddArgList(cmd, "--source", networkstr, NULL);
-
- if (protocol && protocol[0])
- virCommandAddArgList(cmd, "-p", protocol, NULL);
-
- virCommandAddArgList(cmd, "!", "--destination", networkstr,
NULL);
+ if (protocol && protocol[0]) {
+ rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "--table", "nat",
+ action == ADD ? "--insert" :
"--delete", "POSTROUTING",
+ "--source", networkstr,
+ "-p", protocol,
+ "!", "--destination", networkstr,
+ NULL);
+ } else {
+ rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "--table", "nat",
+ action == ADD ? "--insert" :
"--delete", "POSTROUTING",
+ "--source", networkstr,
+ "!", "--destination", networkstr,
+ NULL);
+ }
if (physdev && physdev[0])
- virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
+ virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL);
if (protocol && protocol[0]) {
if (port->start == 0 && port->end == 0) {
@@ -848,18 +747,20 @@ iptablesForwardMasquerade(virSocketAddr *netaddr,
if (r < 0)
goto cleanup;
- virCommandAddArgList(cmd, "--jump", "SNAT",
+ virFirewallRuleAddArgList(fw, rule,
+ "--jump", "SNAT",
"--to-source", natRangeStr, NULL);
- } else {
- virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL);
+ } else {
+ virFirewallRuleAddArgList(fw, rule,
+ "--jump", "MASQUERADE", NULL);
- if (portRangeStr && portRangeStr[0])
- virCommandAddArgList(cmd, "--to-ports", &portRangeStr[1],
NULL);
- }
+ if (portRangeStr && portRangeStr[0])
+ virFirewallRuleAddArgList(fw, rule,
+ "--to-ports", &portRangeStr[1],
NULL);
+ }
- ret = virCommandRun(cmd, NULL);
+ ret = 0;
cleanup:
- virCommandFree(cmd);
VIR_FREE(networkstr);
VIR_FREE(addrStartStr);
VIR_FREE(addrEndStr);
@@ -882,14 +783,15 @@ iptablesForwardMasquerade(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardMasquerade(virSocketAddr *netaddr,
+iptablesAddForwardMasquerade(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
protocol, ADD);
}
@@ -907,14 +809,15 @@ iptablesAddForwardMasquerade(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardMasquerade(virSocketAddr *netaddr,
+iptablesRemoveForwardMasquerade(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
protocol, REMOVE);
}
@@ -923,7 +826,8 @@ iptablesRemoveForwardMasquerade(virSocketAddr *netaddr,
* if said traffic targets @destaddr.
*/
static int
-iptablesForwardDontMasquerade(virSocketAddr *netaddr,
+iptablesForwardDontMasquerade(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
const char *destaddr,
@@ -931,7 +835,6 @@ iptablesForwardDontMasquerade(virSocketAddr *netaddr,
{
int ret = -1;
char *networkstr = NULL;
- virCommandPtr cmd = NULL;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -944,16 +847,26 @@ iptablesForwardDontMasquerade(virSocketAddr *netaddr,
goto cleanup;
}
- cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action);
-
if (physdev && physdev[0])
- virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
-
- virCommandAddArgList(cmd, "--source", networkstr,
- "--destination", destaddr, "--jump",
"RETURN", NULL);
- ret = virCommandRun(cmd, NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "--table", "nat",
+ action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ "--out-interface", physdev,
+ "--source", networkstr,
+ "--destination", destaddr,
+ "--jump", "RETURN",
+ NULL);
+ else
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "--table", "nat",
+ action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ "--source", networkstr,
+ "--destination", destaddr,
+ "--jump", "RETURN",
+ NULL);
+
+ ret = 0;
cleanup:
- virCommandFree(cmd);
VIR_FREE(networkstr);
return ret;
}
@@ -973,12 +886,13 @@ iptablesForwardDontMasquerade(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise.
*/
int
-iptablesAddDontMasquerade(virSocketAddr *netaddr,
+iptablesAddDontMasquerade(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(netaddr, prefix, physdev, destaddr,
+ return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
ADD);
}
@@ -997,18 +911,20 @@ iptablesAddDontMasquerade(virSocketAddr *netaddr,
* Returns 0 in case of success or an error code otherwise.
*/
int
-iptablesRemoveDontMasquerade(virSocketAddr *netaddr,
+iptablesRemoveDontMasquerade(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
const char *destaddr)
{
- return iptablesForwardDontMasquerade(netaddr, prefix, physdev, destaddr,
+ return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
REMOVE);
}
-static int
-iptablesOutputFixUdpChecksum(const char *iface,
+static void
+iptablesOutputFixUdpChecksum(virFirewallPtr fw,
+ const char *iface,
int port,
int action)
{
@@ -1017,14 +933,14 @@ iptablesOutputFixUdpChecksum(const char *iface,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule("mangle", "POSTROUTING",
- AF_INET,
- action,
- "--out-interface", iface,
- "--protocol", "udp",
- "--destination-port", portstr,
- "--jump", "CHECKSUM",
"--checksum-fill",
- NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
+ "--table", "mangle",
+ action == ADD ? "--insert" : "--delete",
"POSTROUTING",
+ "--out-interface", iface,
+ "--protocol", "udp",
+ "--destination-port", portstr,
+ "--jump", "CHECKSUM",
"--checksum-fill",
+ NULL);
}
/**
@@ -1037,16 +953,13 @@ iptablesOutputFixUdpChecksum(const char *iface,
* checksum of packets with the given destination @port.
* the given @iface interface for TCP packets.
*
- * Returns 0 in case of success or an error code in case of error.
- * (NB: if the system's iptables does not support checksum mangling,
- * this will return an error, which should be ignored.)
*/
-
-int
-iptablesAddOutputFixUdpChecksum(const char *iface,
+void
+iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
+ const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(iface, port, ADD);
+ iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
}
/**
@@ -1057,14 +970,11 @@ iptablesAddOutputFixUdpChecksum(const char *iface,
*
* Removes the checksum fixup rule that was previous added with
* iptablesAddOutputFixUdpChecksum.
- *
- * Returns 0 in case of success or an error code in case of error
- * (again, if iptables doesn't support checksum fixup, this will
- * return an error, which should be ignored)
*/
-int
-iptablesRemoveOutputFixUdpChecksum(const char *iface,
+void
+iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
+ const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(iface, port, REMOVE);
+ iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
}
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index 2f9a212..9ea25fc 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -21,97 +21,131 @@
* Mark McLoughlin <markmc(a)redhat.com>
*/
-#ifndef __QEMUD_IPTABLES_H__
-# define __QEMUD_IPTABLES_H__
+#ifndef __VIR_IPTABLES_H__
+# define __VIR_IPTABLES_H__
# include "virsocketaddr.h"
+# include "virfirewall.h"
-int iptablesAddTcpInput (int family,
+void iptablesAddTcpInput (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port);
-int iptablesRemoveTcpInput (int family,
+void iptablesRemoveTcpInput (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port);
-int iptablesAddUdpInput (int family,
+void iptablesAddUdpInput (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port);
-int iptablesRemoveUdpInput (int family,
+void iptablesRemoveUdpInput (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port);
-int iptablesAddUdpOutput (int family,
+void iptablesAddUdpOutput (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port);
-int iptablesRemoveUdpOutput (int family,
+void iptablesRemoveUdpOutput (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface,
int port);
-int iptablesAddForwardAllowOut (virSocketAddr *netaddr,
+int iptablesAddForwardAllowOut (virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
- const char *physdev);
-int iptablesRemoveForwardAllowOut (virSocketAddr *netaddr,
+ const char *physdev)
+ ATTRIBUTE_RETURN_CHECK;
+int iptablesRemoveForwardAllowOut (virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
- const char *physdev);
-
-int iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
- unsigned int prefix,
- const char *iface,
- const char *physdev);
-int iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
+ const char *physdev)
+ ATTRIBUTE_RETURN_CHECK;
+int iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
- const char *physdev);
+ const char *physdev)
+ ATTRIBUTE_RETURN_CHECK;
+int iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
+ virSocketAddr *netaddr,
+ unsigned int prefix,
+ const char *iface,
+ const char *physdev)
+ ATTRIBUTE_RETURN_CHECK;
-int iptablesAddForwardAllowIn (virSocketAddr *netaddr,
+int iptablesAddForwardAllowIn (virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
- const char *physdev);
-int iptablesRemoveForwardAllowIn (virSocketAddr *netaddr,
+ const char *physdev)
+ ATTRIBUTE_RETURN_CHECK;
+int iptablesRemoveForwardAllowIn (virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
- const char *physdev);
+ const char *physdev)
+ ATTRIBUTE_RETURN_CHECK;
-int iptablesAddForwardAllowCross (int family,
+void iptablesAddForwardAllowCross (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface);
-int iptablesRemoveForwardAllowCross (int family,
+void iptablesRemoveForwardAllowCross (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface);
-int iptablesAddForwardRejectOut (int family,
+void iptablesAddForwardRejectOut (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface);
-int iptablesRemoveForwardRejectOut (int family,
+void iptablesRemoveForwardRejectOut (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface);
-int iptablesAddForwardRejectIn (int family,
+void iptablesAddForwardRejectIn (virFirewallPtr fw,
+ virFirewallLayer layer,
const char *iface);
-int iptablesRemoveForwardRejectIn (int family,
+void iptablesRemoveForwardRejectIn (virFirewallPtr fw,
+ virFirewallLayer layery,
const char *iface);
-int iptablesAddForwardMasquerade (virSocketAddr *netaddr,
+int iptablesAddForwardMasquerade (virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
- const char *protocol);
-int iptablesRemoveForwardMasquerade (virSocketAddr *netaddr,
+ const char *protocol)
+ ATTRIBUTE_RETURN_CHECK;
+int iptablesRemoveForwardMasquerade (virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
- const char *protocol);
-int iptablesAddDontMasquerade (virSocketAddr *netaddr,
+ const char *protocol)
+ ATTRIBUTE_RETURN_CHECK;
+int iptablesAddDontMasquerade (virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
- const char *destaddr);
-int iptablesRemoveDontMasquerade (virSocketAddr *netaddr,
+ const char *destaddr)
+ ATTRIBUTE_RETURN_CHECK;
+int iptablesRemoveDontMasquerade (virFirewallPtr fw,
+ virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
- const char *destaddr);
-int iptablesAddOutputFixUdpChecksum (const char *iface,
+ const char *destaddr)
+ ATTRIBUTE_RETURN_CHECK;
+void iptablesAddOutputFixUdpChecksum (virFirewallPtr fw,
+ const char *iface,
int port);
-int iptablesRemoveOutputFixUdpChecksum (const char *iface,
+void iptablesRemoveOutputFixUdpChecksum (virFirewallPtr fw,
+ const char *iface,
int port);
-#endif /* __QEMUD_IPTABLES_H__ */
+#endif /* __VIR_IPTABLES_H__ */
--
1.9.0
4:56 p.m.
New subject: [libvirt] [PATCH 12/26] Convert bridge driver over to use new firewall APIs
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Update the iptablesXXXX methods so that instead of directly
executing iptables commands, they populate rules in an
instance of virFirewallPtr. The bridge driver can thus
construct the ruleset and then invoke it in one operation
having rollback handled automatically.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
I looked at this 2 times now... ACK
10:38 a.m.
New subject: [libvirt] [PATCH 13/26] Replace virNetworkObjPtr with virNetworkDefPtr in network platform APIs
The networkCheckRouteCollision, networkAddFirewallRules and
networkRemoveFirewallRules APIs all take a virNetworkObjPtr
instance, but only ever access the 'def' member. It thus
simplifies testing if the APIs are changed to just take a
virNetworkDefPtr instead
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/network/bridge_driver.c | 18 +--
src/network/bridge_driver_linux.c | 226 +++++++++++++++++------------------
src/network/bridge_driver_nop.c | 6 +-
src/network/bridge_driver_platform.h | 7 +-
4 files changed, 129 insertions(+), 128 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index eb276cd..201b22f 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1650,8 +1650,8 @@ networkReloadFirewallRules(virNetworkDriverStatePtr driver)
/* Only the three L3 network types that are configured by libvirt
* need to have iptables rules reloaded.
*/
- networkRemoveFirewallRules(network);
- if (networkAddFirewallRules(network) < 0) {
+ networkRemoveFirewallRules(network->def);
+ if (networkAddFirewallRules(network->def) < 0) {
/* failed to add but already logged */
}
}
@@ -1833,7 +1833,7 @@ networkStartNetworkVirtual(virNetworkDriverStatePtr driver,
int tapfd = -1;
/* Check to see if any network IP collides with an existing route */
- if (networkCheckRouteCollision(network) < 0)
+ if (networkCheckRouteCollision(network->def) < 0)
return -1;
/* Create and configure the bridge device */
@@ -1882,7 +1882,7 @@ networkStartNetworkVirtual(virNetworkDriverStatePtr driver,
goto err1;
/* Add "once per network" rules */
- if (networkAddFirewallRules(network) < 0)
+ if (networkAddFirewallRules(network->def) < 0)
goto err1;
for (i = 0;
@@ -1975,7 +1975,7 @@ networkStartNetworkVirtual(virNetworkDriverStatePtr driver,
err2:
if (!save_err)
save_err = virSaveLastError();
- networkRemoveFirewallRules(network);
+ networkRemoveFirewallRules(network->def);
err1:
if (!save_err)
@@ -2029,7 +2029,7 @@ static int networkShutdownNetworkVirtual(virNetworkDriverStatePtr
driver ATTRIBU
ignore_value(virNetDevSetOnline(network->def->bridge, 0));
- networkRemoveFirewallRules(network);
+ networkRemoveFirewallRules(network->def);
ignore_value(virNetDevBridgeDelete(network->def->bridge));
@@ -2897,7 +2897,7 @@ networkUpdate(virNetworkPtr net,
* old rules (and remember to load new ones after the
* update).
*/
- networkRemoveFirewallRules(network);
+ networkRemoveFirewallRules(network->def);
needFirewallRefresh = true;
break;
default:
@@ -2909,11 +2909,11 @@ networkUpdate(virNetworkPtr net,
/* update the network config in memory/on disk */
if (virNetworkObjUpdate(network, command, section, parentIndex, xml, flags) < 0)
{
if (needFirewallRefresh)
- ignore_value(networkAddFirewallRules(network));
+ ignore_value(networkAddFirewallRules(network->def));
goto cleanup;
}
- if (needFirewallRefresh && networkAddFirewallRules(network) < 0)
+ if (needFirewallRefresh && networkAddFirewallRules(network->def) < 0)
goto cleanup;
if (flags & VIR_NETWORK_UPDATE_AFFECT_CONFIG) {
diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 9f4911b..6b32838 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -40,7 +40,7 @@ VIR_LOG_INIT("network.bridge_driver_linux");
* other scenarios where we can ruin host network connectivity.
* XXX: Using a proper library is preferred over parsing /proc
*/
-int networkCheckRouteCollision(virNetworkObjPtr network)
+int networkCheckRouteCollision(virNetworkDefPtr def)
{
int ret = 0, len;
char *cur, *buf = NULL;
@@ -100,7 +100,7 @@ int networkCheckRouteCollision(virNetworkObjPtr network)
addr_val &= mask_val;
for (i = 0;
- (ipdef = virNetworkDefGetIpByIndex(network->def, AF_INET, i));
+ (ipdef = virNetworkDefGetIpByIndex(def, AF_INET, i));
i++) {
unsigned int net_dest;
@@ -108,7 +108,7 @@ int networkCheckRouteCollision(virNetworkObjPtr network)
if (virNetworkIpDefNetmask(ipdef, &netmask) < 0) {
VIR_WARN("Failed to get netmask of '%s'",
- network->def->bridge);
+ def->bridge);
continue;
}
@@ -136,16 +136,16 @@ static const char networkLocalBroadcast[] =
"255.255.255.255/32";
static int
networkAddMasqueradingFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network,
+ virNetworkDefPtr def,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
- const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
if (prefix < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Invalid prefix or netmask for '%s'"),
- network->def->bridge);
+ def->bridge);
return -1;
}
@@ -153,7 +153,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
if (iptablesAddForwardAllowOut(fw,
&ipdef->address,
prefix,
- network->def->bridge,
+ def->bridge,
forwardIf) < 0)
return -1;
@@ -163,7 +163,7 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
if (iptablesAddForwardAllowRelatedIn(fw,
&ipdef->address,
prefix,
- network->def->bridge,
+ def->bridge,
forwardIf) < 0)
return -1;
@@ -204,8 +204,8 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
&ipdef->address,
prefix,
forwardIf,
- &network->def->forward.addr,
- &network->def->forward.port,
+ &def->forward.addr,
+ &def->forward.port,
NULL) < 0)
return -1;
@@ -214,8 +214,8 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
&ipdef->address,
prefix,
forwardIf,
- &network->def->forward.addr,
- &network->def->forward.port,
+ &def->forward.addr,
+ &def->forward.port,
"udp") < 0)
return -1;
@@ -224,8 +224,8 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
&ipdef->address,
prefix,
forwardIf,
- &network->def->forward.addr,
- &network->def->forward.port,
+ &def->forward.addr,
+ &def->forward.port,
"tcp") < 0)
return -1;
@@ -250,11 +250,11 @@ networkAddMasqueradingFirewallRules(virFirewallPtr fw,
static int
networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network,
+ virNetworkDefPtr def,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
- const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
if (prefix < 0)
return 0;
@@ -277,8 +277,8 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
&ipdef->address,
prefix,
forwardIf,
- &network->def->forward.addr,
- &network->def->forward.port,
+ &def->forward.addr,
+ &def->forward.port,
"tcp") < 0)
return -1;
@@ -286,8 +286,8 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
&ipdef->address,
prefix,
forwardIf,
- &network->def->forward.addr,
- &network->def->forward.port,
+ &def->forward.addr,
+ &def->forward.port,
"udp") < 0)
return -1;
@@ -295,22 +295,22 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
&ipdef->address,
prefix,
forwardIf,
- &network->def->forward.addr,
- &network->def->forward.port,
+ &def->forward.addr,
+ &def->forward.port,
NULL) < 0)
return -1;
if (iptablesRemoveForwardAllowRelatedIn(fw,
&ipdef->address,
prefix,
- network->def->bridge,
+ def->bridge,
forwardIf) < 0)
return -1;
if (iptablesRemoveForwardAllowOut(fw,
&ipdef->address,
prefix,
- network->def->bridge,
+ def->bridge,
forwardIf) < 0)
return -1;
@@ -320,16 +320,16 @@ networkRemoveMasqueradingFirewallRules(virFirewallPtr fw,
static int
networkAddRoutingFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network,
+ virNetworkDefPtr def,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
- const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
if (prefix < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Invalid prefix or netmask for '%s'"),
- network->def->bridge);
+ def->bridge);
return -1;
}
@@ -337,7 +337,7 @@ networkAddRoutingFirewallRules(virFirewallPtr fw,
if (iptablesAddForwardAllowOut(fw,
&ipdef->address,
prefix,
- network->def->bridge,
+ def->bridge,
forwardIf) < 0)
return -1;
@@ -345,7 +345,7 @@ networkAddRoutingFirewallRules(virFirewallPtr fw,
if (iptablesAddForwardAllowIn(fw,
&ipdef->address,
prefix,
- network->def->bridge,
+ def->bridge,
forwardIf) < 0)
return -1;
@@ -355,11 +355,11 @@ networkAddRoutingFirewallRules(virFirewallPtr fw,
static int
networkRemoveRoutingFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network,
+ virNetworkDefPtr def,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
- const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
+ const char *forwardIf = virNetworkDefForwardIf(def, 0);
if (prefix < 0)
return 0;
@@ -367,14 +367,14 @@ networkRemoveRoutingFirewallRules(virFirewallPtr fw,
if (iptablesRemoveForwardAllowIn(fw,
&ipdef->address,
prefix,
- network->def->bridge,
+ def->bridge,
forwardIf) < 0)
return -1;
if (iptablesRemoveForwardAllowOut(fw,
&ipdef->address,
prefix,
- network->def->bridge,
+ def->bridge,
forwardIf) < 0)
return -1;
@@ -384,7 +384,7 @@ networkRemoveRoutingFirewallRules(virFirewallPtr fw,
static void
networkAddGeneralIPv4FirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network)
+ virNetworkDefPtr def)
{
size_t i;
virNetworkIpDefPtr ipv4def;
@@ -392,60 +392,60 @@ networkAddGeneralIPv4FirewallRules(virFirewallPtr fw,
/* First look for first IPv4 address that has dhcp or tftpboot defined. */
/* We support dhcp config on 1 IPv4 interface only. */
for (i = 0;
- (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i));
+ (ipv4def = virNetworkDefGetIpByIndex(def, AF_INET, i));
i++) {
if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
break;
}
/* allow DHCP requests through to dnsmasq */
- iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67);
- iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 68);
+ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ iptablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
/* allow DNS requests through to dnsmasq */
- iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53);
+ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
/* allow TFTP requests through to dnsmasq if necessary */
if (ipv4def && ipv4def->tftproot)
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge,
69);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
/* Catch all rules to block forwarding to/from bridges */
- iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
- iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge);
+ iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
/* Allow traffic between guests on the same bridge */
- iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
+ iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
}
static void
networkRemoveGeneralIPv4FirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network)
+ virNetworkDefPtr def)
{
size_t i;
virNetworkIpDefPtr ipv4def;
for (i = 0;
- (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i));
+ (ipv4def = virNetworkDefGetIpByIndex(def, AF_INET, i));
i++) {
if (ipv4def->nranges || ipv4def->nhosts || ipv4def->tftproot)
break;
}
- iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
- iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
- iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4,
network->def->bridge);
+ iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
+ iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge);
if (ipv4def && ipv4def->tftproot)
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge,
69);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69);
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53);
- iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 53);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
+ iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 53);
- iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge,
68);
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67);
- iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, network->def->bridge, 67);
+ iptablesRemoveUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 68);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
+ iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67);
}
@@ -456,73 +456,73 @@ networkRemoveGeneralIPv4FirewallRules(virFirewallPtr fw,
*/
static void
networkAddGeneralIPv6FirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network)
+ virNetworkDefPtr def)
{
- if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
- !network->def->ipv6nogw) {
+ if (!virNetworkDefGetIpByIndex(def, AF_INET6, 0) &&
+ !def->ipv6nogw) {
return;
}
/* Catch all rules to block forwarding to/from bridges */
- iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
- iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge);
+ iptablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ iptablesAddForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
/* Allow traffic between guests on the same bridge */
- iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
+ iptablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
- if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
+ if (virNetworkDefGetIpByIndex(def, AF_INET6, 0)) {
/* allow DNS over IPv6 */
- iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
53);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
53);
- iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
547);
+ iptablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
}
}
static void
networkRemoveGeneralIPv6FirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network)
+ virNetworkDefPtr def)
{
- if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
- !network->def->ipv6nogw) {
+ if (!virNetworkDefGetIpByIndex(def, AF_INET6, 0) &&
+ !def->ipv6nogw) {
return;
}
- if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
547);
- iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
53);
- iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, network->def->bridge,
53);
+ if (virNetworkDefGetIpByIndex(def, AF_INET6, 0)) {
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547);
+ iptablesRemoveUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
+ iptablesRemoveTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53);
}
/* the following rules are there if no IPv6 address has been defined
- * but network->def->ipv6nogw == true
+ * but def->ipv6nogw == true
*/
- iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
- iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
- iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6,
network->def->bridge);
+ iptablesRemoveForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ iptablesRemoveForwardRejectIn(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
+ iptablesRemoveForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge);
}
static void
networkAddGeneralFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network)
+ virNetworkDefPtr def)
{
- networkAddGeneralIPv4FirewallRules(fw, network);
- networkAddGeneralIPv6FirewallRules(fw, network);
+ networkAddGeneralIPv4FirewallRules(fw, def);
+ networkAddGeneralIPv6FirewallRules(fw, def);
}
static void
networkRemoveGeneralFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network)
+ virNetworkDefPtr def)
{
- networkRemoveGeneralIPv4FirewallRules(fw, network);
- networkRemoveGeneralIPv6FirewallRules(fw, network);
+ networkRemoveGeneralIPv4FirewallRules(fw, def);
+ networkRemoveGeneralIPv6FirewallRules(fw, def);
}
static void
networkAddChecksumFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network)
+ virNetworkDefPtr def)
{
size_t i;
virNetworkIpDefPtr ipv4def;
@@ -530,7 +530,7 @@ networkAddChecksumFirewallRules(virFirewallPtr fw,
/* First look for first IPv4 address that has dhcp or tftpboot defined. */
/* We support dhcp config on 1 IPv4 interface only. */
for (i = 0;
- (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i));
+ (ipv4def = virNetworkDefGetIpByIndex(def, AF_INET, i));
i++) {
if (ipv4def->nranges || ipv4def->nhosts)
break;
@@ -542,13 +542,13 @@ networkAddChecksumFirewallRules(virFirewallPtr fw,
* aborting, since not all iptables implementations support it).
*/
if (ipv4def)
- iptablesAddOutputFixUdpChecksum(fw, network->def->bridge, 68);
+ iptablesAddOutputFixUdpChecksum(fw, def->bridge, 68);
}
static void
networkRemoveChecksumFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network)
+ virNetworkDefPtr def)
{
size_t i;
virNetworkIpDefPtr ipv4def;
@@ -556,33 +556,33 @@ networkRemoveChecksumFirewallRules(virFirewallPtr fw,
/* First look for first IPv4 address that has dhcp or tftpboot defined. */
/* We support dhcp config on 1 IPv4 interface only. */
for (i = 0;
- (ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, i));
+ (ipv4def = virNetworkDefGetIpByIndex(def, AF_INET, i));
i++) {
if (ipv4def->nranges || ipv4def->nhosts)
break;
}
if (ipv4def)
- iptablesRemoveOutputFixUdpChecksum(fw, network->def->bridge, 68);
+ iptablesRemoveOutputFixUdpChecksum(fw, def->bridge, 68);
}
static int
networkAddIpSpecificFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network,
+ virNetworkDefPtr def,
virNetworkIpDefPtr ipdef)
{
/* NB: in the case of IPv6, routing rules are added when the
* forward mode is NAT. This is because IPv6 has no NAT.
*/
- if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
+ if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- return networkAddMasqueradingFirewallRules(fw, network, ipdef);
+ return networkAddMasqueradingFirewallRules(fw, def, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- return networkAddRoutingFirewallRules(fw, network, ipdef);
- } else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- return networkAddRoutingFirewallRules(fw, network, ipdef);
+ return networkAddRoutingFirewallRules(fw, def, ipdef);
+ } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+ return networkAddRoutingFirewallRules(fw, def, ipdef);
}
return 0;
}
@@ -590,23 +590,23 @@ networkAddIpSpecificFirewallRules(virFirewallPtr fw,
static int
networkRemoveIpSpecificFirewallRules(virFirewallPtr fw,
- virNetworkObjPtr network,
+ virNetworkDefPtr def,
virNetworkIpDefPtr ipdef)
{
- if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
+ if (def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- return networkRemoveMasqueradingFirewallRules(fw, network, ipdef);
+ return networkRemoveMasqueradingFirewallRules(fw, def, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- return networkRemoveRoutingFirewallRules(fw, network, ipdef);
- } else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- return networkRemoveRoutingFirewallRules(fw, network, ipdef);
+ return networkRemoveRoutingFirewallRules(fw, def, ipdef);
+ } else if (def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
+ return networkRemoveRoutingFirewallRules(fw, def, ipdef);
}
return 0;
}
/* Add all rules for all ip addresses (and general rules) on a network */
-int networkAddFirewallRules(virNetworkObjPtr network)
+int networkAddFirewallRules(virNetworkDefPtr def)
{
size_t i;
virNetworkIpDefPtr ipdef;
@@ -617,27 +617,27 @@ int networkAddFirewallRules(virNetworkObjPtr network)
virFirewallStartTransaction(fw, 0);
- networkAddGeneralFirewallRules(fw, network);
+ networkAddGeneralFirewallRules(fw, def);
for (i = 0;
- (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, i));
+ (ipdef = virNetworkDefGetIpByIndex(def, AF_UNSPEC, i));
i++) {
- if (networkAddIpSpecificFirewallRules(fw, network, ipdef) < 0)
+ if (networkAddIpSpecificFirewallRules(fw, def, ipdef) < 0)
goto cleanup;
}
virFirewallStartRollback(fw, 0);
for (i = 0;
- (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, i));
+ (ipdef = virNetworkDefGetIpByIndex(def, AF_UNSPEC, i));
i++) {
- if (networkRemoveIpSpecificFirewallRules(fw, network, ipdef) < 0)
+ if (networkRemoveIpSpecificFirewallRules(fw, def, ipdef) < 0)
goto cleanup;
}
- networkRemoveGeneralFirewallRules(fw, network);
+ networkRemoveGeneralFirewallRules(fw, def);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- networkAddChecksumFirewallRules(fw, network);
+ networkAddChecksumFirewallRules(fw, def);
if (virFirewallApply(fw) < 0)
goto cleanup;
@@ -649,7 +649,7 @@ int networkAddFirewallRules(virNetworkObjPtr network)
}
/* Remove all rules for all ip addresses (and general rules) on a network */
-void networkRemoveFirewallRules(virNetworkObjPtr network)
+void networkRemoveFirewallRules(virNetworkDefPtr def)
{
size_t i;
virNetworkIpDefPtr ipdef;
@@ -658,17 +658,17 @@ void networkRemoveFirewallRules(virNetworkObjPtr network)
fw = virFirewallNew();
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- networkRemoveChecksumFirewallRules(fw, network);
+ networkRemoveChecksumFirewallRules(fw, def);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
for (i = 0;
- (ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, i));
+ (ipdef = virNetworkDefGetIpByIndex(def, AF_UNSPEC, i));
i++) {
- if (networkRemoveIpSpecificFirewallRules(fw, network, ipdef) < 0)
+ if (networkRemoveIpSpecificFirewallRules(fw, def, ipdef) < 0)
goto cleanup;
}
- networkRemoveGeneralFirewallRules(fw, network);
+ networkRemoveGeneralFirewallRules(fw, def);
virFirewallApply(fw);
diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_nop.c
index b8aeaba..5e1acd0 100644
--- a/src/network/bridge_driver_nop.c
+++ b/src/network/bridge_driver_nop.c
@@ -21,16 +21,16 @@
#include <config.h>
-int networkCheckRouteCollision(virNetworkObjPtr network ATTRIBUTE_UNUSED)
+int networkCheckRouteCollision(virNetworkDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
-int networkAddFirewallRules(virNetworkObjPtr network ATTRIBUTE_UNUSED)
+int networkAddFirewallRules(virNetworkDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
-void networkRemoveFirewallRules(virNetworkObjPtr network ATTRIBUTE_UNUSED)
+void networkRemoveFirewallRules(virNetworkDefPtr def ATTRIBUTE_UNUSED)
{
}
diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driver_platform.h
index 6a571da..a1286da 100644
--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
@@ -21,6 +21,7 @@
* Author: Daniel P. Berrange <berrange(a)redhat.com>
*/
+
#ifndef __VIR_BRIDGE_DRIVER_PLATFORM_H__
# define __VIR_BRIDGE_DRIVER_PLATFORM_H__
@@ -50,10 +51,10 @@ struct _virNetworkDriverState {
typedef struct _virNetworkDriverState virNetworkDriverState;
typedef virNetworkDriverState *virNetworkDriverStatePtr;
-int networkCheckRouteCollision(virNetworkObjPtr network);
+int networkCheckRouteCollision(virNetworkDefPtr def);
-int networkAddFirewallRules(virNetworkObjPtr network);
+int networkAddFirewallRules(virNetworkDefPtr def);
-void networkRemoveFirewallRules(virNetworkObjPtr network);
+void networkRemoveFirewallRules(virNetworkDefPtr def);
#endif /* __VIR_BRIDGE_DRIVER_PLATFORM_H__ */
--
1.9.0
5 p.m.
New subject: [libvirt] [PATCH 13/26] Replace virNetworkObjPtr with virNetworkDefPtr in network platform APIs
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
The networkCheckRouteCollision, networkAddFirewallRules and
networkRemoveFirewallRules APIs all take a virNetworkObjPtr
instance, but only ever access the 'def' member. It thus
simplifies testing if the APIs are changed to just take a
virNetworkDefPtr instead
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
diff --git a/src/network/bridge_driver_platform.h
b/src/network/bridge_driver_platform.h
index 6a571da..a1286da 100644
--- a/src/network/bridge_driver_platform.h
+++ b/src/network/bridge_driver_platform.h
@@ -21,6 +21,7 @@
* Author: Daniel P. Berrange <berrange(a)redhat.com>
*/
+
This may be the only unnecessary part.
Otherwise a replacement by pattern. Compile doesn't complain ... ACK
10:38 a.m.
New subject: [libvirt] [PATCH 14/26] Add test for converting network XML to iptables rules
Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
tests/Makefile.am | 17 ++-
.../networkxml2firewalldata/nat-default-linux.args | 30 ++++
tests/networkxml2firewalldata/nat-default.xml | 10 ++
tests/networkxml2firewalldata/nat-ipv6-linux.args | 44 ++++++
tests/networkxml2firewalldata/nat-ipv6.xml | 15 ++
.../nat-many-ips-linux.args | 58 ++++++++
tests/networkxml2firewalldata/nat-many-ips.xml | 12 ++
.../networkxml2firewalldata/nat-no-dhcp-linux.args | 42 ++++++
tests/networkxml2firewalldata/nat-no-dhcp.xml | 7 +
tests/networkxml2firewalldata/nat-tftp-linux.args | 32 ++++
tests/networkxml2firewalldata/nat-tftp.xml | 11 ++
.../route-default-linux.args | 20 +++
tests/networkxml2firewalldata/route-default.xml | 10 ++
tests/networkxml2firewalltest.c | 162 +++++++++++++++++++++
14 files changed, 468 insertions(+), 2 deletions(-)
create mode 100644 tests/networkxml2firewalldata/nat-default-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-default.xml
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-ipv6.xml
create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-many-ips.xml
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp.xml
create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-tftp.xml
create mode 100644 tests/networkxml2firewalldata/route-default-linux.args
create mode 100644 tests/networkxml2firewalldata/route-default.xml
create mode 100644 tests/networkxml2firewalltest.c
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a10919d..75e723f 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -87,6 +87,7 @@ EXTRA_DIST = \
networkxml2confdata \
networkxml2xmlupdatein \
networkxml2xmlupdateout \
+ networkxml2firewalldata \
nodedevschemadata \
nodedevschematest \
nodeinfodata \
@@ -249,10 +250,16 @@ if WITH_YAJL
test_programs += jsontest
endif WITH_YAJL
-test_programs += networkxml2xmltest networkxml2xmlupdatetest
+test_programs += \
+ networkxml2xmltest \
+ networkxml2xmlupdatetest \
+ $(NULL)
if WITH_NETWORK
-test_programs += networkxml2conftest
+test_programs += \
+ networkxml2conftest \
+ networkxml2firewalltest \
+ $(NULL)
endif WITH_NETWORK
if WITH_STORAGE_SHEEPDOG
@@ -655,6 +662,12 @@ networkxml2conftest_SOURCES = \
networkxml2conftest.c \
testutils.c testutils.h
networkxml2conftest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
+networkxml2firewalltest_SOURCES = \
+ networkxml2firewalltest.c \
+ testutils.c testutils.h
+networkxml2firewalltest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
else ! WITH_NETWORK
EXTRA_DIST += networkxml2conftest.c
endif ! WITH_NETWORK
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
new file mode 100644
index 0000000..0ec2807
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -0,0 +1,30 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-default.xml
b/tests/networkxml2firewalldata/nat-default.xml
new file mode 100644
index 0000000..d7241d0
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default.xml
@@ -0,0 +1,10 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
new file mode 100644
index 0000000..690a354
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -0,0 +1,44 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 547 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-ipv6.xml
b/tests/networkxml2firewalldata/nat-ipv6.xml
new file mode 100644
index 0000000..337e71d
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6.xml
@@ -0,0 +1,15 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+ <ip family="ipv6" address="2001:db8:ca2:2::1"
prefix="64" >
+ <dhcp>
+ <range start="2001:db8:ca2:2:1::10"
end="2001:db8:ca2:2:1::ff" />
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
new file mode 100644
index 0000000..92c6069
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -0,0 +1,58 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.128.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.128.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 '!'
\
+--destination 192.168.128.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+-p udp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+-p tcp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.150.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.150.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 '!'
\
+--destination 192.168.150.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+-p udp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+-p tcp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-many-ips.xml
b/tests/networkxml2firewalldata/nat-many-ips.xml
new file mode 100644
index 0000000..0c8dcff
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips.xml
@@ -0,0 +1,12 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+ <ip address="192.168.128.1" netmask="255.255.255.0"/>
+ <ip address="192.168.150.1" netmask="255.255.255.0"/>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
new file mode 100644
index 0000000..bbfb3eb
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -0,0 +1,42 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 547 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 --jump ACCEPT
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp.xml
b/tests/networkxml2firewalldata/nat-no-dhcp.xml
new file mode 100644
index 0000000..0bccd1d
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-no-dhcp.xml
@@ -0,0 +1,7 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0"/>
+ <ip family="ipv6" address="2001:db8:ca2:2::1"
prefix="64"/>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
new file mode 100644
index 0000000..d6d65c1
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -0,0 +1,32 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 69 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-tftp.xml
b/tests/networkxml2firewalldata/nat-tftp.xml
new file mode 100644
index 0000000..17e8e0a
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-tftp.xml
@@ -0,0 +1,11 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <tftp root='/some/dir'/>
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
new file mode 100644
index 0000000..31e5394
--- /dev/null
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/route-default.xml
b/tests/networkxml2firewalldata/route-default.xml
new file mode 100644
index 0000000..3bc7bb9
--- /dev/null
+++ b/tests/networkxml2firewalldata/route-default.xml
@@ -0,0 +1,10 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward mode='route'/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
new file mode 100644
index 0000000..55cb38a
--- /dev/null
+++ b/tests/networkxml2firewalltest.c
@@ -0,0 +1,162 @@
+/*
+ * networkxml2firewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "network/bridge_driver_platform.h"
+# include "virbuffer.h"
+
+# define __VIR_FIREWALL_PRIV_H_ALLOW__
+# include "virfirewallpriv.h"
+
+# define __VIR_COMMAND_PRIV_H_ALLOW__
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+static const char *abs_top_srcdir;
+
+# ifdef __linux__
+# define RULESTYPE "linux"
+# else
+# error "test case not ported to this platform"
+# endif
+
+static int testCompareXMLToArgvFiles(const char *xml,
+ const char *cmdline)
+{
+ char *expectargv = NULL;
+ int len;
+ char *actualargv = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ virNetworkDefPtr def = NULL;
+ int ret = -1;
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (!(def = virNetworkDefParseFile(xml)))
+ goto cleanup;
+
+ if (networkAddFirewallRules(def) < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actualargv = virBufferContentAndReset(&buf);
+ virCommandSetDryRun(NULL, NULL, NULL);
+
+ len = virtTestLoadFile(cmdline, &expectargv);
+ if (len < 0)
+ goto cleanup;
+
+ if (STRNEQ(expectargv, actualargv)) {
+ virtTestDifference(stderr, expectargv, actualargv);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ virBufferFreeAndReset(&buf);
+ VIR_FREE(expectargv);
+ VIR_FREE(actualargv);
+ virNetworkDefFree(def);
+ return ret;
+}
+
+struct testInfo {
+ const char *name;
+};
+
+
+static int
+testCompareXMLToIPTablesHelper(const void *data)
+{
+ int result = -1;
+ const struct testInfo *info = data;
+ char *xml = NULL;
+ char *args = NULL;
+
+ if (virAsprintf(&xml, "%s/networkxml2firewalldata/%s.xml",
+ abs_srcdir, info->name) < 0 ||
+ virAsprintf(&args, "%s/networkxml2firewalldata/%s-%s.args",
+ abs_srcdir, info->name, RULESTYPE) < 0)
+ goto cleanup;
+
+ result = testCompareXMLToArgvFiles(xml, args);
+
+ cleanup:
+ VIR_FREE(xml);
+ VIR_FREE(args);
+ return result;
+}
+
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+ abs_top_srcdir = getenv("abs_top_srcdir");
+ if (!abs_top_srcdir)
+ abs_top_srcdir = abs_srcdir "/..";
+
+# define DO_TEST(name) \
+ do { \
+ static struct testInfo info = { \
+ name, \
+ }; \
+ if (virtTestRun("Network XML-2-iptables " name, \
+ testCompareXMLToIPTablesHelper, &info) < 0) \
+ ret = -1; \
+ } while (0)
+
+ if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+
+ DO_TEST("nat-default");
+ DO_TEST("nat-tftp");
+ DO_TEST("nat-many-ips");
+ DO_TEST("nat-no-dhcp");
+ DO_TEST("nat-ipv6");
+ DO_TEST("route-default");
+ DO_TEST("route-default");
+
+ cleanup:
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
+
+#else /* ! defined (__linux__) */
+
+int main(void)
+{
+ return EXIT_AM_SKIP;
+}
+
+#endif /* ! defined (__linux__) */
--
1.9.0
5:11 p.m.
New subject: [libvirt] [PATCH 14/26] Add test for converting network XML to iptables rules
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
Great. I did not check the individual iptables rules whether they are
correct for the XML.
ACK
8:54 a.m.
New subject: [libvirt] [PATCH 14/26] Add test for converting network XML to iptables rules
On 04/08/2014 05:38 PM, Daniel P. Berrange wrote:
Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
new file mode 100644
index 0000000..0ec2807
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -0,0 +1,30 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
This test fails on systems having iptables in /sbin
Jan
8:37 a.m.
New subject: [libvirt] [PATCH 14/26] Add test for converting network XML to iptables rules
On Wed, Apr 16, 2014 at 03:54:48PM +0200, Ján Tomko wrote:
On 04/08/2014 05:38 PM, Daniel P. Berrange wrote:
> Using the virCommand dry run capability, capture iptables rules
> created by various network XML documents.
>
> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> ---
> diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
> new file mode 100644
> index 0000000..0ec2807
> --- /dev/null
> +++ b/tests/networkxml2firewalldata/nat-default-linux.args
> @@ -0,0 +1,30 @@
> +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol
tcp \
> +--destination-port 67 --jump ACCEPT
This test fails on systems having iptables in /sbin
I'm going to add the following code which strips off any path
component from the buffer we construct. The '.args' files can
then be changed to say 'iptables' instead of '/sbin/iptables'
which will make is portable
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 55cb38a..9255e01 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -65,6 +65,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
goto cleanup;
actualargv = virBufferContentAndReset(&buf);
+ virtTestClearCommandPath(actualargv);
virCommandSetDryRun(NULL, NULL, NULL);
len = virtTestLoadFile(cmdline, &expectargv);
diff --git a/tests/testutils.c b/tests/testutils.c
index feda22b..a1d31f0 100644
--- a/tests/testutils.c
+++ b/tests/testutils.c
@@ -855,6 +855,57 @@ int virtTestClearLineRegex(const char *pattern,
}
+/*
+ * @cmdset contains a list of command line args, eg
+ *
+ * "/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0
--protocol tcp --destination-port 53 --jump ACCEPT
+ * /usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp
--destination-port 53 --jump ACCEPT
+ * /usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump
REJECT
+ * /usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump
REJECT
+ * /usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0
--out-interface virbr0 --jump ACCEPT"
+ *
+ * And we're munging it in-place to string the path component
+ * of the command line, to produce
+ *
+ * "iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp
--destination-port 53 --jump ACCEPT
+ * iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp
--destination-port 53 --jump ACCEPT
+ * iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+ * iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+ * iptables --table filter --insert FORWARD --in-interface virbr0 --out-interface virbr0
--jump ACCEPT"
+ */
+void virtTestClearCommandPath(char *cmdset)
+{
+ size_t offset = 0;
+ char *lineStart = cmdset;
+ char *lineEnd = strchr(lineStart, '\n');
+
+ while (lineStart) {
+ char *dirsep;
+ char *movestart;
+ size_t movelen;
+ dirsep = strchr(lineStart, ' ');
+ if (dirsep) {
+ while (dirsep > lineStart && *dirsep != '/')
+ dirsep--;
+ if (*dirsep == '/')
+ dirsep++;
+ movestart = dirsep;
+ } else {
+ movestart = lineStart;
+ }
+ movelen = lineEnd ? lineEnd - movestart : strlen(movestart);
+
+ if (movelen) {
+ memmove(cmdset + offset, movestart, movelen + 1);
+ offset += movelen + 1;
+ }
+ lineStart = lineEnd ? lineEnd + 1 : NULL;
+ lineEnd = lineStart ? strchr(lineStart, '\n') : NULL;
+ }
+ cmdset[offset] = '\0';
+}
+
+
virCapsPtr virTestGenericCapsInit(void)
{
virCapsPtr caps;
diff --git a/tests/testutils.h b/tests/testutils.h
index e89492b..ad28ea7 100644
--- a/tests/testutils.h
+++ b/tests/testutils.h
@@ -59,6 +59,8 @@ int virtTestCaptureProgramOutput(const char *const argv[], char **buf,
int maxle
int virtTestClearLineRegex(const char *pattern,
char *string);
+void virtTestClearCommandPath(char *cmdset);
+
int virtTestDifference(FILE *stream,
const char *expect,
const char *actual);
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
9:06 a.m.
New subject: [libvirt] [PATCH 14/26] Add test for converting network XML to iptables rules
On 04/25/2014 07:37 AM, Daniel P. Berrange wrote:
On Wed, Apr 16, 2014 at 03:54:48PM +0200, Ján Tomko wrote:
> On 04/08/2014 05:38 PM, Daniel P. Berrange wrote:
>> Using the virCommand dry run capability, capture iptables rules
>> created by various network XML documents.
+ * And we're munging it in-place to string the path component
+ * of the command line, to produce
s/string/strip/
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
10:38 a.m.
New subject: [libvirt] [PATCH 15/26] Convert ebtables code over to use firewall APIs
Convert the virebtables.{c,h} files to use the new virFirewall
APIs for changing ebtables rules.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/util/virebtables.c | 185 ++++++++++++-------------------------------------
1 file changed, 45 insertions(+), 140 deletions(-)
diff --git a/src/util/virebtables.c b/src/util/virebtables.c
index 2e5c025..2ffff08 100644
--- a/src/util/virebtables.c
+++ b/src/util/virebtables.c
@@ -25,67 +25,18 @@
#include <config.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <errno.h>
-#include <limits.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/wait.h>
-
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-
#include "internal.h"
#include "virebtables.h"
-#include "vircommand.h"
#include "viralloc.h"
#include "virerror.h"
-#include "virfile.h"
#include "virlog.h"
-#include "virthread.h"
#include "virstring.h"
-#include "virutil.h"
+#include "virfirewall.h"
#define VIR_FROM_THIS VIR_FROM_NONE
VIR_LOG_INIT("util.ebtables");
-#if HAVE_FIREWALLD
-static char *firewall_cmd_path = NULL;
-
-static int
-virEbTablesOnceInit(void)
-{
- firewall_cmd_path = virFindFileInPath("firewall-cmd");
- if (!firewall_cmd_path) {
- VIR_INFO("firewall-cmd not found on system. "
- "firewalld support disabled for ebtables.");
- } else {
- virCommandPtr cmd = virCommandNew(firewall_cmd_path);
-
- virCommandAddArgList(cmd, "--state", NULL);
- if (virCommandRun(cmd, NULL) < 0) {
- VIR_INFO("firewall-cmd found but disabled for ebtables");
- VIR_FREE(firewall_cmd_path);
- firewall_cmd_path = NULL;
- } else {
- VIR_INFO("using firewalld for ebtables commands");
- }
- virCommandFree(cmd);
- }
- return 0;
-}
-
-VIR_ONCE_GLOBAL_INIT(virEbTables)
-
-#endif
-
struct _ebtablesContext
{
char *chain;
@@ -96,84 +47,6 @@ enum {
REMOVE,
};
-
-static int ATTRIBUTE_SENTINEL
-ebtablesAddRemoveRule(const char *arg, ...)
-{
- va_list args;
- int retval = ENOMEM;
- char **argv;
- const char *s;
- int n;
-
- n = 1 + /* /sbin/ebtables */
- 2 + /* --table foo */
- 2 + /* --insert bar */
- 1; /* arg */
-
-#if HAVE_FIREWALLD
- virEbTablesInitialize();
- if (firewall_cmd_path)
- n += 3; /* --direct --passthrough eb */
-#endif
-
- va_start(args, arg);
- while (va_arg(args, const char *))
- n++;
-
- va_end(args);
-
- if (VIR_ALLOC_N(argv, n + 1) < 0)
- goto error;
-
- n = 0;
-
-#if HAVE_FIREWALLD
- if (firewall_cmd_path) {
- if (VIR_STRDUP(argv[n++], firewall_cmd_path) < 0)
- goto error;
- if (VIR_STRDUP(argv[n++], "--direct") < 0)
- goto error;
- if (VIR_STRDUP(argv[n++], "--passthrough") < 0)
- goto error;
- if (VIR_STRDUP(argv[n++], "eb") < 0)
- goto error;
- } else
-#endif
- if (VIR_STRDUP(argv[n++], EBTABLES_PATH) < 0)
- goto error;
-
- if (VIR_STRDUP(argv[n++], arg) < 0)
- goto error;
-
- va_start(args, arg);
-
- while ((s = va_arg(args, const char *))) {
- if (VIR_STRDUP(argv[n++], s) < 0) {
- va_end(args);
- goto error;
- }
- }
-
- va_end(args);
-
- if (virRun((const char **)argv, NULL) < 0) {
- retval = errno;
- goto error;
- }
-
- error:
- if (argv) {
- n = 0;
- while (argv[n])
- VIR_FREE(argv[n++]);
- VIR_FREE(argv);
- }
-
- return retval;
-}
-
-
/**
* ebtablesContextNew:
*
@@ -216,12 +89,30 @@ ebtablesContextFree(ebtablesContext *ctx)
int
ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
{
- ebtablesAddRemoveRule("--new-chain", ctx->chain, NULL,
- NULL);
- ebtablesAddRemoveRule("--insert", "FORWARD", "--jump",
- ctx->chain, NULL);
- return ebtablesAddRemoveRule("-P", ctx->chain, "DROP",
- NULL);
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+
+ fw = virFirewallNew();
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--new-chain", ctx->chain,
+ NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--insert", "FORWARD",
+ "--jump", ctx->chain, NULL);
+
+ virFirewallStartTransaction(fw, 0);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-P", ctx->chain, "DROP",
+ NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ virFirewallFree(fw);
+ return ret;
}
@@ -234,12 +125,26 @@ ebtablesForwardAllowIn(ebtablesContext *ctx,
const char *macaddr,
int action)
{
- return ebtablesAddRemoveRule(action == ADD ? "--insert" :
"--delete",
- ctx->chain,
- "--in-interface", iface,
- "--source", macaddr,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+
+ fw = virFirewallNew();
+ virFirewallStartTransaction(fw, 0);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ action == ADD ? "--insert" : "--delete",
+ ctx->chain,
+ "--in-interface", iface,
+ "--source", macaddr,
+ "--jump", "ACCEPT",
+ NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ virFirewallFree(fw);
+ return ret;
}
/**
--
1.9.0
5:15 p.m.
New subject: [libvirt] [PATCH 15/26] Convert ebtables code over to use firewall APIs
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the virebtables.{c,h} files to use the new virFirewall
APIs for changing ebtables rules.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
/**
* ebtablesContextNew:
*
@@ -216,12 +89,30 @@ ebtablesContextFree(ebtablesContext *ctx)
int
ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
{
- ebtablesAddRemoveRule("--new-chain", ctx->chain, NULL,
- NULL);
- ebtablesAddRemoveRule("--insert", "FORWARD",
"--jump",
- ctx->chain, NULL);
- return ebtablesAddRemoveRule("-P", ctx->chain, "DROP",
- NULL);
+ virFirewallPtr fw = NULL;
+ int ret = -1;
+
+ fw = virFirewallNew();
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
Ignoring errors because the ebtablesAdd* calls above ignored them as
well... makes sense.
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--new-chain", ctx->chain,
+ NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "--insert", "FORWARD",
+ "--jump", ctx->chain, NULL);
+
+ virFirewallStartTransaction(fw, 0);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-P", ctx->chain, "DROP",
+ NULL);
+
+ if (virFirewallApply(fw) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ virFirewallFree(fw);
+ return ret;
}
ACK
10:38 a.m.
New subject: [libvirt] [PATCH 16/26] Convert nwfilter ebiptablesAllTeardown to virFirewall
Convert the nwfilter ebiptablesAllTeardown method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/Makefile.am | 18 +-
src/nwfilter/nwfilter_ebiptables_driver.c | 326 ++++++++++++++++++++++++++----
tests/Makefile.am | 11 +
tests/nwfilterebiptablestest.c | 116 +++++++++++
4 files changed, 422 insertions(+), 49 deletions(-)
create mode 100644 tests/nwfilterebiptablestest.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 7615294..70ef6b6 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1536,6 +1536,9 @@ endif WITH_NODE_DEVICES
if WITH_NWFILTER
+noinst_LTLIBRARIES += libvirt_driver_nwfilter_impl.la
+libvirt_driver_nwfilter_la_SOURCES =
+libvirt_driver_nwfilter_la_LIBADD = libvirt_driver_nwfilter_impl.la
if WITH_DRIVER_MODULES
mod_LTLIBRARIES += libvirt_driver_nwfilter.la
else ! WITH_DRIVER_MODULES
@@ -1543,20 +1546,23 @@ noinst_LTLIBRARIES += libvirt_driver_nwfilter.la
# Stateful, so linked to daemon instead
#libvirt_la_BUILT_LIBADD += libvirt_driver_nwfilter.la
endif ! WITH_DRIVER_MODULES
-libvirt_driver_nwfilter_la_CFLAGS = \
+libvirt_driver_nwfilter_impl_la_CFLAGS = \
$(LIBPCAP_CFLAGS) \
$(LIBNL_CFLAGS) \
$(DBUS_CFLAGS) \
-I$(top_srcdir)/src/access \
-I$(top_srcdir)/src/conf \
$(AM_CFLAGS)
-libvirt_driver_nwfilter_la_LDFLAGS = $(AM_LDFLAGS)
-libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) $(DBUS_LIBS)
+libvirt_driver_nwfilter_impl_la_LDFLAGS = $(AM_LDFLAGS)
+libvirt_driver_nwfilter_impl_la_LIBADD = \
+ $(LIBPCAP_LIBS) \
+ $(LIBNL_LIBS) \
+ $(DBUS_LIBS)
if WITH_DRIVER_MODULES
-libvirt_driver_nwfilter_la_LIBADD += ../gnulib/lib/libgnu.la
-libvirt_driver_nwfilter_la_LDFLAGS += -module -avoid-version
+libvirt_driver_nwfilter_impl_la_LIBADD += ../gnulib/lib/libgnu.la
+libvirt_driver_nwfilter_impl_la_LDFLAGS += -module -avoid-version
endif WITH_DRIVER_MODULES
-libvirt_driver_nwfilter_la_SOURCES = $(NWFILTER_DRIVER_SOURCES)
+libvirt_driver_nwfilter_impl_la_SOURCES = $(NWFILTER_DRIVER_SOURCES)
endif WITH_NWFILTER
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 0361d99..8a53ceb 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -45,6 +45,7 @@
#include "configmake.h"
#include "intprops.h"
#include "virstring.h"
+#include "virfirewall.h"
#define VIR_FROM_THIS VIR_FROM_NWFILTER
@@ -180,22 +181,15 @@ static const char ebiptables_script_set_ifs[] =
snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname)
#define PHYSDEV_IN "--physdev-in"
-#define PHYSDEV_OUT "--physdev-is-bridged --physdev-out"
-/*
- * Previous versions of libvirt only used --physdev-out.
- * To be able to upgrade with running VMs we need to be able to
- * remove rules generated by those older versions of libvirt.
- */
-#define PHYSDEV_OUT_OLD "--physdev-out"
static const char *m_state_out_str = "-m state --state NEW,ESTABLISHED";
static const char *m_state_in_str = "-m state --state ESTABLISHED";
static const char *m_state_out_str_new = "-m conntrack --ctstate
NEW,ESTABLISHED";
static const char *m_state_in_str_new = "-m conntrack --ctstate ESTABLISHED";
-static const char *m_physdev_in_str = "-m physdev " PHYSDEV_IN;
-static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
-static const char *m_physdev_out_old_str = "-m physdev " PHYSDEV_OUT_OLD;
+static const char *m_physdev_in_str = "-m physdev --physdev-in";
+static const char *m_physdev_out_str = "-m physdev --physdev-is-bridged
--physdev-out";
+static const char *m_physdev_out_old_str = "-m physdev --physdev-out";
#define MATCH_STATE_OUT m_state_out_str
#define MATCH_STATE_IN m_state_in_str
@@ -203,6 +197,10 @@ static const char *m_physdev_out_old_str = "-m physdev "
PHYSDEV_OUT_OLD;
#define MATCH_PHYSDEV_OUT m_physdev_out_str
#define MATCH_PHYSDEV_OUT_OLD m_physdev_out_old_str
+#define MATCH_PHYSDEV_IN_FW "-m", "physdev",
"--physdev-in"
+#define MATCH_PHYSDEV_OUT_FW "-m", "physdev",
"--physdev-is-bridged", "--physdev-out"
+#define MATCH_PHYSDEV_OUT_OLD_FW "-m", "physdev",
"--physdev-out"
+
#define COMMENT_VARNAME "comment"
static int ebtablesRemoveBasicRules(const char *ifname);
@@ -661,6 +659,32 @@ _iptablesRemoveRootChain(virBufferPtr buf,
static void
+_iptablesRemoveRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ char prefix,
+ bool incoming, const char *ifname,
+ int isTempChain)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix[2] = {
+ prefix,
+ };
+
+ if (isTempChain)
+ chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ else
+ chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN
+ : CHAINPREFIX_HOST_OUT;
+
+ PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ virFirewallAddRule(fw, layer, "-F", chain, NULL);
+ virFirewallAddRule(fw, layer, "-X", chain, NULL);
+}
+
+
+static void
iptablesRemoveRootChain(virBufferPtr buf,
char prefix,
bool incoming,
@@ -671,6 +695,17 @@ iptablesRemoveRootChain(virBufferPtr buf,
static void
+iptablesRemoveRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ char prefix,
+ bool incoming,
+ const char *ifname)
+{
+ _iptablesRemoveRootChainFW(fw, layer, prefix, incoming, ifname, false);
+}
+
+
+static void
iptablesRemoveTmpRootChain(virBufferPtr buf,
char prefix,
bool incoming,
@@ -702,6 +737,17 @@ iptablesRemoveRootChains(virBufferPtr buf,
static void
+iptablesRemoveRootChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
+{
+ iptablesRemoveRootChainFW(fw, layer, 'F', false, ifname);
+ iptablesRemoveRootChainFW(fw, layer, 'F', true, ifname);
+ iptablesRemoveRootChainFW(fw, layer, 'H', true, ifname);
+}
+
+
+static void
iptablesLinkTmpRootChain(virBufferPtr buf,
const char *basechain,
char prefix,
@@ -762,14 +808,14 @@ iptablesSetupVirtInPost(virBufferPtr buf,
static void
-iptablesClearVirtInPost(virBufferPtr buf,
- const char *ifname)
+iptablesClearVirtInPostFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
{
- const char *match = MATCH_PHYSDEV_IN;
- virBufferAsprintf(buf,
- "$IPT -D " VIRT_IN_POST_CHAIN
- " %s %s -j ACCEPT" CMD_SEPARATOR,
- match, ifname);
+ virFirewallAddRule(fw, layer,
+ "-D", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
}
static void
@@ -817,6 +863,54 @@ _iptablesUnlinkRootChain(virBufferPtr buf,
static void
+_iptablesUnlinkRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *basechain,
+ char prefix,
+ bool incoming, const char *ifname,
+ int isTempChain)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix[2] = {
+ prefix,
+ };
+ if (isTempChain)
+ chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ else
+ chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN
+ : CHAINPREFIX_HOST_OUT;
+
+ PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ if (incoming)
+ virFirewallAddRule(fw, layer,
+ "-D", basechain,
+ MATCH_PHYSDEV_IN_FW, ifname,
+ "-g", chain,
+ NULL);
+ else
+ virFirewallAddRule(fw, layer,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_FW, ifname,
+ "-g", chain,
+ NULL);
+
+ /*
+ * Previous versions of libvirt may have created a rule
+ * with the --physdev-is-bridged missing. Remove this one
+ * as well.
+ */
+ if (!incoming)
+ virFirewallAddRule(fw, layer,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_OLD_FW, ifname,
+ "-g", chain,
+ NULL);
+}
+
+
+static void
iptablesUnlinkRootChain(virBufferPtr buf,
const char *basechain,
char prefix,
@@ -826,6 +920,17 @@ iptablesUnlinkRootChain(virBufferPtr buf,
basechain, prefix, incoming, ifname, false);
}
+static void
+iptablesUnlinkRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *basechain,
+ char prefix,
+ bool incoming, const char *ifname)
+{
+ _iptablesUnlinkRootChainFW(fw, layer,
+ basechain, prefix, incoming, ifname, false);
+}
+
static void
iptablesUnlinkTmpRootChain(virBufferPtr buf,
@@ -849,6 +954,17 @@ iptablesUnlinkRootChains(virBufferPtr buf,
static void
+iptablesUnlinkRootChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
+{
+ iptablesUnlinkRootChainFW(fw, layer, VIRT_OUT_CHAIN, 'F', false, ifname);
+ iptablesUnlinkRootChainFW(fw, layer, VIRT_IN_CHAIN, 'F', true, ifname);
+ iptablesUnlinkRootChainFW(fw, layer, HOST_IN_CHAIN, 'H', true, ifname);
+}
+
+
+static void
iptablesUnlinkTmpRootChains(virBufferPtr buf,
const char *ifname)
{
@@ -2802,6 +2918,29 @@ _ebtablesRemoveRootChain(virBufferPtr buf,
static void
+_ebtablesRemoveRootChainFW(virFirewallPtr fw,
+ bool incoming, const char *ifname,
+ int isTempChain)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix;
+ if (isTempChain)
+ chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ else
+ chainPrefix = incoming ? CHAINPREFIX_HOST_IN
+ : CHAINPREFIX_HOST_OUT;
+
+ PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-F", chain, NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-X", chain, NULL);
+}
+
+
+static void
ebtablesRemoveRootChain(virBufferPtr buf,
bool incoming, const char *ifname)
{
@@ -2810,6 +2949,14 @@ ebtablesRemoveRootChain(virBufferPtr buf,
static void
+ebtablesRemoveRootChainFW(virFirewallPtr fw,
+ bool incoming, const char *ifname)
+{
+ _ebtablesRemoveRootChainFW(fw, incoming, ifname, false);
+}
+
+
+static void
ebtablesRemoveTmpRootChain(virBufferPtr buf,
bool incoming, const char *ifname)
{
@@ -2845,6 +2992,32 @@ _ebtablesUnlinkRootChain(virBufferPtr buf,
static void
+_ebtablesUnlinkRootChainFW(virFirewallPtr fw,
+ bool incoming, const char *ifname,
+ int isTempChain)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix;
+
+ if (isTempChain) {
+ chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ } else {
+ chainPrefix = incoming ? CHAINPREFIX_HOST_IN
+ : CHAINPREFIX_HOST_OUT;
+ }
+
+ PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-D",
+ incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+ incoming ? "-i" : "-o",
+ ifname, "-j", chain, NULL);
+}
+
+
+static void
ebtablesUnlinkRootChain(virBufferPtr buf,
bool incoming, const char *ifname)
{
@@ -2853,6 +3026,14 @@ ebtablesUnlinkRootChain(virBufferPtr buf,
static void
+ebtablesUnlinkRootChainFW(virFirewallPtr fw,
+ bool incoming, const char *ifname)
+{
+ _ebtablesUnlinkRootChainFW(fw, incoming, ifname, false);
+}
+
+
+static void
ebtablesUnlinkTmpRootChain(virBufferPtr buf,
bool incoming, const char *ifname)
{
@@ -2972,6 +3153,58 @@ _ebtablesRemoveSubChains(virBufferPtr buf,
virBufferAddLit(buf, "rm_chains $chains\n");
}
+
+static int
+ebtablesRemoveSubChainsQuery(virFirewallPtr fw,
+ const char *const *lines,
+ void *opaque)
+{
+ size_t i, j;
+ const char *chains = opaque;
+
+ for (i = 0; lines[i] != NULL; i++) {
+ VIR_DEBUG("Considering '%s'", lines[i]);
+ char *tmp = strstr(lines[i], "-j ");
+ if (!tmp)
+ continue;
+ tmp = tmp + 3;
+ for (j = 0; chains[j]; j++) {
+ if (tmp[0] == chains[j] &&
+ tmp[1] == '-') {
+ VIR_DEBUG("Processing chain '%s'", tmp);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chains,
+ "-t", "nat", "-L",
tmp, NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-F", tmp,
NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-X", tmp,
NULL);
+ }
+ }
+ }
+
+ return 0;
+}
+
+
+static void
+_ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+ const char *ifname,
+ const char *chains)
+{
+ char rootchain[MAX_CHAINNAME_LENGTH];
+ size_t i;
+
+ for (i = 0; chains[i] != 0; i++) {
+ PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chains,
+ "-t", "nat", "-L",
rootchain, NULL);
+ }
+}
+
static void
ebtablesRemoveSubChains(virBufferPtr buf,
const char *ifname)
@@ -2986,6 +3219,19 @@ ebtablesRemoveSubChains(virBufferPtr buf,
}
static void
+ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+ const char *ifname)
+{
+ char chains[3] = {
+ CHAINPREFIX_HOST_IN,
+ CHAINPREFIX_HOST_OUT,
+ 0
+ };
+
+ _ebtablesRemoveSubChainsFW(fw, ifname, chains);
+}
+
+static void
ebtablesRemoveTmpSubChains(virBufferPtr buf,
const char *ifname)
{
@@ -4052,43 +4298,37 @@ ebiptablesTearOldRules(const char *ifname)
* Unconditionally remove all possible user defined tables and rules
* that were created for the given interface (ifname).
*
- * Always returns 0.
+ * Returns 0 on success, -1 on OOM
*/
static int
ebiptablesAllTeardown(const char *ifname)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
-
- if (iptables_cmd_path) {
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+ virFirewallPtr fw = virFirewallNew();
+ int ret = -1;
- iptablesUnlinkRootChains(&buf, ifname);
- iptablesClearVirtInPost(&buf, ifname);
- iptablesRemoveRootChains(&buf, ifname);
- }
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- if (ip6tables_cmd_path) {
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesClearVirtInPostFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
- iptablesUnlinkRootChains(&buf, ifname);
- iptablesClearVirtInPost(&buf, ifname);
- iptablesRemoveRootChains(&buf, ifname);
- }
+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesClearVirtInPostFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
- if (ebtables_cmd_path) {
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ ebtablesUnlinkRootChainFW(fw, true, ifname);
+ ebtablesUnlinkRootChainFW(fw, false, ifname);
- ebtablesUnlinkRootChain(&buf, true, ifname);
- ebtablesUnlinkRootChain(&buf, false, ifname);
+ ebtablesRemoveSubChainsFW(fw, ifname);
- ebtablesRemoveSubChains(&buf, ifname);
+ ebtablesRemoveRootChainFW(fw, true, ifname);
+ ebtablesRemoveRootChainFW(fw, false, ifname);
- ebtablesRemoveRootChain(&buf, true, ifname);
- ebtablesRemoveRootChain(&buf, false, ifname);
- }
- ebiptablesExecCLI(&buf, true, NULL);
-
- return 0;
+ virMutexLock(&execCLIMutex);
+ ret = virFirewallApply(fw);
+ virMutexUnlock(&execCLIMutex);
+ virFirewallFree(fw);
+ return ret;
}
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 75e723f..9547c02 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -268,6 +268,10 @@ endif WITH_STORAGE_SHEEPDOG
test_programs += nwfilterxml2xmltest
+if WITH_NWFILTER
+test_programs += nwfilterebiptablestest
+endif WITH_NWFILTER
+
if WITH_STORAGE
test_programs += storagevolxml2argvtest
endif WITH_STORAGE
@@ -687,6 +691,13 @@ nwfilterxml2xmltest_SOURCES = \
testutils.c testutils.h
nwfilterxml2xmltest_LDADD = $(LDADDS)
+if WITH_NWFILTER
+nwfilterebiptablestest_SOURCES = \
+ nwfilterebiptablestest.c \
+ testutils.c testutils.h
+nwfilterebiptablestest_LDADD = ../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
+endif WITH_NWFILTER
+
secretxml2xmltest_SOURCES = \
secretxml2xmltest.c \
testutils.c testutils.h
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
new file mode 100644
index 0000000..c05682b
--- /dev/null
+++ b/tests/nwfilterebiptablestest.c
@@ -0,0 +1,116 @@
+/*
+ * nwfilterebiptablestest.c: Test {eb,ip,ip6}tables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ */
+
+#include <config.h>
+
+#include "testutils.h"
+#include "nwfilter/nwfilter_ebiptables_driver.h"
+#include "virbuffer.h"
+
+#define __VIR_FIREWALL_PRIV_H_ALLOW__
+#include "virfirewallpriv.h"
+
+#define __VIR_COMMAND_PRIV_H_ALLOW__
+#include "vircommandpriv.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+static int
+testNWFilterEBIPTablesAllTeardown(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/iptables -F FO-vnet0\n"
+ "/usr/sbin/iptables -X FO-vnet0\n"
+ "/usr/sbin/iptables -F FI-vnet0\n"
+ "/usr/sbin/iptables -X FI-vnet0\n"
+ "/usr/sbin/iptables -F HI-vnet0\n"
+ "/usr/sbin/iptables -X HI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/ip6tables -F FO-vnet0\n"
+ "/usr/sbin/ip6tables -X FO-vnet0\n"
+ "/usr/sbin/ip6tables -F FI-vnet0\n"
+ "/usr/sbin/ip6tables -X FI-vnet0\n"
+ "/usr/sbin/ip6tables -F HI-vnet0\n"
+ "/usr/sbin/ip6tables -X HI-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j
libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j
libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-O-vnet0\n";
+ const char *actual = NULL;
+ int ret = -1;
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (ebiptables_driver.allTeardown("vnet0") < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&buf);
+
+ if (STRNEQ_NULLABLE(actual, expected)) {
+ virtTestDifference(stderr, actual, expected);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virBufferFreeAndReset(&buf);
+ return ret;
+}
+
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+ if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+
+ if (virtTestRun("ebiptablesAllTeardown",
+ testNWFilterEBIPTablesAllTeardown,
+ NULL) < 0)
+ ret = -1;
+
+ cleanup:
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
--
1.9.0
12:19 p.m.
New subject: [libvirt] [PATCH 16/26] Convert nwfilter ebiptablesAllTeardown to virFirewall
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the nwfilter ebiptablesAllTeardown method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
@@ -2972,6 +3153,58 @@ _ebtablesRemoveSubChains(virBufferPtr buf,
virBufferAddLit(buf, "rm_chains $chains\n");
}
+
+static int
+ebtablesRemoveSubChainsQuery(virFirewallPtr fw,
+ const char *const *lines,
+ void *opaque)
+{
+ size_t i, j;
+ const char *chains = opaque;
+
The problem here is 'opaque' may have gone out of scope ... [continue below]
+ for (i = 0; lines[i] != NULL; i++) {
+ VIR_DEBUG("Considering '%s'", lines[i]);
+ char *tmp = strstr(lines[i], "-j ");
+ if (!tmp)
+ continue;
+ tmp = tmp + 3;
+ for (j = 0; chains[j]; j++) {
+ if (tmp[0] == chains[j] &&
+ tmp[1] == '-') {
+ VIR_DEBUG("Processing chain '%s'", tmp);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chains,
+ "-t", "nat", "-L",
tmp, NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-F", tmp,
NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-X", tmp,
NULL);
+ }
+ }
+ }
+
+ return 0;
+}
+
+
+static void
+_ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+ const char *ifname,
+ const char *chains)
+{
+ char rootchain[MAX_CHAINNAME_LENGTH];
+ size_t i;
+
[...]
@@ -2986,6 +3219,19 @@ ebtablesRemoveSubChains(virBufferPtr buf,
}
static void
+ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+ const char *ifname)
+{
+ char chains[3] = {
+ CHAINPREFIX_HOST_IN,
+ CHAINPREFIX_HOST_OUT,
+ 0
+ };
+
... due to these arrays residing on the stack. So I prepended 'static'
to these arrays and the ebtables rules cleanup started working.
My suggested modification to this patch would be this here:
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -139,6 +139,19 @@ static const struct ushort_map l3_protoc
};
+static char chainprefixes_host[3] = {
+ CHAINPREFIX_HOST_IN,
+ CHAINPREFIX_HOST_OUT,
+ 0
+};
+
+static char chainprefixes_host_temp[3] = {
+ CHAINPREFIX_HOST_IN_TEMP,
+ CHAINPREFIX_HOST_OUT_TEMP,
+ 0
+};
+
+
static int
printVar(virNWFilterVarCombIterPtr vars,
char *buf, int bufsize,
@@ -2621,7 +2634,7 @@ ebtablesRemoveSubChainsQuery(virFirewall
void *opaque)
{
size_t i, j;
- const char *chains = opaque;
+ const char *chainprefixes = opaque;
for (i = 0; lines[i] != NULL; i++) {
VIR_DEBUG("Considering '%s'", lines[i]);
@@ -2629,13 +2642,13 @@ ebtablesRemoveSubChainsQuery(virFirewall
if (!tmp)
continue;
tmp = tmp + 3;
- for (j = 0; chains[j]; j++) {
- if (tmp[0] == chains[j] &&
+ for (j = 0; chainprefixes[j]; j++) {
+ if (tmp[0] == chainprefixes[j] &&
tmp[1] == '-') {
VIR_DEBUG("Processing chain '%s'", tmp);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
false,
ebtablesRemoveSubChainsQuery,
- (void *)chains,
+ (void *)chainprefixes,
"-t", "nat", "-L",
tmp, NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
"-t", "nat", "-F", tmp,
NULL);
@@ -2652,16 +2665,16 @@ ebtablesRemoveSubChainsQuery(virFirewall
static void
_ebtablesRemoveSubChainsFW(virFirewallPtr fw,
const char *ifname,
- const char *chains)
+ const char *chainprefixes)
{
char rootchain[MAX_CHAINNAME_LENGTH];
size_t i;
- for (i = 0; chains[i] != 0; i++) {
- PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
+ for (i = 0; chainprefixes[i] != 0; i++) {
+ PRINT_ROOT_CHAIN(rootchain, chainprefixes[i], ifname);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
false, ebtablesRemoveSubChainsQuery,
- (void *)chains,
+ (void *)chainprefixes,
"-t", "nat", "-L",
rootchain, NULL);
}
}
@@ -2670,13 +2683,7 @@ static void
ebtablesRemoveSubChainsFW(virFirewallPtr fw,
const char *ifname)
{
- char chains[3] = {
- CHAINPREFIX_HOST_IN,
- CHAINPREFIX_HOST_OUT,
- 0
- };
-
- _ebtablesRemoveSubChainsFW(fw, ifname, chains);
+ _ebtablesRemoveSubChainsFW(fw, ifname, chainprefixes_host);
}
@@ -2684,13 +2691,7 @@ static void
ebtablesRemoveTmpSubChainsFW(virFirewallPtr fw,
const char *ifname)
{
- char chains[3] = {
- CHAINPREFIX_HOST_IN_TEMP,
- CHAINPREFIX_HOST_OUT_TEMP,
- 0
- };
-
- _ebtablesRemoveSubChainsFW(fw, ifname, chains);
+ _ebtablesRemoveSubChainsFW(fw, ifname, chainprefixes_host_temp);
}
static void
10:38 a.m.
New subject: [libvirt] [PATCH 17/26] Convert nwfilter ebiptablesTearOldRules to virFirewall
Convert the nwfilter ebiptablesTearOldRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 228 ++++++++++++++++--------------
tests/nwfilterebiptablestest.c | 74 ++++++++++
2 files changed, 192 insertions(+), 110 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 8a53ceb..da4d096 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -685,16 +685,6 @@ _iptablesRemoveRootChainFW(virFirewallPtr fw,
static void
-iptablesRemoveRootChain(virBufferPtr buf,
- char prefix,
- bool incoming,
- const char *ifname)
-{
- _iptablesRemoveRootChain(buf, prefix, incoming, ifname, false);
-}
-
-
-static void
iptablesRemoveRootChainFW(virFirewallPtr fw,
virFirewallLayer layer,
char prefix,
@@ -727,16 +717,6 @@ iptablesRemoveTmpRootChains(virBufferPtr buf,
static void
-iptablesRemoveRootChains(virBufferPtr buf,
- const char *ifname)
-{
- iptablesRemoveRootChain(buf, 'F', false, ifname);
- iptablesRemoveRootChain(buf, 'F', true, ifname);
- iptablesRemoveRootChain(buf, 'H', true, ifname);
-}
-
-
-static void
iptablesRemoveRootChainsFW(virFirewallPtr fw,
virFirewallLayer layer,
const char *ifname)
@@ -911,16 +891,6 @@ _iptablesUnlinkRootChainFW(virFirewallPtr fw,
static void
-iptablesUnlinkRootChain(virBufferPtr buf,
- const char *basechain,
- char prefix,
- bool incoming, const char *ifname)
-{
- _iptablesUnlinkRootChain(buf,
- basechain, prefix, incoming, ifname, false);
-}
-
-static void
iptablesUnlinkRootChainFW(virFirewallPtr fw,
virFirewallLayer layer,
const char *basechain,
@@ -944,16 +914,6 @@ iptablesUnlinkTmpRootChain(virBufferPtr buf,
static void
-iptablesUnlinkRootChains(virBufferPtr buf,
- const char *ifname)
-{
- iptablesUnlinkRootChain(buf, VIRT_OUT_CHAIN, 'F', false, ifname);
- iptablesUnlinkRootChain(buf, VIRT_IN_CHAIN, 'F', true, ifname);
- iptablesUnlinkRootChain(buf, HOST_IN_CHAIN, 'H', true, ifname);
-}
-
-
-static void
iptablesUnlinkRootChainsFW(virFirewallPtr fw,
virFirewallLayer layer,
const char *ifname)
@@ -975,10 +935,11 @@ iptablesUnlinkTmpRootChains(virBufferPtr buf,
static void
-iptablesRenameTmpRootChain(virBufferPtr buf,
- char prefix,
- bool incoming,
- const char *ifname)
+iptablesRenameTmpRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ char prefix,
+ bool incoming,
+ const char *ifname)
{
char tmpchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
char tmpChainPrefix[2] = {
@@ -995,20 +956,19 @@ iptablesRenameTmpRootChain(virBufferPtr buf,
PRINT_IPT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname);
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virBufferAsprintf(buf,
- "$IPT -E %s %s" CMD_SEPARATOR,
- tmpchain,
- chain);
+ virFirewallAddRule(fw, layer,
+ "-E", tmpchain, chain, NULL);
}
static void
-iptablesRenameTmpRootChains(virBufferPtr buf,
- const char *ifname)
+iptablesRenameTmpRootChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
{
- iptablesRenameTmpRootChain(buf, 'F', false, ifname);
- iptablesRenameTmpRootChain(buf, 'F', true, ifname);
- iptablesRenameTmpRootChain(buf, 'H', true, ifname);
+ iptablesRenameTmpRootChainFW(fw, layer, 'F', false, ifname);
+ iptablesRenameTmpRootChainFW(fw, layer, 'F', true, ifname);
+ iptablesRenameTmpRootChainFW(fw, layer, 'H', true, ifname);
}
@@ -3270,6 +3230,30 @@ ebtablesRenameTmpSubChain(virBufferPtr buf,
}
static void
+ebtablesRenameTmpSubChainFW(virFirewallPtr fw,
+ int incoming,
+ const char *ifname,
+ const char *protocol)
+{
+ char tmpchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
+ char tmpChainPrefix = (incoming) ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ char chainPrefix = (incoming) ? CHAINPREFIX_HOST_IN
+ : CHAINPREFIX_HOST_OUT;
+
+ if (protocol) {
+ PRINT_CHAIN(tmpchain, tmpChainPrefix, ifname, protocol);
+ PRINT_CHAIN(chain, chainPrefix, ifname, protocol);
+ } else {
+ PRINT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname);
+ PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+ }
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-E", tmpchain, chain,
NULL);
+}
+
+static void
ebtablesRenameTmpRootChain(virBufferPtr buf,
bool incoming,
const char *ifname)
@@ -3278,38 +3262,77 @@ ebtablesRenameTmpRootChain(virBufferPtr buf,
}
static void
-ebtablesRenameTmpSubAndRootChains(virBufferPtr buf,
- const char *ifname)
+ebtablesRenameTmpRootChainFW(virFirewallPtr fw,
+ bool incoming,
+ const char *ifname)
+{
+ ebtablesRenameTmpSubChainFW(fw, incoming, ifname, NULL);
+}
+
+
+static int
+ebtablesRenameTmpSubAndRootChainsQuery(virFirewallPtr fw,
+ const char *const *lines,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ size_t i;
+ char newchain[MAX_CHAINNAME_LENGTH];
+
+ for (i = 0; lines[i] != NULL; i++) {
+ VIR_DEBUG("Considering '%s'", lines[i]);
+ char *tmp = strstr(lines[i], "-j ");
+ if (!tmp)
+ continue;
+ tmp = tmp + 3;
+ if (tmp[0] != CHAINPREFIX_HOST_IN_TEMP &&
+ tmp[0] != CHAINPREFIX_HOST_OUT_TEMP)
+ continue;
+ if (tmp[1] != '-')
+ continue;
+
+ ignore_value(virStrcpyStatic(newchain, tmp));
+ if (newchain[0] == CHAINPREFIX_HOST_IN_TEMP)
+ newchain[0] = CHAINPREFIX_HOST_IN;
+ else
+ newchain[0] = CHAINPREFIX_HOST_OUT;
+ VIR_DEBUG("Renaming chain '%s' to '%s'", tmp,
newchain);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRenameTmpSubAndRootChainsQuery,
+ NULL,
+ "-t", "nat", "-L", tmp,
NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-F", newchain,
NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-X", newchain,
NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-E", tmp,
newchain, NULL);
+ }
+
+ return 0;
+}
+
+
+static void
+ebtablesRenameTmpSubAndRootChainsFW(virFirewallPtr fw,
+ const char *ifname)
{
char rootchain[MAX_CHAINNAME_LENGTH];
size_t i;
char chains[3] = {
CHAINPREFIX_HOST_IN_TEMP,
CHAINPREFIX_HOST_OUT_TEMP,
- 0};
-
- NWFILTER_SET_EBTABLES_SHELLVAR(buf);
-
- virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS,
- chains);
- virBufferAsprintf(buf, NWFILTER_FUNC_RENAME_CHAINS,
- CHAINPREFIX_HOST_IN_TEMP,
- CHAINPREFIX_HOST_IN,
- CHAINPREFIX_HOST_OUT_TEMP,
- CHAINPREFIX_HOST_OUT);
-
- virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS);
- virBufferAddLit(buf, "chains=\"$(collect_chains");
+ 0
+ };
for (i = 0; chains[i] != 0; i++) {
PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
- virBufferAsprintf(buf, " %s", rootchain);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRenameTmpSubAndRootChainsQuery,
+ NULL,
+ "-t", "nat", "-L",
rootchain, NULL);
}
- virBufferAddLit(buf, ")\"\n");
-
- virBufferAddLit(buf, "rename_chains $chains\n");
- ebtablesRenameTmpRootChain(buf, true, ifname);
- ebtablesRenameTmpRootChain(buf, false, ifname);
+ ebtablesRenameTmpRootChainFW(fw, true, ifname);
+ ebtablesRenameTmpRootChainFW(fw, false, ifname);
}
static void
@@ -4248,46 +4271,31 @@ ebiptablesTearNewRules(const char *ifname)
static int
ebiptablesTearOldRules(const char *ifname)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
-
- /* switch to new iptables user defined chains */
- if (iptables_cmd_path) {
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- iptablesUnlinkRootChains(&buf, ifname);
- iptablesRemoveRootChains(&buf, ifname);
-
- iptablesRenameTmpRootChains(&buf, ifname);
- ebiptablesExecCLI(&buf, true, NULL);
- }
-
- if (ip6tables_cmd_path) {
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
-
- iptablesUnlinkRootChains(&buf, ifname);
- iptablesRemoveRootChains(&buf, ifname);
-
- iptablesRenameTmpRootChains(&buf, ifname);
- ebiptablesExecCLI(&buf, true, NULL);
- }
-
- if (ebtables_cmd_path) {
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
-
- ebtablesUnlinkRootChain(&buf, true, ifname);
- ebtablesUnlinkRootChain(&buf, false, ifname);
+ virFirewallPtr fw = virFirewallNew();
+ int ret = -1;
- ebtablesRemoveSubChains(&buf, ifname);
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- ebtablesRemoveRootChain(&buf, true, ifname);
- ebtablesRemoveRootChain(&buf, false, ifname);
+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
- ebtablesRenameTmpSubAndRootChains(&buf, ifname);
+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
- ebiptablesExecCLI(&buf, true, NULL);
- }
+ ebtablesUnlinkRootChainFW(fw, true, ifname);
+ ebtablesUnlinkRootChainFW(fw, false, ifname);
+ ebtablesRemoveSubChainsFW(fw, ifname);
+ ebtablesRemoveRootChainFW(fw, true, ifname);
+ ebtablesRemoveRootChainFW(fw, false, ifname);
+ ebtablesRenameTmpSubAndRootChainsFW(fw, ifname);
- return 0;
+ virMutexLock(&execCLIMutex);
+ ret = virFirewallApply(fw);
+ virMutexUnlock(&execCLIMutex);
+ virFirewallFree(fw);
+ return ret;
}
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
index c05682b..85077f1 100644
--- a/tests/nwfilterebiptablestest.c
+++ b/tests/nwfilterebiptablestest.c
@@ -95,6 +95,75 @@ testNWFilterEBIPTablesAllTeardown(const void *opaque ATTRIBUTE_UNUSED)
static int
+testNWFilterEBIPTablesTearOldRules(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/iptables -F FO-vnet0\n"
+ "/usr/sbin/iptables -X FO-vnet0\n"
+ "/usr/sbin/iptables -F FI-vnet0\n"
+ "/usr/sbin/iptables -X FI-vnet0\n"
+ "/usr/sbin/iptables -F HI-vnet0\n"
+ "/usr/sbin/iptables -X HI-vnet0\n"
+ "/usr/sbin/iptables -E FP-vnet0 FO-vnet0\n"
+ "/usr/sbin/iptables -E FJ-vnet0 FI-vnet0\n"
+ "/usr/sbin/iptables -E HJ-vnet0 HI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/ip6tables -F FO-vnet0\n"
+ "/usr/sbin/ip6tables -X FO-vnet0\n"
+ "/usr/sbin/ip6tables -F FI-vnet0\n"
+ "/usr/sbin/ip6tables -X FI-vnet0\n"
+ "/usr/sbin/ip6tables -F HI-vnet0\n"
+ "/usr/sbin/ip6tables -X HI-vnet0\n"
+ "/usr/sbin/ip6tables -E FP-vnet0 FO-vnet0\n"
+ "/usr/sbin/ip6tables -E FJ-vnet0 FI-vnet0\n"
+ "/usr/sbin/ip6tables -E HJ-vnet0 HI-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j
libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j
libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
+ const char *actual = NULL;
+ int ret = -1;
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (ebiptables_driver.tearOldRules("vnet0") < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&buf);
+
+ if (STRNEQ_NULLABLE(actual, expected)) {
+ virtTestDifference(stderr, actual, expected);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virBufferFreeAndReset(&buf);
+ return ret;
+}
+
+
+static int
mymain(void)
{
int ret = 0;
@@ -109,6 +178,11 @@ mymain(void)
NULL) < 0)
ret = -1;
+ if (virtTestRun("ebiptablesTearOldRules",
+ testNWFilterEBIPTablesTearOldRules,
+ NULL) < 0)
+ ret = -1;
+
cleanup:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
1.9.0
6:41 a.m.
New subject: [libvirt] [PATCH 17/26] Convert nwfilter ebiptablesTearOldRules to virFirewall
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the nwfilter ebiptablesTearOldRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
static void
@@ -4248,46 +4271,31 @@ ebiptablesTearNewRules(const char *ifname)
static int
ebiptablesTearOldRules(const char *ifname)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
-
- /* switch to new iptables user defined chains */
- if (iptables_cmd_path) {
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- iptablesUnlinkRootChains(&buf, ifname);
- iptablesRemoveRootChains(&buf, ifname);
-
- iptablesRenameTmpRootChains(&buf, ifname);
- ebiptablesExecCLI(&buf, true, NULL);
- }
-
- if (ip6tables_cmd_path) {
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
-
- iptablesUnlinkRootChains(&buf, ifname);
- iptablesRemoveRootChains(&buf, ifname);
-
- iptablesRenameTmpRootChains(&buf, ifname);
- ebiptablesExecCLI(&buf, true, NULL);
- }
-
- if (ebtables_cmd_path) {
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
-
- ebtablesUnlinkRootChain(&buf, true, ifname);
- ebtablesUnlinkRootChain(&buf, false, ifname);
+ virFirewallPtr fw = virFirewallNew();
+ int ret = -1;
- ebtablesRemoveSubChains(&buf, ifname);
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- ebtablesRemoveRootChain(&buf, true, ifname);
- ebtablesRemoveRootChain(&buf, false, ifname);
+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
- ebtablesRenameTmpSubAndRootChains(&buf, ifname);
+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
- ebiptablesExecCLI(&buf, true, NULL);
- }
+ ebtablesUnlinkRootChainFW(fw, true, ifname);
+ ebtablesUnlinkRootChainFW(fw, false, ifname);
+ ebtablesRemoveSubChainsFW(fw, ifname);
+ ebtablesRemoveRootChainFW(fw, true, ifname);
+ ebtablesRemoveRootChainFW(fw, false, ifname);
+ ebtablesRenameTmpSubAndRootChainsFW(fw, ifname);
- return 0;
+ virMutexLock(&execCLIMutex);
+ ret = virFirewallApply(fw);
+ virMutexUnlock(&execCLIMutex);
+ virFirewallFree(fw);
+ return ret;
}
Looks like the transformations I have seen in the other patches - really
amazing!. I suppose we wouldn't get here if either iptables, ip6tables,
or ebtables weren't installed?
Besides I see the lock being grabbed here. You shouldn't need this lock
anymore if you lock in the virFirewall code, where I guess you have to
have a libvirt-internal centralized lock (possibly 3 locks , one for
iptables, ip6tables, and ebtables if they don't mutually influence each
other -- would need to test this -- or one lock for all of them) in case
of direct eb/ip/ip6tables execution and none in case of firewalld, which
should do its own locking.
Regards,
Stefan
6:55 a.m.
New subject: [libvirt] [PATCH 17/26] Convert nwfilter ebiptablesTearOldRules to virFirewall
On Wed, Apr 16, 2014 at 07:41:10AM -0400, Stefan Berger wrote:
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
>Convert the nwfilter ebiptablesTearOldRules method to use the
>virFirewall object APIs instead of creating shell scripts
>using virBuffer APIs. This provides a performance improvement
>through allowing direct use of firewalld dbus APIs and will
>facilitate automated testing.
>
>Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
>
> static void
>@@ -4248,46 +4271,31 @@ ebiptablesTearNewRules(const char *ifname)
> static int
> ebiptablesTearOldRules(const char *ifname)
> {
>- virBuffer buf = VIR_BUFFER_INITIALIZER;
>-
>- /* switch to new iptables user defined chains */
>- if (iptables_cmd_path) {
>- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
>-
>- iptablesUnlinkRootChains(&buf, ifname);
>- iptablesRemoveRootChains(&buf, ifname);
>-
>- iptablesRenameTmpRootChains(&buf, ifname);
>- ebiptablesExecCLI(&buf, true, NULL);
>- }
>-
>- if (ip6tables_cmd_path) {
>- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
>-
>- iptablesUnlinkRootChains(&buf, ifname);
>- iptablesRemoveRootChains(&buf, ifname);
>-
>- iptablesRenameTmpRootChains(&buf, ifname);
>- ebiptablesExecCLI(&buf, true, NULL);
>- }
>-
>- if (ebtables_cmd_path) {
>- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
>-
>- ebtablesUnlinkRootChain(&buf, true, ifname);
>- ebtablesUnlinkRootChain(&buf, false, ifname);
>+ virFirewallPtr fw = virFirewallNew();
>+ int ret = -1;
>
>- ebtablesRemoveSubChains(&buf, ifname);
>+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
>
>- ebtablesRemoveRootChain(&buf, true, ifname);
>- ebtablesRemoveRootChain(&buf, false, ifname);
>+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
>+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
>+ iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
>
>- ebtablesRenameTmpSubAndRootChains(&buf, ifname);
>+ iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
>+ iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
>+ iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
>
>- ebiptablesExecCLI(&buf, true, NULL);
>- }
>+ ebtablesUnlinkRootChainFW(fw, true, ifname);
>+ ebtablesUnlinkRootChainFW(fw, false, ifname);
>+ ebtablesRemoveSubChainsFW(fw, ifname);
>+ ebtablesRemoveRootChainFW(fw, true, ifname);
>+ ebtablesRemoveRootChainFW(fw, false, ifname);
>+ ebtablesRenameTmpSubAndRootChainsFW(fw, ifname);
>
>- return 0;
>+ virMutexLock(&execCLIMutex);
>+ ret = virFirewallApply(fw);
>+ virMutexUnlock(&execCLIMutex);
>+ virFirewallFree(fw);
>+ return ret;
> }
Looks like the transformations I have seen in the other patches -
really amazing!. I suppose we wouldn't get here if either iptables,
ip6tables, or ebtables weren't installed?
The RPM will ensure they are all available, and the virfirewall
code will complain if they're missing, so IMHO that's sufficient.
Besides I see the lock being grabbed here. You shouldn't need
this
lock anymore if you lock in the virFirewall code, where I guess you
have to have a libvirt-internal centralized lock (possibly 3 locks ,
one for iptables, ip6tables, and ebtables if they don't mutually
influence each other -- would need to test this -- or one lock for
all of them) in case of direct eb/ip/ip6tables execution and none in
case of firewalld, which should do its own locking.
These locks are just to protect things during the intermediate
part-converted stage. They go away at the end of this series
so we rely on the lock in virfirewall.c, which obsoletes the
execCLIMutex.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
7:08 a.m.
New subject: [libvirt] [PATCH 17/26] Convert nwfilter ebiptablesTearOldRules to virFirewall
On 04/16/2014 07:55 AM, Daniel P. Berrange wrote:
On Wed, Apr 16, 2014 at 07:41:10AM -0400, Stefan Berger wrote:
> On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
>> Convert the nwfilter ebiptablesTearOldRules method to use the
>> virFirewall object APIs instead of creating shell scripts
>> using virBuffer APIs. This provides a performance improvement
>> through allowing direct use of firewalld dbus APIs and will
>> facilitate automated testing.
>>
>> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
>>
>
>> static void
>> @@ -4248,46 +4271,31 @@ ebiptablesTearNewRules(const char *ifname)
>> static int
>> ebiptablesTearOldRules(const char *ifname)
>> {
>> - virBuffer buf = VIR_BUFFER_INITIALIZER;
>> -
>> - /* switch to new iptables user defined chains */
>> - if (iptables_cmd_path) {
>> - NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
>> -
>> - iptablesUnlinkRootChains(&buf, ifname);
>> - iptablesRemoveRootChains(&buf, ifname);
>> -
>> - iptablesRenameTmpRootChains(&buf, ifname);
>> - ebiptablesExecCLI(&buf, true, NULL);
>> - }
>> -
>> - if (ip6tables_cmd_path) {
>> - NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
>> -
>> - iptablesUnlinkRootChains(&buf, ifname);
>> - iptablesRemoveRootChains(&buf, ifname);
>> -
>> - iptablesRenameTmpRootChains(&buf, ifname);
>> - ebiptablesExecCLI(&buf, true, NULL);
>> - }
>> -
>> - if (ebtables_cmd_path) {
>> - NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
>> -
>> - ebtablesUnlinkRootChain(&buf, true, ifname);
>> - ebtablesUnlinkRootChain(&buf, false, ifname);
>> + virFirewallPtr fw = virFirewallNew();
>> + int ret = -1;
>>
>> - ebtablesRemoveSubChains(&buf, ifname);
>> + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
>>
>> - ebtablesRemoveRootChain(&buf, true, ifname);
>> - ebtablesRemoveRootChain(&buf, false, ifname);
>> + iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
>> + iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
>> + iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
>>
>> - ebtablesRenameTmpSubAndRootChains(&buf, ifname);
>> + iptablesUnlinkRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
>> + iptablesRemoveRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
>> + iptablesRenameTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
>>
>> - ebiptablesExecCLI(&buf, true, NULL);
>> - }
>> + ebtablesUnlinkRootChainFW(fw, true, ifname);
>> + ebtablesUnlinkRootChainFW(fw, false, ifname);
>> + ebtablesRemoveSubChainsFW(fw, ifname);
>> + ebtablesRemoveRootChainFW(fw, true, ifname);
>> + ebtablesRemoveRootChainFW(fw, false, ifname);
>> + ebtablesRenameTmpSubAndRootChainsFW(fw, ifname);
>>
>> - return 0;
>> + virMutexLock(&execCLIMutex);
>> + ret = virFirewallApply(fw);
>> + virMutexUnlock(&execCLIMutex);
>> + virFirewallFree(fw);
>> + return ret;
>> }
> Looks like the transformations I have seen in the other patches -
> really amazing!. I suppose we wouldn't get here if either iptables,
> ip6tables, or ebtables weren't installed?
The RPM will ensure they are all available, and the virfirewall
code will complain if they're missing, so IMHO that's sufficient.
> Besides I see the lock being grabbed here. You shouldn't need this
> lock anymore if you lock in the virFirewall code, where I guess you
> have to have a libvirt-internal centralized lock (possibly 3 locks ,
> one for iptables, ip6tables, and ebtables if they don't mutually
> influence each other -- would need to test this -- or one lock for
> all of them) in case of direct eb/ip/ip6tables execution and none in
> case of firewalld, which should do its own locking.
These locks are just to protect things during the intermediate
part-converted stage. They go away at the end of this series
so we rely on the lock in virfirewall.c, which obsoletes the
execCLIMutex.
With this explanation: ACK
10:38 a.m.
New subject: [libvirt] [PATCH 18/26] Convert nwfilter ebtablesRemoveBasicRules to virFirewall
Convert the nwfilter ebtablesRemoveBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 95 ++++++++++++++++---------------
tests/nwfilterebiptablestest.c | 52 +++++++++++++++++
2 files changed, 100 insertions(+), 47 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index da4d096..7740960 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -206,7 +206,7 @@ static const char *m_physdev_out_old_str = "-m physdev
--physdev-out";
static int ebtablesRemoveBasicRules(const char *ifname);
static int ebiptablesDriverInit(bool privileged);
static void ebiptablesDriverShutdown(void);
-static void ebtablesCleanAll(const char *ifname);
+static int ebtablesCleanAll(const char *ifname);
static int ebiptablesAllTeardown(const char *ifname);
static virMutex execCLIMutex = VIR_MUTEX_INITIALIZER;
@@ -2901,14 +2901,6 @@ _ebtablesRemoveRootChainFW(virFirewallPtr fw,
static void
-ebtablesRemoveRootChain(virBufferPtr buf,
- bool incoming, const char *ifname)
-{
- _ebtablesRemoveRootChain(buf, incoming, ifname, false);
-}
-
-
-static void
ebtablesRemoveRootChainFW(virFirewallPtr fw,
bool incoming, const char *ifname)
{
@@ -2925,6 +2917,14 @@ ebtablesRemoveTmpRootChain(virBufferPtr buf,
static void
+ebtablesRemoveTmpRootChainFW(virFirewallPtr fw,
+ bool incoming, const char *ifname)
+{
+ _ebtablesRemoveRootChainFW(fw, incoming, ifname, 1);
+}
+
+
+static void
_ebtablesUnlinkRootChain(virBufferPtr buf,
bool incoming, const char *ifname,
bool isTempChain)
@@ -2978,14 +2978,6 @@ _ebtablesUnlinkRootChainFW(virFirewallPtr fw,
static void
-ebtablesUnlinkRootChain(virBufferPtr buf,
- bool incoming, const char *ifname)
-{
- _ebtablesUnlinkRootChain(buf, incoming, ifname, false);
-}
-
-
-static void
ebtablesUnlinkRootChainFW(virFirewallPtr fw,
bool incoming, const char *ifname)
{
@@ -3001,6 +2993,14 @@ ebtablesUnlinkTmpRootChain(virBufferPtr buf,
}
+static void
+ebtablesUnlinkTmpRootChainFW(virFirewallPtr fw,
+ int incoming, const char *ifname)
+{
+ _ebtablesUnlinkRootChainFW(fw, incoming, ifname, 1);
+}
+
+
static int
ebtablesCreateTmpSubChain(ebiptablesRuleInstPtr *inst,
int *nRuleInstances,
@@ -3166,8 +3166,8 @@ _ebtablesRemoveSubChainsFW(virFirewallPtr fw,
}
static void
-ebtablesRemoveSubChains(virBufferPtr buf,
- const char *ifname)
+ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+ const char *ifname)
{
char chains[3] = {
CHAINPREFIX_HOST_IN,
@@ -3175,25 +3175,25 @@ ebtablesRemoveSubChains(virBufferPtr buf,
0
};
- _ebtablesRemoveSubChains(buf, ifname, chains);
+ _ebtablesRemoveSubChainsFW(fw, ifname, chains);
}
static void
-ebtablesRemoveSubChainsFW(virFirewallPtr fw,
- const char *ifname)
+ebtablesRemoveTmpSubChains(virBufferPtr buf,
+ const char *ifname)
{
char chains[3] = {
- CHAINPREFIX_HOST_IN,
- CHAINPREFIX_HOST_OUT,
+ CHAINPREFIX_HOST_IN_TEMP,
+ CHAINPREFIX_HOST_OUT_TEMP,
0
};
- _ebtablesRemoveSubChainsFW(fw, ifname, chains);
+ _ebtablesRemoveSubChains(buf, ifname, chains);
}
static void
-ebtablesRemoveTmpSubChains(virBufferPtr buf,
- const char *ifname)
+ebtablesRemoveTmpSubChainsFW(virFirewallPtr fw,
+ const char *ifname)
{
char chains[3] = {
CHAINPREFIX_HOST_IN_TEMP,
@@ -3201,7 +3201,7 @@ ebtablesRemoveTmpSubChains(virBufferPtr buf,
0
};
- _ebtablesRemoveSubChains(buf, ifname, chains);
+ _ebtablesRemoveSubChainsFW(fw, ifname, chains);
}
static void
@@ -3668,34 +3668,35 @@ ebtablesApplyDropAllRules(const char *ifname)
static int
ebtablesRemoveBasicRules(const char *ifname)
{
- ebtablesCleanAll(ifname);
- return 0;
+ return ebtablesCleanAll(ifname);
}
-static void
+static int
ebtablesCleanAll(const char *ifname)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
-
- if (!ebtables_cmd_path)
- return;
+ virFirewallPtr fw = virFirewallNew();
+ int ret = -1;
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- ebtablesUnlinkRootChain(&buf, true, ifname);
- ebtablesUnlinkRootChain(&buf, false, ifname);
- ebtablesRemoveSubChains(&buf, ifname);
- ebtablesRemoveRootChain(&buf, true, ifname);
- ebtablesRemoveRootChain(&buf, false, ifname);
+ ebtablesUnlinkRootChainFW(fw, true, ifname);
+ ebtablesUnlinkRootChainFW(fw, false, ifname);
+ ebtablesRemoveSubChainsFW(fw, ifname);
+ ebtablesRemoveRootChainFW(fw, true, ifname);
+ ebtablesRemoveRootChainFW(fw, false, ifname);
- ebtablesUnlinkTmpRootChain(&buf, true, ifname);
- ebtablesUnlinkTmpRootChain(&buf, false, ifname);
- ebtablesRemoveTmpSubChains(&buf, ifname);
- ebtablesRemoveTmpRootChain(&buf, true, ifname);
- ebtablesRemoveTmpRootChain(&buf, false, ifname);
+ ebtablesUnlinkTmpRootChainFW(fw, true, ifname);
+ ebtablesUnlinkTmpRootChainFW(fw, false, ifname);
+ ebtablesRemoveTmpSubChainsFW(fw, ifname);
+ ebtablesRemoveTmpRootChainFW(fw, true, ifname);
+ ebtablesRemoveTmpRootChainFW(fw, false, ifname);
- ebiptablesExecCLI(&buf, true, NULL);
+ virMutexLock(&execCLIMutex);
+ ret = virFirewallApply(fw);
+ virMutexUnlock(&execCLIMutex);
+ virFirewallFree(fw);
+ return ret;
}
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
index 85077f1..11b7fb5 100644
--- a/tests/nwfilterebiptablestest.c
+++ b/tests/nwfilterebiptablestest.c
@@ -164,6 +164,53 @@ testNWFilterEBIPTablesTearOldRules(const void *opaque
ATTRIBUTE_UNUSED)
static int
+testNWFilterEBIPTablesRemoveBasicRules(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j
libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j
libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j
libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j
libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-P-vnet0\n";
+ const char *actual = NULL;
+ int ret = -1;
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (ebiptables_driver.removeBasicRules("vnet0") < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&buf);
+
+ if (STRNEQ_NULLABLE(actual, expected)) {
+ virtTestDifference(stderr, actual, expected);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virBufferFreeAndReset(&buf);
+ return ret;
+}
+
+
+static int
mymain(void)
{
int ret = 0;
@@ -183,6 +230,11 @@ mymain(void)
NULL) < 0)
ret = -1;
+ if (virtTestRun("ebiptablesRemoveBasicRules",
+ testNWFilterEBIPTablesRemoveBasicRules,
+ NULL) < 0)
+ ret = -1;
+
cleanup:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
1.9.0
8:45 a.m.
New subject: [libvirt] [PATCH 18/26] Convert nwfilter ebtablesRemoveBasicRules to virFirewall
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the nwfilter ebtablesRemoveBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
static void
-ebtablesRemoveSubChainsFW(virFirewallPtr fw,
- const char *ifname)
+ebtablesRemoveTmpSubChains(virBufferPtr buf,
+ const char *ifname)
{
char chains[3] = {
- CHAINPREFIX_HOST_IN,
- CHAINPREFIX_HOST_OUT,
+ CHAINPREFIX_HOST_IN_TEMP,
+ CHAINPREFIX_HOST_OUT_TEMP,
0
};
- _ebtablesRemoveSubChainsFW(fw, ifname, chains);
+ _ebtablesRemoveSubChains(buf, ifname, chains);
}
This is really the only odd part about this patch, a conversion in the
other direction. Maybe not-yet converted code needs it at this point.
ACK
9:07 a.m.
New subject: [libvirt] [PATCH 18/26] Convert nwfilter ebtablesRemoveBasicRules to virFirewall
On Wed, Apr 16, 2014 at 09:45:56AM -0400, Stefan Berger wrote:
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
>Convert the nwfilter ebtablesRemoveBasicRules method to use the
>virFirewall object APIs instead of creating shell scripts
>using virBuffer APIs. This provides a performance improvement
>through allowing direct use of firewalld dbus APIs and will
>facilitate automated testing.
>
>Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
>
>
> static void
>-ebtablesRemoveSubChainsFW(virFirewallPtr fw,
>- const char *ifname)
>+ebtablesRemoveTmpSubChains(virBufferPtr buf,
>+ const char *ifname)
> {
> char chains[3] = {
>- CHAINPREFIX_HOST_IN,
>- CHAINPREFIX_HOST_OUT,
>+ CHAINPREFIX_HOST_IN_TEMP,
>+ CHAINPREFIX_HOST_OUT_TEMP,
> 0
> };
>
>- _ebtablesRemoveSubChainsFW(fw, ifname, chains);
>+ _ebtablesRemoveSubChains(buf, ifname, chains);
> }
This is really the only odd part about this patch, a conversion in
the other direction. Maybe not-yet converted code needs it at this
point.
This is just 'diff' producing a very misleading patch context - we're
not actually reverting the previous change.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:38 a.m.
New subject: [libvirt] [PATCH 19/26] Convert nwfilter ebiptablesTearNewRules to virFirewall
Convert the nwfilter ebiptablesTearNewRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
---
src/nwfilter/nwfilter_ebiptables_driver.c | 88 ++++++++++++++++++++++---------
tests/nwfilterebiptablestest.c | 65 +++++++++++++++++++++++
2 files changed, 128 insertions(+), 25 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 7740960..4093bd9 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -707,6 +707,18 @@ iptablesRemoveTmpRootChain(virBufferPtr buf,
static void
+iptablesRemoveTmpRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ char prefix,
+ bool incoming,
+ const char *ifname)
+{
+ _iptablesRemoveRootChainFW(fw, layer, prefix,
+ incoming, ifname, 1);
+}
+
+
+static void
iptablesRemoveTmpRootChains(virBufferPtr buf,
const char *ifname)
{
@@ -717,6 +729,17 @@ iptablesRemoveTmpRootChains(virBufferPtr buf,
static void
+iptablesRemoveTmpRootChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
+{
+ iptablesRemoveTmpRootChainFW(fw, layer, 'F', false, ifname);
+ iptablesRemoveTmpRootChainFW(fw, layer, 'F', true, ifname);
+ iptablesRemoveTmpRootChainFW(fw, layer, 'H', true, ifname);
+}
+
+
+static void
iptablesRemoveRootChainsFW(virFirewallPtr fw,
virFirewallLayer layer,
const char *ifname)
@@ -914,6 +937,18 @@ iptablesUnlinkTmpRootChain(virBufferPtr buf,
static void
+iptablesUnlinkTmpRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *basechain,
+ char prefix,
+ bool incoming, const char *ifname)
+{
+ _iptablesUnlinkRootChainFW(fw, layer,
+ basechain, prefix, incoming, ifname, 1);
+}
+
+
+static void
iptablesUnlinkRootChainsFW(virFirewallPtr fw,
virFirewallLayer layer,
const char *ifname)
@@ -935,6 +970,17 @@ iptablesUnlinkTmpRootChains(virBufferPtr buf,
static void
+iptablesUnlinkTmpRootChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
+{
+ iptablesUnlinkTmpRootChainFW(fw, layer, VIRT_OUT_CHAIN, 'F', false, ifname);
+ iptablesUnlinkTmpRootChainFW(fw, layer, VIRT_IN_CHAIN, 'F', true, ifname);
+ iptablesUnlinkTmpRootChainFW(fw, layer, HOST_IN_CHAIN, 'H', true, ifname);
+}
+
+
+static void
iptablesRenameTmpRootChainFW(virFirewallPtr fw,
virFirewallLayer layer,
char prefix,
@@ -4236,36 +4282,28 @@ ebiptablesApplyNewRules(const char *ifname,
static int
ebiptablesTearNewRules(const char *ifname)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
-
- if (iptables_cmd_path) {
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- iptablesUnlinkTmpRootChains(&buf, ifname);
- iptablesRemoveTmpRootChains(&buf, ifname);
- }
-
- if (ip6tables_cmd_path) {
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+ virFirewallPtr fw = virFirewallNew();
+ int ret = -1;
- iptablesUnlinkTmpRootChains(&buf, ifname);
- iptablesRemoveTmpRootChains(&buf, ifname);
- }
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- if (ebtables_cmd_path) {
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ iptablesUnlinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRemoveTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
- ebtablesUnlinkTmpRootChain(&buf, true, ifname);
- ebtablesUnlinkTmpRootChain(&buf, false, ifname);
+ iptablesUnlinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesRemoveTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
- ebtablesRemoveTmpSubChains(&buf, ifname);
- ebtablesRemoveTmpRootChain(&buf, true, ifname);
- ebtablesRemoveTmpRootChain(&buf, false, ifname);
- }
-
- ebiptablesExecCLI(&buf, true, NULL);
+ ebtablesUnlinkTmpRootChainFW(fw, true, ifname);
+ ebtablesUnlinkTmpRootChainFW(fw, false, ifname);
+ ebtablesRemoveTmpSubChainsFW(fw, ifname);
+ ebtablesRemoveTmpRootChainFW(fw, true, ifname);
+ ebtablesRemoveTmpRootChainFW(fw, false, ifname);
- return 0;
+ virMutexLock(&execCLIMutex);
+ ret = virFirewallApply(fw);
+ virMutexUnlock(&execCLIMutex);
+ virFirewallFree(fw);
+ return ret;
}
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
index 11b7fb5..d728e4c 100644
--- a/tests/nwfilterebiptablestest.c
+++ b/tests/nwfilterebiptablestest.c
@@ -211,6 +211,66 @@ testNWFilterEBIPTablesRemoveBasicRules(const void *opaque
ATTRIBUTE_UNUSED)
static int
+testNWFilterEBIPTablesTearNewRules(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g
FP-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g
FJ-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HJ-vnet0\n"
+ "/usr/sbin/iptables -F FP-vnet0\n"
+ "/usr/sbin/iptables -X FP-vnet0\n"
+ "/usr/sbin/iptables -F FJ-vnet0\n"
+ "/usr/sbin/iptables -X FJ-vnet0\n"
+ "/usr/sbin/iptables -F HJ-vnet0\n"
+ "/usr/sbin/iptables -X HJ-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g
FP-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g
FJ-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HJ-vnet0\n"
+ "/usr/sbin/ip6tables -F FP-vnet0\n"
+ "/usr/sbin/ip6tables -X FP-vnet0\n"
+ "/usr/sbin/ip6tables -F FJ-vnet0\n"
+ "/usr/sbin/ip6tables -X FJ-vnet0\n"
+ "/usr/sbin/ip6tables -F HJ-vnet0\n"
+ "/usr/sbin/ip6tables -X HJ-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j
libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j
libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-P-vnet0\n";
+
+ const char *actual = NULL;
+ int ret = -1;
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (ebiptables_driver.tearNewRules("vnet0") < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&buf);
+
+ if (STRNEQ_NULLABLE(actual, expected)) {
+ virtTestDifference(stderr, actual, expected);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virBufferFreeAndReset(&buf);
+ return ret;
+}
+
+
+static int
mymain(void)
{
int ret = 0;
@@ -235,6 +295,11 @@ mymain(void)
NULL) < 0)
ret = -1;
+ if (virtTestRun("ebiptablesTearNewRules",
+ testNWFilterEBIPTablesTearNewRules,
+ NULL) < 0)
+ ret = -1;
+
cleanup:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
1.9.0
8:48 a.m.
New subject: [libvirt] [PATCH 19/26] Convert nwfilter ebiptablesTearNewRules to virFirewall
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the nwfilter ebiptablesTearNewRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
NIt: Signed-off-by...
ACK
10:38 a.m.
New subject: [libvirt] [PATCH 20/26] Convert nwfilter ebtablesApplyBasicRules to virFirewall
Convert the nwfilter ebtablesApplyBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 113 +++++++++++++++++-------------
tests/nwfilterebiptablestest.c | 74 +++++++++++++++++++
2 files changed, 137 insertions(+), 50 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 4093bd9..d9c6822 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2877,6 +2877,21 @@ ebtablesCreateTmpRootChain(virBufferPtr buf,
static void
+ebtablesCreateTmpRootChainFW(virFirewallPtr fw,
+ int incoming, const char *ifname)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix = (incoming) ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+
+ PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-N", chain, NULL);
+}
+
+
+static void
ebtablesLinkTmpRootChain(virBufferPtr buf,
bool incoming, const char *ifname)
{
@@ -2900,6 +2915,24 @@ ebtablesLinkTmpRootChain(virBufferPtr buf,
static void
+ebtablesLinkTmpRootChainFW(virFirewallPtr fw,
+ int incoming, const char *ifname)
+{
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+
+ PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
+ incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+ incoming ? "-i" : "-o",
+ ifname, "-j", chain, NULL);
+}
+
+
+static void
_ebtablesRemoveRootChain(virBufferPtr buf,
bool incoming, const char *ifname,
bool isTempChain)
@@ -3421,74 +3454,54 @@ static int
ebtablesApplyBasicRules(const char *ifname,
const virMacAddr *macaddr)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = virFirewallNew();
char chain[MAX_CHAINNAME_LENGTH];
char chainPrefix = CHAINPREFIX_HOST_IN_TEMP;
char macaddr_str[VIR_MAC_STRING_BUFLEN];
- if (!ebtables_cmd_path) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("cannot create rules since ebtables tool is "
- "missing."));
- return -1;
- }
-
virMacAddrFormat(macaddr, macaddr_str);
- ebiptablesAllTeardown(ifname);
+ if (ebiptablesAllTeardown(ifname) < 0)
+ goto error;
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ virFirewallStartTransaction(fw, 0);
- ebtablesCreateTmpRootChain(&buf, true, ifname);
+ ebtablesCreateTmpRootChainFW(fw, true, ifname);
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s -s ! %s -j DROP")
CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- chain, macaddr_str,
- CMD_STOPONERR(true));
-
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s -p IPv4 -j ACCEPT")
CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- chain,
- CMD_STOPONERR(true));
-
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s -p ARP -j ACCEPT")
CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- chain,
- CMD_STOPONERR(true));
-
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- chain,
- CMD_STOPONERR(true));
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-s", "!", macaddr_str,
+ "-j", "DROP", NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-p", "IPv4",
+ "-j", "ACCEPT", NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-p", "ARP",
+ "-j", "ACCEPT", NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-j", "DROP", NULL);
- ebtablesLinkTmpRootChain(&buf, true, ifname);
- ebtablesRenameTmpRootChain(&buf, true, ifname);
+ ebtablesLinkTmpRootChainFW(fw, true, ifname);
+ ebtablesRenameTmpRootChainFW(fw, true, ifname);
- if (ebiptablesExecCLI(&buf, false, NULL) < 0)
+ virMutexLock(&execCLIMutex);
+ if (virFirewallApply(fw) < 0) {
+ virMutexUnlock(&execCLIMutex);
goto tear_down_tmpebchains;
+ }
+ virMutexUnlock(&execCLIMutex);
+ virFirewallFree(fw);
return 0;
tear_down_tmpebchains:
ebtablesCleanAll(ifname);
-
- virReportError(VIR_ERR_BUILD_FIREWALL,
- "%s",
- _("Some rules could not be created."));
-
+ error:
+ virFirewallFree(fw);
return -1;
}
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
index d728e4c..22460fe 100644
--- a/tests/nwfilterebiptablestest.c
+++ b/tests/nwfilterebiptablestest.c
@@ -271,6 +271,75 @@ testNWFilterEBIPTablesTearNewRules(const void *opaque
ATTRIBUTE_UNUSED)
static int
+testNWFilterEBIPTablesApplyBasicRules(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/iptables -F FO-vnet0\n"
+ "/usr/sbin/iptables -X FO-vnet0\n"
+ "/usr/sbin/iptables -F FI-vnet0\n"
+ "/usr/sbin/iptables -X FI-vnet0\n"
+ "/usr/sbin/iptables -F HI-vnet0\n"
+ "/usr/sbin/iptables -X HI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/ip6tables -F FO-vnet0\n"
+ "/usr/sbin/ip6tables -X FO-vnet0\n"
+ "/usr/sbin/ip6tables -F FI-vnet0\n"
+ "/usr/sbin/ip6tables -X FI-vnet0\n"
+ "/usr/sbin/ip6tables -F HI-vnet0\n"
+ "/usr/sbin/ip6tables -X HI-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j
libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j
libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -N libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s '!'
10:20:30:40:50:60 -j DROP\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
+ "/usr/sbin/ebtables -t nat -A PREROUTING -i vnet0 -j
libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
+ const char *actual = NULL;
+ int ret = -1;
+ virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (ebiptables_driver.applyBasicRules("vnet0", &mac) < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&buf);
+
+ if (STRNEQ_NULLABLE(actual, expected)) {
+ virtTestDifference(stderr, actual, expected);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virBufferFreeAndReset(&buf);
+ return ret;
+}
+
+
+static int
mymain(void)
{
int ret = 0;
@@ -300,6 +369,11 @@ mymain(void)
NULL) < 0)
ret = -1;
+ if (virtTestRun("ebiptablesApplyBasicRules",
+ testNWFilterEBIPTablesApplyBasicRules,
+ NULL) < 0)
+ ret = -1;
+
cleanup:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
1.9.0
8:53 a.m.
New subject: [libvirt] [PATCH 20/26] Convert nwfilter ebtablesApplyBasicRules to virFirewall
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the nwfilter ebtablesApplyBasicRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
Stefan
10:38 a.m.
New subject: [libvirt] [PATCH 21/26] Convert nwfilter ebtablesApplyDHCPOnlyRules to virFirewall
Convert the nwfilter ebtablesApplyDHCPOnlyRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 120 ++++++++++++------------------
tests/nwfilterebiptablestest.c | 92 +++++++++++++++++++++++
2 files changed, 140 insertions(+), 72 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index d9c6822..62866ac 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -3529,127 +3529,103 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
virNWFilterVarValuePtr dhcpsrvrs,
bool leaveTemporary)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
char chain_in [MAX_CHAINNAME_LENGTH],
chain_out[MAX_CHAINNAME_LENGTH];
char macaddr_str[VIR_MAC_STRING_BUFLEN];
unsigned int idx = 0;
unsigned int num_dhcpsrvrs;
-
- if (!ebtables_cmd_path) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("cannot create rules since ebtables tool is "
- "missing."));
- return -1;
- }
+ virFirewallPtr fw = virFirewallNew();
virMacAddrFormat(macaddr, macaddr_str);
- ebiptablesAllTeardown(ifname);
+ if (ebiptablesAllTeardown(ifname) < 0)
+ goto error;
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ virFirewallStartTransaction(fw, 0);
- ebtablesCreateTmpRootChain(&buf, true, ifname);
- ebtablesCreateTmpRootChain(&buf, false, ifname);
+ ebtablesCreateTmpRootChainFW(fw, true, ifname);
+ ebtablesCreateTmpRootChainFW(fw, false, ifname);
PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname);
PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s"
- " -s %s"
- " -p ipv4 --ip-protocol udp"
- " --ip-sport 68 --ip-dport 67"
- " -j ACCEPT") CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- chain_in,
- macaddr_str,
- CMD_STOPONERR(true));
-
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
- CMD_EXEC
- "%s",
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_in,
+ "-s", macaddr_str,
+ "-p", "ipv4", "--ip-protocol",
"udp",
+ "--ip-sport", "68", "--ip-dport",
"67",
+ "-j", "ACCEPT", NULL);
- chain_in,
- CMD_STOPONERR(true));
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_in,
+ "-j", "DROP", NULL);
num_dhcpsrvrs = (dhcpsrvrs != NULL)
? virNWFilterVarValueGetCardinality(dhcpsrvrs)
: 0;
while (true) {
- char *srcIPParam = NULL;
+ const char *dhcpserver = NULL;
int ctr;
- if (idx < num_dhcpsrvrs) {
- const char *dhcpserver;
-
+ if (idx < num_dhcpsrvrs)
dhcpserver = virNWFilterVarValueGetNthValue(dhcpsrvrs, idx);
- if (virAsprintf(&srcIPParam, "--ip-src %s", dhcpserver) <
0)
- goto tear_down_tmpebchains;
- }
-
/*
* create two rules allowing response to MAC address of VM
* or to broadcast MAC address
*/
for (ctr = 0; ctr < 2; ctr++) {
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s"
- " -d %s"
- " -p ipv4 --ip-protocol udp"
- " %s"
- " --ip-sport 67 --ip-dport 68"
- " -j ACCEPT") CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- chain_out,
- (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff",
- srcIPParam != NULL ? srcIPParam : "",
- CMD_STOPONERR(true));
+ if (dhcpserver)
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain_out,
+ "-d", (ctr == 0) ? macaddr_str :
"ff:ff:ff:ff:ff:ff",
+ "-p", "ipv4",
"--ip-protocol", "udp",
+ "--ip-src", dhcpserver,
+ "--ip-sport", "67",
"--ip-dport", "68",
+ "-j", "ACCEPT", NULL);
+ else
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain_out,
+ "-d", (ctr == 0) ? macaddr_str :
"ff:ff:ff:ff:ff:ff",
+ "-p", "ipv4",
"--ip-protocol", "udp",
+ "--ip-sport", "67",
"--ip-dport", "68",
+ "-j", "ACCEPT", NULL);
}
- VIR_FREE(srcIPParam);
-
idx++;
if (idx >= num_dhcpsrvrs)
break;
}
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- chain_out,
- CMD_STOPONERR(true));
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_out,
+ "-j", "DROP", NULL);
- ebtablesLinkTmpRootChain(&buf, true, ifname);
- ebtablesLinkTmpRootChain(&buf, false, ifname);
+ ebtablesLinkTmpRootChainFW(fw, true, ifname);
+ ebtablesLinkTmpRootChainFW(fw, false, ifname);
if (!leaveTemporary) {
- ebtablesRenameTmpRootChain(&buf, true, ifname);
- ebtablesRenameTmpRootChain(&buf, false, ifname);
+ ebtablesRenameTmpRootChainFW(fw, true, ifname);
+ ebtablesRenameTmpRootChainFW(fw, false, ifname);
}
- if (ebiptablesExecCLI(&buf, false, NULL) < 0)
+ virMutexLock(&execCLIMutex);
+ if (virFirewallApply(fw) < 0) {
+ virMutexUnlock(&execCLIMutex);
goto tear_down_tmpebchains;
+ }
+ virMutexUnlock(&execCLIMutex);
+
+ virFirewallFree(fw);
return 0;
tear_down_tmpebchains:
ebtablesCleanAll(ifname);
-
- virReportError(VIR_ERR_BUILD_FIREWALL,
- "%s",
- _("Some rules could not be created."));
-
+ error:
+ virFirewallFree(fw);
return -1;
}
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
index 22460fe..3010668 100644
--- a/tests/nwfilterebiptablestest.c
+++ b/tests/nwfilterebiptablestest.c
@@ -340,6 +340,93 @@ testNWFilterEBIPTablesApplyBasicRules(const void *opaque
ATTRIBUTE_UNUSED)
static int
+testNWFilterEBIPTablesApplyDHCPOnlyRules(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/iptables -F FO-vnet0\n"
+ "/usr/sbin/iptables -X FO-vnet0\n"
+ "/usr/sbin/iptables -F FI-vnet0\n"
+ "/usr/sbin/iptables -X FI-vnet0\n"
+ "/usr/sbin/iptables -F HI-vnet0\n"
+ "/usr/sbin/iptables -X HI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/ip6tables -F FO-vnet0\n"
+ "/usr/sbin/ip6tables -X FO-vnet0\n"
+ "/usr/sbin/ip6tables -F FI-vnet0\n"
+ "/usr/sbin/ip6tables -X FI-vnet0\n"
+ "/usr/sbin/ip6tables -F HI-vnet0\n"
+ "/usr/sbin/ip6tables -X HI-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j
libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j
libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -N libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -N libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4
--ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4
--ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4
--ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4
--ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4
--ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4
--ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4
--ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -j DROP\n"
+ "/usr/sbin/ebtables -t nat -A PREROUTING -i vnet0 -j
libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -A POSTROUTING -o vnet0 -j
libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
+ const char *actual = NULL;
+ int ret = -1;
+ virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
+ const char *servers[] = { "192.168.122.1", "10.0.0.1",
"10.0.0.2" };
+ virNWFilterVarValue val = {
+ .valType = NWFILTER_VALUE_TYPE_ARRAY,
+ .u = {
+ .array = {
+ .values = (char **)servers,
+ .nValues = 3,
+ }
+ }
+ };
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (ebiptables_driver.applyDHCPOnlyRules("vnet0", &mac, &val,
false) < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&buf);
+
+ if (STRNEQ_NULLABLE(actual, expected)) {
+ virtTestDifference(stderr, actual, expected);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virBufferFreeAndReset(&buf);
+ return ret;
+}
+
+
+static int
mymain(void)
{
int ret = 0;
@@ -374,6 +461,11 @@ mymain(void)
NULL) < 0)
ret = -1;
+ if (virtTestRun("ebiptablesApplyDHCPOnlyRules",
+ testNWFilterEBIPTablesApplyDHCPOnlyRules,
+ NULL) < 0)
+ ret = -1;
+
cleanup:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
1.9.0
9 a.m.
New subject: [libvirt] [PATCH 21/26] Convert nwfilter ebtablesApplyDHCPOnlyRules to virFirewall
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the nwfilter ebtablesApplyDHCPOnlyRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
10:38 a.m.
New subject: [libvirt] [PATCH 22/26] Convert nwfilter ebtablesApplyDropAllRules to virFirewall
Convert the nwfilter ebtablesApplyDropAllRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 93 ++++++++-----------------------
tests/nwfilterebiptablestest.c | 75 +++++++++++++++++++++++++
2 files changed, 99 insertions(+), 69 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 62866ac..db6e324 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -3284,31 +3284,6 @@ ebtablesRemoveTmpSubChainsFW(virFirewallPtr fw,
}
static void
-ebtablesRenameTmpSubChain(virBufferPtr buf,
- bool incoming,
- const char *ifname,
- const char *protocol)
-{
- char tmpchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
- char tmpChainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
- : CHAINPREFIX_HOST_OUT_TEMP;
- char chainPrefix = incoming ? CHAINPREFIX_HOST_IN
- : CHAINPREFIX_HOST_OUT;
-
- if (protocol) {
- PRINT_CHAIN(tmpchain, tmpChainPrefix, ifname, protocol);
- PRINT_CHAIN(chain, chainPrefix, ifname, protocol);
- } else {
- PRINT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname);
- PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- }
-
- virBufferAsprintf(buf,
- "$EBT -t nat -E %s %s" CMD_SEPARATOR,
- tmpchain, chain);
-}
-
-static void
ebtablesRenameTmpSubChainFW(virFirewallPtr fw,
int incoming,
const char *ifname,
@@ -3333,14 +3308,6 @@ ebtablesRenameTmpSubChainFW(virFirewallPtr fw,
}
static void
-ebtablesRenameTmpRootChain(virBufferPtr buf,
- bool incoming,
- const char *ifname)
-{
- ebtablesRenameTmpSubChain(buf, incoming, ifname, NULL);
-}
-
-static void
ebtablesRenameTmpRootChainFW(virFirewallPtr fw,
bool incoming,
const char *ifname)
@@ -3642,60 +3609,48 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
static int
ebtablesApplyDropAllRules(const char *ifname)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
char chain_in [MAX_CHAINNAME_LENGTH],
chain_out[MAX_CHAINNAME_LENGTH];
+ virFirewallPtr fw = virFirewallNew();
- if (!ebtables_cmd_path) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("cannot create rules since ebtables tool is "
- "missing."));
- return -1;
- }
-
- ebiptablesAllTeardown(ifname);
+ if (ebiptablesAllTeardown(ifname) < 0)
+ goto error;
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ virFirewallStartTransaction(fw, 0);
- ebtablesCreateTmpRootChain(&buf, true, ifname);
- ebtablesCreateTmpRootChain(&buf, false, ifname);
+ ebtablesCreateTmpRootChainFW(fw, true, ifname);
+ ebtablesCreateTmpRootChainFW(fw, false, ifname);
PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname);
PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- chain_in,
- CMD_STOPONERR(true));
-
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
- CMD_EXEC
- "%s",
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_in,
+ "-j", "DROP", NULL);
- chain_out,
- CMD_STOPONERR(true));
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_out,
+ "-j", "DROP", NULL);
- ebtablesLinkTmpRootChain(&buf, true, ifname);
- ebtablesLinkTmpRootChain(&buf, false, ifname);
- ebtablesRenameTmpRootChain(&buf, true, ifname);
- ebtablesRenameTmpRootChain(&buf, false, ifname);
+ ebtablesLinkTmpRootChainFW(fw, true, ifname);
+ ebtablesLinkTmpRootChainFW(fw, false, ifname);
+ ebtablesRenameTmpRootChainFW(fw, true, ifname);
+ ebtablesRenameTmpRootChainFW(fw, false, ifname);
- if (ebiptablesExecCLI(&buf, false, NULL) < 0)
+ virMutexLock(&execCLIMutex);
+ if (virFirewallApply(fw) < 0) {
+ virMutexUnlock(&execCLIMutex);
goto tear_down_tmpebchains;
+ }
+ virMutexUnlock(&execCLIMutex);
+ virFirewallFree(fw);
return 0;
tear_down_tmpebchains:
ebtablesCleanAll(ifname);
-
- virReportError(VIR_ERR_BUILD_FIREWALL,
- "%s",
- _("Some rules could not be created."));
-
+ error:
+ virFirewallFree(fw);
return -1;
}
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
index 3010668..f994331 100644
--- a/tests/nwfilterebiptablestest.c
+++ b/tests/nwfilterebiptablestest.c
@@ -426,6 +426,76 @@ testNWFilterEBIPTablesApplyDHCPOnlyRules(const void *opaque
ATTRIBUTE_UNUSED)
}
+
+static int
+testNWFilterEBIPTablesApplyDropAllRules(const void *opaque ATTRIBUTE_UNUSED)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/iptables -F FO-vnet0\n"
+ "/usr/sbin/iptables -X FO-vnet0\n"
+ "/usr/sbin/iptables -F FI-vnet0\n"
+ "/usr/sbin/iptables -X FI-vnet0\n"
+ "/usr/sbin/iptables -F HI-vnet0\n"
+ "/usr/sbin/iptables -X HI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g
FO-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g
FI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HI-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/ip6tables -F FO-vnet0\n"
+ "/usr/sbin/ip6tables -X FO-vnet0\n"
+ "/usr/sbin/ip6tables -F FI-vnet0\n"
+ "/usr/sbin/ip6tables -X FI-vnet0\n"
+ "/usr/sbin/ip6tables -F HI-vnet0\n"
+ "/usr/sbin/ip6tables -X HI-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j
libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j
libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-O-vnet0\n"
+ "/usr/sbin/ebtables -t nat -N libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -N libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
+ "/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -j DROP\n"
+ "/usr/sbin/ebtables -t nat -A PREROUTING -i vnet0 -j
libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -A POSTROUTING -o vnet0 -j
libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
+ "/usr/sbin/ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
+ const char *actual = NULL;
+ int ret = -1;
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (ebiptables_driver.applyDropAllRules("vnet0") < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actual = virBufferCurrentContent(&buf);
+
+ if (STRNEQ_NULLABLE(actual, expected)) {
+ virtTestDifference(stderr, actual, expected);
+ goto cleanup;
+ }
+
+ ret = 0;
+ cleanup:
+ virCommandSetDryRun(NULL, NULL, NULL);
+ virBufferFreeAndReset(&buf);
+ return ret;
+}
+
+
static int
mymain(void)
{
@@ -466,6 +536,11 @@ mymain(void)
NULL) < 0)
ret = -1;
+ if (virtTestRun("ebiptablesApplyDropAllRules",
+ testNWFilterEBIPTablesApplyDropAllRules,
+ NULL) < 0)
+ ret = -1;
+
cleanup:
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
--
1.9.0
9:03 a.m.
New subject: [libvirt] [PATCH 22/26] Convert nwfilter ebtablesApplyDropAllRules to virFirewall
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the nwfilter ebtablesApplyDropAllRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
10:38 a.m.
New subject: [libvirt] [PATCH 23/26] Convert nwfilter ebiptablesApplyNewRules to virFirewall
Convert the nwfilter ebtablesApplyNewRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/conf/nwfilter_conf.c | 22 +-
src/conf/nwfilter_conf.h | 7 +-
src/nwfilter/nwfilter_ebiptables_driver.c | 2748 +++++++++++------------------
src/nwfilter/nwfilter_ebiptables_driver.h | 17 -
4 files changed, 1090 insertions(+), 1704 deletions(-)
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index 968e045..f57dcef 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -962,13 +962,16 @@ printTCPFlags(virBufferPtr buf, uint8_t flags)
}
-void
-virNWFilterPrintTCPFlags(virBufferPtr buf,
- uint8_t mask, char sep, uint8_t flags)
+char *
+virNWFilterPrintTCPFlags(uint8_t flags)
{
- printTCPFlags(buf, mask);
- virBufferAddChar(buf, sep);
- printTCPFlags(buf, flags);
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ printTCPFlags(&buf, flags);
+ if (virBufferError(&buf)) {
+ virReportOOMError();
+ return NULL;
+ }
+ return virBufferContentAndReset(&buf);
}
@@ -977,10 +980,9 @@ tcpFlagsFormatter(virBufferPtr buf,
virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED,
nwItemDesc *item)
{
- virNWFilterPrintTCPFlags(buf,
- item->u.tcpFlags.mask,
- '/',
- item->u.tcpFlags.flags);
+ printTCPFlags(buf, item->u.tcpFlags.mask);
+ virBufferAddLit(buf, "/");
+ printTCPFlags(buf, item->u.tcpFlags.flags);
return true;
}
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 9f9deab..3c7985c 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -82,8 +82,8 @@ enum virNWFilterEntryItemFlags {
# define HAS_ENTRY_ITEM(data) \
(((data)->flags) & NWFILTER_ENTRY_ITEM_FLAG_EXISTS)
-# define ENTRY_GET_NEG_SIGN(data) \
- ((((data)->flags) & NWFILTER_ENTRY_ITEM_FLAG_IS_NEG) ? "!" :
"")
+# define ENTRY_WANT_NEG_SIGN(data) \
+ (((data)->flags) & NWFILTER_ENTRY_ITEM_FLAG_IS_NEG)
/* datatypes appearing in rule attributes */
enum attrDatatype {
@@ -673,8 +673,7 @@ void virNWFilterCallbackDriversLock(void);
void virNWFilterCallbackDriversUnlock(void);
-void virNWFilterPrintTCPFlags(virBufferPtr buf, uint8_t mask,
- char sep, uint8_t flags);
+char *virNWFilterPrintTCPFlags(uint8_t flags);
bool virNWFilterRuleIsProtocolIPv4(virNWFilterRuleDefPtr rule);
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index db6e324..835e068 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -105,65 +105,6 @@ static enum ctdirStatus iptables_ctdir_corrected;
#define PRINT_CHAIN(buf, prefix, ifname, suffix) \
snprintf(buf, sizeof(buf), "%c-%s-%s", prefix, ifname, suffix)
-/* The collect_chains() script recursively determines all names
- * of ebtables (nat) chains that are 'children' of a given 'root' chain.
- * The typical output of an ebtables call is as follows:
- *
- * #> ebtables -t nat -L libvirt-I-tck-test205002
- * Bridge table: nat
- *
- * Bridge chain: libvirt-I-tck-test205002, entries: 5, policy: ACCEPT
- * -p IPv4 -j I-tck-test205002-ipv4
- * -p ARP -j I-tck-test205002-arp
- * -p 0x8035 -j I-tck-test205002-rarp
- * -p 0x835 -j ACCEPT
- * -j DROP
- */
-static const char ebtables_script_func_collect_chains[] =
- "collect_chains()\n"
- "{\n"
- " for tmp2 in $*; do\n"
- " for tmp in $($EBT -t nat -L $tmp2 | \\\n"
- " sed -n \"/Bridge chain/,\\$ s/.*-j
\\\\([%s]-.*\\\\)/\\\\1/p\");\n"
- " do\n"
- " echo $tmp\n"
- " collect_chains $tmp\n"
- " done\n"
- " done\n"
- "}\n";
-
-static const char ebiptables_script_func_rm_chains[] =
- "rm_chains()\n"
- "{\n"
- " for tmp in $*; do $EBT -t nat -F $tmp; done\n"
- " for tmp in $*; do $EBT -t nat -X $tmp; done\n"
- "}\n";
-
-static const char ebiptables_script_func_rename_chains[] =
- "rename_chain()\n"
- "{\n"
- " $EBT -t nat -F $2\n"
- " $EBT -t nat -X $2\n"
- " $EBT -t nat -E $1 $2\n"
- "}\n"
- "rename_chains()\n"
- "{\n"
- " for tmp in $*; do\n"
- " case $tmp in\n"
- " %c*) rename_chain $tmp %c${tmp#?} ;;\n"
- " %c*) rename_chain $tmp %c${tmp#?} ;;\n"
- " esac\n"
- " done\n"
- "}\n";
-
-static const char ebiptables_script_set_ifs[] =
- "tmp='\n'\n"
- "IFS=' ''\t'$tmp\n";
-
-#define NWFILTER_FUNC_COLLECT_CHAINS ebtables_script_func_collect_chains
-#define NWFILTER_FUNC_RM_CHAINS ebiptables_script_func_rm_chains
-#define NWFILTER_FUNC_RENAME_CHAINS ebiptables_script_func_rename_chains
-#define NWFILTER_FUNC_SET_IFS ebiptables_script_set_ifs
#define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \
virBufferAsprintf(BUFPTR, "EBT=\"%s\"\n", ebtables_cmd_path);
@@ -180,29 +121,12 @@ static const char ebiptables_script_set_ifs[] =
#define PRINT_IPT_ROOT_CHAIN(buf, prefix, ifname) \
snprintf(buf, sizeof(buf), "%c%c-%s", prefix[0], prefix[1], ifname)
-#define PHYSDEV_IN "--physdev-in"
-
-static const char *m_state_out_str = "-m state --state NEW,ESTABLISHED";
-static const char *m_state_in_str = "-m state --state ESTABLISHED";
-static const char *m_state_out_str_new = "-m conntrack --ctstate
NEW,ESTABLISHED";
-static const char *m_state_in_str_new = "-m conntrack --ctstate ESTABLISHED";
-
-static const char *m_physdev_in_str = "-m physdev --physdev-in";
-static const char *m_physdev_out_str = "-m physdev --physdev-is-bridged
--physdev-out";
-static const char *m_physdev_out_old_str = "-m physdev --physdev-out";
-
-#define MATCH_STATE_OUT m_state_out_str
-#define MATCH_STATE_IN m_state_in_str
-#define MATCH_PHYSDEV_IN m_physdev_in_str
-#define MATCH_PHYSDEV_OUT m_physdev_out_str
-#define MATCH_PHYSDEV_OUT_OLD m_physdev_out_old_str
+static bool newMatchState;
#define MATCH_PHYSDEV_IN_FW "-m", "physdev",
"--physdev-in"
#define MATCH_PHYSDEV_OUT_FW "-m", "physdev",
"--physdev-is-bridged", "--physdev-out"
#define MATCH_PHYSDEV_OUT_OLD_FW "-m", "physdev",
"--physdev-out"
-#define COMMENT_VARNAME "comment"
-
static int ebtablesRemoveBasicRules(const char *ifname);
static int ebiptablesDriverInit(bool privileged);
static void ebiptablesDriverShutdown(void);
@@ -455,55 +379,39 @@ printDataTypeAsHex(virNWFilterVarCombIterPtr vars,
}
-static void
-printCommentVar(virBufferPtr dest, const char *buf)
-{
- size_t i, len = strlen(buf);
-
- virBufferAddLit(dest, COMMENT_VARNAME "='");
-
- if (len > IPTABLES_MAX_COMMENT_LENGTH)
- len = IPTABLES_MAX_COMMENT_LENGTH;
-
- for (i = 0; i < len; i++) {
- if (buf[i] == '\'')
- virBufferAddLit(dest, "'\\''");
- else
- virBufferAddChar(dest, buf[i]);
- }
- virBufferAddLit(dest, "'" CMD_SEPARATOR);
-}
-
-
static int
-ebtablesHandleEthHdr(virBufferPtr buf,
+ebtablesHandleEthHdr(virFirewallPtr fw,
+ virFirewallRulePtr fwrule,
virNWFilterVarCombIterPtr vars,
ethHdrDataDefPtr ethHdr,
bool reverse)
{
char macaddr[VIR_MAC_STRING_BUFLEN];
+ char macmask[VIR_MAC_STRING_BUFLEN];
+ int ret = -1;
if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACAddr)) {
if (printDataType(vars,
macaddr, sizeof(macaddr),
ðHdr->dataSrcMACAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- " %s %s %s",
- reverse ? "-d" : "-s",
- ENTRY_GET_NEG_SIGN(ðHdr->dataSrcMACAddr),
- macaddr);
+ virFirewallRuleAddArgList(fw, fwrule,
+ reverse ? "-d" : "-s",
+ NULL);
+ if (ENTRY_WANT_NEG_SIGN(ðHdr->dataSrcMACAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACMask)) {
if (printDataType(vars,
- macaddr, sizeof(macaddr),
+ macmask, sizeof(macmask),
ðHdr->dataSrcMACMask) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- "/%s",
- macaddr);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", macaddr, macmask);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, macaddr);
}
}
@@ -511,96 +419,80 @@ ebtablesHandleEthHdr(virBufferPtr buf,
if (printDataType(vars,
macaddr, sizeof(macaddr),
ðHdr->dataDstMACAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- " %s %s %s",
- reverse ? "-s" : "-d",
- ENTRY_GET_NEG_SIGN(ðHdr->dataDstMACAddr),
- macaddr);
+ virFirewallRuleAddArgList(fw, fwrule,
+ reverse ? "-s" : "-d",
+ NULL);
+ if (ENTRY_WANT_NEG_SIGN(ðHdr->dataDstMACAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(ðHdr->dataDstMACMask)) {
if (printDataType(vars,
- macaddr, sizeof(macaddr),
+ macmask, sizeof(macmask),
ðHdr->dataDstMACMask) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- "/%s",
- macaddr);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", macaddr, macmask);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, macaddr);
}
}
- return 0;
-
- err_exit:
- virBufferFreeAndReset(buf);
-
- return -1;
+ ret = 0;
+ cleanup:
+ return ret;
}
/************************ iptables support ************************/
-static void
-iptablesLinkIPTablesBaseChain(virBufferPtr buf,
- const char *udchain,
- const char *syschain,
- unsigned int pos)
-{
- virBufferAsprintf(buf,
- "res=$($IPT -L %s -n --line-number | %s '%s')\n"
- "if [ $? -ne 0 ]; then\n"
- " $IPT -I %s %d -j %s\n"
- "else\n"
- " set dummy $res; r=$2\n"
- " if [ \"${r}\" != \"%d\" ];
then\n"
- " " CMD_DEF("$IPT -I %s %d -j %s")
CMD_SEPARATOR
- " " CMD_EXEC
- " %s"
- " r=$(( $r + 1 ))\n"
- " " CMD_DEF("$IPT -D %s ${r}")
CMD_SEPARATOR
- " " CMD_EXEC
- " %s"
- " fi\n"
- "fi\n",
-
- syschain, grep_cmd_path, udchain,
-
- syschain, pos, udchain,
-
- pos,
-
- syschain, pos, udchain,
- CMD_STOPONERR(true),
-
- syschain,
- CMD_STOPONERR(true));
-}
-
static void
-iptablesCreateBaseChains(virBufferPtr buf)
-{
- virBufferAddLit(buf, "$IPT -N " VIRT_IN_CHAIN CMD_SEPARATOR
- "$IPT -N " VIRT_OUT_CHAIN CMD_SEPARATOR
- "$IPT -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
- "$IPT -N " HOST_IN_CHAIN CMD_SEPARATOR);
- iptablesLinkIPTablesBaseChain(buf,
- VIRT_IN_CHAIN, "FORWARD", 1);
- iptablesLinkIPTablesBaseChain(buf,
- VIRT_OUT_CHAIN, "FORWARD", 2);
- iptablesLinkIPTablesBaseChain(buf,
- VIRT_IN_POST_CHAIN, "FORWARD", 3);
- iptablesLinkIPTablesBaseChain(buf,
- HOST_IN_CHAIN, "INPUT", 1);
+iptablesCreateBaseChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer)
+{
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-N", VIRT_IN_CHAIN, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-N", VIRT_OUT_CHAIN, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-N", VIRT_IN_POST_CHAIN, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-N", HOST_IN_CHAIN, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "FORWARD", "-j",
VIRT_IN_CHAIN, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "FORWARD", "-j",
VIRT_OUT_CHAIN, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "FORWARD", "-j",
VIRT_IN_POST_CHAIN, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "INPUT", "-j",
HOST_IN_CHAIN, NULL);
+ virFirewallAddRule(fw, layer,
+ "-I", "FORWARD", "1",
"-j", VIRT_IN_CHAIN, NULL);
+ virFirewallAddRule(fw, layer,
+ "-I", "FORWARD", "2",
"-j", VIRT_OUT_CHAIN, NULL);
+ virFirewallAddRule(fw, layer,
+ "-I", "FORWARD", "3",
"-j", VIRT_IN_POST_CHAIN, NULL);
+ virFirewallAddRule(fw, layer,
+ "-I", "INPUT", "1", "-j",
HOST_IN_CHAIN, NULL);
}
static void
-iptablesCreateTmpRootChain(virBufferPtr buf,
- char prefix,
- bool incoming, const char *ifname)
+iptablesCreateTmpRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ char prefix,
+ bool incoming, const char *ifname)
{
char chain[MAX_CHAINNAME_LENGTH];
char chainPrefix[2] = {
@@ -611,50 +503,19 @@ iptablesCreateTmpRootChain(virBufferPtr buf,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virBufferAsprintf(buf,
- CMD_DEF("$IPT -N %s") CMD_SEPARATOR
- CMD_EXEC
- "%s",
- chain,
- CMD_STOPONERR(true));
-}
-
-
-static void
-iptablesCreateTmpRootChains(virBufferPtr buf,
- const char *ifname)
-{
- iptablesCreateTmpRootChain(buf, 'F', false, ifname);
- iptablesCreateTmpRootChain(buf, 'F', true, ifname);
- iptablesCreateTmpRootChain(buf, 'H', true, ifname);
+ virFirewallAddRule(fw, layer,
+ "-N", chain, NULL);
}
static void
-_iptablesRemoveRootChain(virBufferPtr buf,
- char prefix,
- bool incoming, const char *ifname,
- bool isTempChain)
+iptablesCreateTmpRootChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
{
- char chain[MAX_CHAINNAME_LENGTH];
- char chainPrefix[2] = {
- prefix,
- };
-
- if (isTempChain)
- chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN_TEMP
- : CHAINPREFIX_HOST_OUT_TEMP;
- else
- chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN
- : CHAINPREFIX_HOST_OUT;
-
- PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
-
- virBufferAsprintf(buf,
- "$IPT -F %s" CMD_SEPARATOR
- "$IPT -X %s" CMD_SEPARATOR,
- chain,
- chain);
+ iptablesCreateTmpRootChainFW(fw, layer, 'F', false, ifname);
+ iptablesCreateTmpRootChainFW(fw, layer, 'F', true, ifname);
+ iptablesCreateTmpRootChainFW(fw, layer, 'H', true, ifname);
}
@@ -679,8 +540,12 @@ _iptablesRemoveRootChainFW(virFirewallPtr fw,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, layer, "-F", chain, NULL);
- virFirewallAddRule(fw, layer, "-X", chain, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-F", chain, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-X", chain, NULL);
}
@@ -696,17 +561,6 @@ iptablesRemoveRootChainFW(virFirewallPtr fw,
static void
-iptablesRemoveTmpRootChain(virBufferPtr buf,
- char prefix,
- bool incoming,
- const char *ifname)
-{
- _iptablesRemoveRootChain(buf, prefix,
- incoming, ifname, true);
-}
-
-
-static void
iptablesRemoveTmpRootChainFW(virFirewallPtr fw,
virFirewallLayer layer,
char prefix,
@@ -719,16 +573,6 @@ iptablesRemoveTmpRootChainFW(virFirewallPtr fw,
static void
-iptablesRemoveTmpRootChains(virBufferPtr buf,
- const char *ifname)
-{
- iptablesRemoveTmpRootChain(buf, 'F', false, ifname);
- iptablesRemoveTmpRootChain(buf, 'F', true, ifname);
- iptablesRemoveTmpRootChain(buf, 'H', true, ifname);
-}
-
-
-static void
iptablesRemoveTmpRootChainsFW(virFirewallPtr fw,
virFirewallLayer layer,
const char *ifname)
@@ -751,10 +595,11 @@ iptablesRemoveRootChainsFW(virFirewallPtr fw,
static void
-iptablesLinkTmpRootChain(virBufferPtr buf,
- const char *basechain,
- char prefix,
- bool incoming, const char *ifname)
+iptablesLinkTmpRootChainFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *basechain,
+ char prefix,
+ bool incoming, const char *ifname)
{
char chain[MAX_CHAINNAME_LENGTH];
char chainPrefix[2] = {
@@ -762,51 +607,49 @@ iptablesLinkTmpRootChain(virBufferPtr buf,
incoming ? CHAINPREFIX_HOST_IN_TEMP
: CHAINPREFIX_HOST_OUT_TEMP
};
- const char *match = incoming ? MATCH_PHYSDEV_IN
- : MATCH_PHYSDEV_OUT;
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virBufferAsprintf(buf,
- CMD_DEF("$IPT -A %s "
- "%s %s -g %s") CMD_SEPARATOR
- CMD_EXEC
- "%s",
- basechain,
- match, ifname, chain,
-
- CMD_STOPONERR(true));
+ if (incoming)
+ virFirewallAddRule(fw, layer,
+ "-A", basechain,
+ MATCH_PHYSDEV_IN_FW,
+ ifname,
+ "-g", chain, NULL);
+ else
+ virFirewallAddRule(fw, layer,
+ "-A", basechain,
+ MATCH_PHYSDEV_OUT_FW,
+ ifname,
+ "-g", chain, NULL);
}
static void
-iptablesLinkTmpRootChains(virBufferPtr buf,
- const char *ifname)
+iptablesLinkTmpRootChainsFW(virFirewallPtr fw,
+ virFirewallLayer layer,
+ const char *ifname)
{
- iptablesLinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', false, ifname);
- iptablesLinkTmpRootChain(buf, VIRT_IN_CHAIN, 'F', true, ifname);
- iptablesLinkTmpRootChain(buf, HOST_IN_CHAIN, 'H', true, ifname);
+ iptablesLinkTmpRootChainFW(fw, layer, VIRT_OUT_CHAIN, 'F', false, ifname);
+ iptablesLinkTmpRootChainFW(fw, layer, VIRT_IN_CHAIN, 'F', true, ifname);
+ iptablesLinkTmpRootChainFW(fw, layer, HOST_IN_CHAIN, 'H', true, ifname);
}
static void
-iptablesSetupVirtInPost(virBufferPtr buf,
- const char *ifname)
-{
- const char *match = MATCH_PHYSDEV_IN;
- virBufferAsprintf(buf,
- "res=$($IPT -n -L " VIRT_IN_POST_CHAIN
- " | grep \"\\%s %s\")\n"
- "if [ \"${res}\" = \"\" ]; then "
- CMD_DEF("$IPT"
- " -A " VIRT_IN_POST_CHAIN
- " %s %s -j ACCEPT") CMD_SEPARATOR
- CMD_EXEC
- "%s"
- "fi\n",
- PHYSDEV_IN, ifname,
- match, ifname,
- CMD_STOPONERR(true));
+iptablesSetupVirtInPostFW(virFirewallPtr fw ATTRIBUTE_UNUSED,
+ virFirewallLayer layer ATTRIBUTE_UNUSED,
+ const char *ifname ATTRIBUTE_UNUSED)
+{
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
+ virFirewallAddRule(fw, layer,
+ "-A", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
}
@@ -821,49 +664,6 @@ iptablesClearVirtInPostFW(virFirewallPtr fw,
ifname, "-j", "ACCEPT", NULL);
}
-static void
-_iptablesUnlinkRootChain(virBufferPtr buf,
- const char *basechain,
- char prefix,
- bool incoming, const char *ifname,
- bool isTempChain)
-{
- char chain[MAX_CHAINNAME_LENGTH];
- char chainPrefix[2] = {
- prefix,
- };
- if (isTempChain)
- chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN_TEMP
- : CHAINPREFIX_HOST_OUT_TEMP;
- else
- chainPrefix[1] = incoming ? CHAINPREFIX_HOST_IN
- : CHAINPREFIX_HOST_OUT;
- const char *match = incoming ? MATCH_PHYSDEV_IN
- : MATCH_PHYSDEV_OUT;
- const char *old_match = incoming ? NULL
- : MATCH_PHYSDEV_OUT_OLD;
-
- PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
-
- virBufferAsprintf(buf,
- "$IPT -D %s "
- "%s %s -g %s" CMD_SEPARATOR,
- basechain,
- match, ifname, chain);
-
- /*
- * Previous versions of libvirt may have created a rule
- * with the --physdev-is-bridged missing. Remove this one
- * as well.
- */
- if (old_match)
- virBufferAsprintf(buf,
- "$IPT -D %s "
- "%s %s -g %s" CMD_SEPARATOR,
- basechain,
- old_match, ifname, chain);
-}
-
static void
_iptablesUnlinkRootChainFW(virFirewallPtr fw,
@@ -887,17 +687,19 @@ _iptablesUnlinkRootChainFW(virFirewallPtr fw,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
if (incoming)
- virFirewallAddRule(fw, layer,
- "-D", basechain,
- MATCH_PHYSDEV_IN_FW, ifname,
- "-g", chain,
- NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_IN_FW, ifname,
+ "-g", chain,
+ NULL);
else
- virFirewallAddRule(fw, layer,
- "-D", basechain,
- MATCH_PHYSDEV_OUT_FW, ifname,
- "-g", chain,
- NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_FW, ifname,
+ "-g", chain,
+ NULL);
/*
* Previous versions of libvirt may have created a rule
@@ -905,11 +707,12 @@ _iptablesUnlinkRootChainFW(virFirewallPtr fw,
* as well.
*/
if (!incoming)
- virFirewallAddRule(fw, layer,
- "-D", basechain,
- MATCH_PHYSDEV_OUT_OLD_FW, ifname,
- "-g", chain,
- NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_OLD_FW, ifname,
+ "-g", chain,
+ NULL);
}
@@ -926,17 +729,6 @@ iptablesUnlinkRootChainFW(virFirewallPtr fw,
static void
-iptablesUnlinkTmpRootChain(virBufferPtr buf,
- const char *basechain,
- char prefix,
- bool incoming, const char *ifname)
-{
- _iptablesUnlinkRootChain(buf,
- basechain, prefix, incoming, ifname, true);
-}
-
-
-static void
iptablesUnlinkTmpRootChainFW(virFirewallPtr fw,
virFirewallLayer layer,
const char *basechain,
@@ -960,16 +752,6 @@ iptablesUnlinkRootChainsFW(virFirewallPtr fw,
static void
-iptablesUnlinkTmpRootChains(virBufferPtr buf,
- const char *ifname)
-{
- iptablesUnlinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', false, ifname);
- iptablesUnlinkTmpRootChain(buf, VIRT_IN_CHAIN, 'F', true, ifname);
- iptablesUnlinkTmpRootChain(buf, HOST_IN_CHAIN, 'H', true, ifname);
-}
-
-
-static void
iptablesUnlinkTmpRootChainsFW(virFirewallPtr fw,
virFirewallLayer layer,
const char *ifname)
@@ -1018,24 +800,17 @@ iptablesRenameTmpRootChainsFW(virFirewallPtr fw,
}
-static void
-iptablesInstCommand(virBufferPtr buf,
- const char *cmdstr)
-{
- virBufferAdd(buf, cmdstr, -1);
- virBufferAsprintf(buf, CMD_SEPARATOR "%s",
- CMD_STOPONERR(true));
-}
-
-
static int
-iptablesHandleSrcMacAddr(virBufferPtr buf,
+iptablesHandleSrcMacAddr(virFirewallPtr fw,
+ virFirewallRulePtr fwrule,
virNWFilterVarCombIterPtr vars,
nwItemDescPtr srcMacAddr,
bool directionIn,
bool *srcmacskipped)
{
char macaddr[VIR_MAC_STRING_BUFLEN];
+ int ret = -1;
+
*srcmacskipped = false;
if (HAS_ENTRY_ITEM(srcMacAddr)) {
@@ -1047,40 +822,43 @@ iptablesHandleSrcMacAddr(virBufferPtr buf,
if (printDataType(vars,
macaddr, sizeof(macaddr),
srcMacAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- " -m mac %s --mac-source %s",
- ENTRY_GET_NEG_SIGN(srcMacAddr),
- macaddr);
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "mac",
+ NULL);
+ if (ENTRY_WANT_NEG_SIGN(srcMacAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "--mac-source",
+ macaddr,
+ NULL);
}
- return 0;
-
- err_exit:
- virBufferFreeAndReset(buf);
-
- return -1;
+ ret = 0;
+ cleanup:
+ return ret;
}
static int
-iptablesHandleIpHdr(virBufferPtr buf,
- virBufferPtr afterStateMatch,
+iptablesHandleIpHdr(virFirewallPtr fw,
+ virFirewallRulePtr fwrule,
virNWFilterVarCombIterPtr vars,
ipHdrDataDefPtr ipHdr,
bool directionIn,
- bool *skipRule, bool *skipMatch,
- virBufferPtr prefix)
+ bool *skipRule, bool *skipMatch)
{
char ipaddr[INET6_ADDRSTRLEN],
+ ipaddralt[INET6_ADDRSTRLEN],
number[MAX(INT_BUFSIZE_BOUND(uint32_t),
INT_BUFSIZE_BOUND(int))];
- char str[MAX_IPSET_NAME_LENGTH];
const char *src = "--source";
const char *dst = "--destination";
const char *srcrange = "--src-range";
const char *dstrange = "--dst-range";
+ int ret = -1;
+
if (directionIn) {
src = "--destination";
dst = "--source";
@@ -1088,138 +866,116 @@ iptablesHandleIpHdr(virBufferPtr buf,
dstrange = "--src-range";
}
- if (HAS_ENTRY_ITEM(&ipHdr->dataIPSet) &&
- HAS_ENTRY_ITEM(&ipHdr->dataIPSetFlags)) {
-
- if (printDataType(vars,
- str, sizeof(str),
- &ipHdr->dataIPSet) < 0)
- goto err_exit;
-
- virBufferAsprintf(afterStateMatch,
- " -m set --match-set \"%s\" ",
- str);
-
- if (printDataTypeDirection(vars,
- str, sizeof(str),
- &ipHdr->dataIPSetFlags, directionIn) < 0)
- goto err_exit;
-
- virBufferAdd(afterStateMatch, str, -1);
- }
-
if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPAddr)) {
-
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&ipHdr->dataSrcIPAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- " %s %s %s",
- ENTRY_GET_NEG_SIGN(&ipHdr->dataSrcIPAddr),
- src,
- ipaddr);
+ if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, src);
if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPMask)) {
if (printDataType(vars,
number, sizeof(number),
&ipHdr->dataSrcIPMask) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- "/%s",
- number);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, ipaddr);
}
} else if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPFrom)) {
-
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&ipHdr->dataSrcIPFrom) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- " -m iprange %s %s %s",
- ENTRY_GET_NEG_SIGN(&ipHdr->dataSrcIPFrom),
- srcrange,
- ipaddr);
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "iprange",
+ NULL);
+ if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPFrom))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, srcrange);
if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPTo)) {
if (printDataType(vars,
- ipaddr, sizeof(ipaddr),
+ ipaddralt, sizeof(ipaddralt),
&ipHdr->dataSrcIPTo) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- "-%s",
- ipaddr);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s-%s", ipaddr, ipaddralt);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, ipaddr);
}
}
if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPAddr)) {
-
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&ipHdr->dataDstIPAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- " %s %s %s",
- ENTRY_GET_NEG_SIGN(&ipHdr->dataDstIPAddr),
- dst,
- ipaddr);
+ if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, dst);
if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPMask)) {
-
if (printDataType(vars,
number, sizeof(number),
&ipHdr->dataDstIPMask) < 0)
- goto err_exit;
-
- virBufferAsprintf(buf,
- "/%s",
- number);
+ goto cleanup;
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, ipaddr);
}
} else if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPFrom)) {
-
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&ipHdr->dataDstIPFrom) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- " -m iprange %s %s %s",
- ENTRY_GET_NEG_SIGN(&ipHdr->dataDstIPFrom),
- dstrange,
- ipaddr);
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "iprange",
+ NULL);
+ if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPFrom))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, dstrange);
if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPTo)) {
-
if (printDataType(vars,
- ipaddr, sizeof(ipaddr),
+ ipaddralt, sizeof(ipaddralt),
&ipHdr->dataDstIPTo) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- "-%s",
- ipaddr);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s-%s", ipaddr, ipaddralt);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, ipaddr);
}
}
if (HAS_ENTRY_ITEM(&ipHdr->dataDSCP)) {
-
if (printDataType(vars,
number, sizeof(number),
&ipHdr->dataDSCP) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(buf,
- " -m dscp %s --dscp %s",
- ENTRY_GET_NEG_SIGN(&ipHdr->dataDSCP),
- number);
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "dscp",
+ NULL);
+ if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDSCP))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "--dscp", number,
+ NULL);
}
if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) {
@@ -1227,47 +983,93 @@ iptablesHandleIpHdr(virBufferPtr buf,
/* only support for limit in outgoing dir. */
*skipRule = true;
} else {
+ *skipMatch = true;
+ }
+ }
+
+ ret = 0;
+ cleanup:
+ return ret;
+}
+
+
+static int
+iptablesHandleIpHdrAfterStateMatch(virFirewallPtr fw,
+ virFirewallRulePtr fwrule,
+ virNWFilterVarCombIterPtr vars,
+ ipHdrDataDefPtr ipHdr,
+ bool directionIn)
+{
+ char number[MAX(INT_BUFSIZE_BOUND(uint32_t),
+ INT_BUFSIZE_BOUND(int))];
+ char str[MAX_IPSET_NAME_LENGTH];
+ int ret = -1;
+
+ if (HAS_ENTRY_ITEM(&ipHdr->dataIPSet) &&
+ HAS_ENTRY_ITEM(&ipHdr->dataIPSetFlags)) {
+
+ if (printDataType(vars,
+ str, sizeof(str),
+ &ipHdr->dataIPSet) < 0)
+ goto cleanup;
+
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "set",
+ "--match-set", str,
+ NULL);
+
+ if (printDataTypeDirection(vars,
+ str, sizeof(str),
+ &ipHdr->dataIPSetFlags, directionIn) < 0)
+ goto cleanup;
+
+ virFirewallRuleAddArg(fw, fwrule, str);
+ }
+
+ if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) {
+ if (!directionIn) {
if (printDataType(vars,
number, sizeof(number),
&ipHdr->dataConnlimitAbove) < 0)
- goto err_exit;
+ goto cleanup;
/* place connlimit after potential -m state --state ...
since this is the most useful order */
- virBufferAsprintf(afterStateMatch,
- " -m connlimit %s --connlimit-above %s",
- ENTRY_GET_NEG_SIGN(&ipHdr->dataConnlimitAbove),
- number);
- *skipMatch = true;
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "connlimit",
+ NULL);
+ if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataConnlimitAbove))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "--connlimit-above", number,
+ NULL);
}
}
if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
- printCommentVar(prefix, ipHdr->dataComment.u.string);
-
/* keep comments behind everything else -- they are packet eval.
no-ops */
- virBufferAddLit(afterStateMatch,
- " -m comment --comment \"$" COMMENT_VARNAME
"\"");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "comment",
+ "--comment", ipHdr->dataComment.u.string,
+ NULL);
}
- return 0;
-
- err_exit:
- virBufferFreeAndReset(buf);
- virBufferFreeAndReset(afterStateMatch);
-
- return -1;
+ ret = 0;
+ cleanup:
+ return ret;
}
static int
-iptablesHandlePortData(virBufferPtr buf,
+iptablesHandlePortData(virFirewallPtr fw,
+ virFirewallRulePtr fwrule,
virNWFilterVarCombIterPtr vars,
portDataDefPtr portData,
bool directionIn)
{
char portstr[20];
+ char portstralt[20];
const char *sport = "--sport";
const char *dport = "--dport";
if (directionIn) {
@@ -1281,21 +1083,20 @@ iptablesHandlePortData(virBufferPtr buf,
&portData->dataSrcPortStart) < 0)
goto err_exit;
- virBufferAsprintf(buf,
- " %s %s %s",
- ENTRY_GET_NEG_SIGN(&portData->dataSrcPortStart),
- sport,
- portstr);
+ if (ENTRY_WANT_NEG_SIGN(&portData->dataSrcPortStart))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, sport);
if (HAS_ENTRY_ITEM(&portData->dataSrcPortEnd)) {
if (printDataType(vars,
- portstr, sizeof(portstr),
+ portstralt, sizeof(portstralt),
&portData->dataSrcPortEnd) < 0)
goto err_exit;
- virBufferAsprintf(buf,
- ":%s",
- portstr);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s:%s", portstr, portstralt);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, portstr);
}
}
@@ -1305,21 +1106,20 @@ iptablesHandlePortData(virBufferPtr buf,
&portData->dataDstPortStart) < 0)
goto err_exit;
- virBufferAsprintf(buf,
- " %s %s %s",
- ENTRY_GET_NEG_SIGN(&portData->dataDstPortStart),
- dport,
- portstr);
+ if (ENTRY_WANT_NEG_SIGN(&portData->dataDstPortStart))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, dport);
if (HAS_ENTRY_ITEM(&portData->dataDstPortEnd)) {
if (printDataType(vars,
- portstr, sizeof(portstr),
+ portstralt, sizeof(portstralt),
&portData->dataDstPortEnd) < 0)
goto err_exit;
- virBufferAsprintf(buf,
- ":%s",
- portstr);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s:%s", portstr, portstralt);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, portstr);
}
}
@@ -1331,9 +1131,10 @@ iptablesHandlePortData(virBufferPtr buf,
static void
-iptablesEnforceDirection(bool directionIn,
- virNWFilterRuleDefPtr rule,
- virBufferPtr buf)
+iptablesEnforceDirection(virFirewallPtr fw,
+ virFirewallRulePtr fwrule,
+ bool directionIn,
+ virNWFilterRuleDefPtr rule)
{
switch (iptables_ctdir_corrected) {
case CTDIR_STATUS_UNKNOWN:
@@ -1347,14 +1148,20 @@ iptablesEnforceDirection(bool directionIn,
}
if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT)
- virBufferAsprintf(buf, " -m conntrack --ctdir %s",
- (directionIn) ? "Original"
- : "Reply");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "conntrack",
+ "--ctdir",
+ (directionIn ?
+ "Original" :
+ "Reply"),
+ NULL);
}
/*
* _iptablesCreateRuleInstance:
+ * @fw: the firewall ruleset instance
+ * @layer: the firewall layer
* @chainPrefix : The prefix to put in front of the name of the chain
* @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to
@@ -1362,11 +1169,8 @@ iptablesEnforceDirection(bool directionIn,
* @match : optional string for state match
* @accept_target : where to jump to on accepted traffic, i.e., "RETURN"
* "ACCEPT"
- * @isIPv6 : Whether this is an IPv6 rule
* @maySkipICMP : whether this rule may under certain circumstances skip
* the ICMP rule from being created
- * @templates: pointer to array to store rule template
- * @ntemplates: pointer to storage rule template count
*
* Convert a single rule into its representation for later instantiation
*
@@ -1374,287 +1178,267 @@ iptablesEnforceDirection(bool directionIn,
* pointed to by res, != 0 otherwise.
*/
static int
-_iptablesCreateRuleInstance(bool directionIn,
+_iptablesCreateRuleInstance(virFirewallPtr fw,
+ virFirewallLayer layer,
+ bool directionIn,
const char *chainPrefix,
virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterVarCombIterPtr vars,
const char *match, bool defMatch,
const char *accept_target,
- bool isIPv6,
- bool maySkipICMP,
- char ***templates,
- size_t *ntemplates)
+ bool maySkipICMP)
{
char chain[MAX_CHAINNAME_LENGTH];
char number[MAX(INT_BUFSIZE_BOUND(uint32_t),
INT_BUFSIZE_BOUND(int))];
- virBuffer prefix = VIR_BUFFER_INITIALIZER;
- virBuffer buf = VIR_BUFFER_INITIALIZER;
- virBuffer afterStateMatch = VIR_BUFFER_INITIALIZER;
- virBufferPtr final = NULL;
+ char numberalt[MAX(INT_BUFSIZE_BOUND(uint32_t),
+ INT_BUFSIZE_BOUND(int))];
const char *target;
- const char *iptables_cmd = (isIPv6) ? ip6tables_cmd_path
- : iptables_cmd_path;
- unsigned int bufUsed;
bool srcMacSkipped = false;
bool skipRule = false;
bool skipMatch = false;
bool hasICMPType = false;
- char *template;
-
- if (!iptables_cmd) {
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("cannot create rule since %s tool is "
- "missing."),
- isIPv6 ? "ip6tables" : "iptables");
- goto err_exit;
- }
+ virFirewallRulePtr fwrule;
+ size_t fwruleargs;
+ int ret = -1;
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
switch (rule->prtclType) {
case VIR_NWFILTER_RULE_PROTOCOL_TCP:
case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -A %s",
- chain);
+ fwrule = virFirewallAddRule(fw, layer,
+ "-A", chain,
+ "-p", "tcp",
+ NULL);
- virBufferAddLit(&buf, " -p tcp");
+ fwruleargs = virFirewallRuleGetArgCount(fwrule);
- bufUsed = virBufferUse(&buf);
-
- if (iptablesHandleSrcMacAddr(&buf,
+ if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
&rule->p.tcpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto err_exit;
+ goto cleanup;
- if (iptablesHandleIpHdr(&buf,
- &afterStateMatch,
+ if (iptablesHandleIpHdr(fw, fwrule,
vars,
&rule->p.tcpHdrFilter.ipHdr,
directionIn,
- &skipRule, &skipMatch,
- &prefix) < 0)
- goto err_exit;
+ &skipRule, &skipMatch) < 0)
+ goto cleanup;
if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPFlags)) {
- virBufferAsprintf(&buf, " %s --tcp-flags ",
- ENTRY_GET_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPFlags));
- virNWFilterPrintTCPFlags(&buf,
- rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mask,
- ' ',
- rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.flags);
+ char *flags;
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPFlags))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, "--tcp-flags");
+
+ if (!(flags =
virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mask)))
+ goto cleanup;
+ virFirewallRuleAddArg(fw, fwrule, flags);
+ VIR_FREE(flags);
+ if (!(flags =
virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.flags)))
+ goto cleanup;
+ virFirewallRuleAddArg(fw, fwrule, flags);
+ VIR_FREE(flags);
}
- if (iptablesHandlePortData(&buf,
+ if (iptablesHandlePortData(fw, fwrule,
vars,
&rule->p.tcpHdrFilter.portData,
directionIn) < 0)
- goto err_exit;
+ goto cleanup;
if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPOption)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.tcpHdrFilter.dataTCPOption) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s --tcp-option %s",
-
ENTRY_GET_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption),
- number);
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "--tcp-option", number, NULL);
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_UDP:
case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -A %s",
- chain);
+ fwrule = virFirewallAddRule(fw, layer,
+ "-A", chain,
+ "-p", "udp",
+ NULL);
- virBufferAddLit(&buf, " -p udp");
+ fwruleargs = virFirewallRuleGetArgCount(fwrule);
- bufUsed = virBufferUse(&buf);
-
- if (iptablesHandleSrcMacAddr(&buf,
+ if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
&rule->p.udpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto err_exit;
+ goto cleanup;
- if (iptablesHandleIpHdr(&buf,
- &afterStateMatch,
+ if (iptablesHandleIpHdr(fw, fwrule,
vars,
&rule->p.udpHdrFilter.ipHdr,
directionIn,
- &skipRule, &skipMatch,
- &prefix) < 0)
- goto err_exit;
+ &skipRule, &skipMatch) < 0)
+ goto cleanup;
- if (iptablesHandlePortData(&buf,
+ if (iptablesHandlePortData(fw, fwrule,
vars,
&rule->p.udpHdrFilter.portData,
directionIn) < 0)
- goto err_exit;
+ goto cleanup;
break;
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -A %s",
- chain);
-
- virBufferAddLit(&buf, " -p udplite");
+ fwrule = virFirewallAddRule(fw, layer,
+ "-A", chain,
+ "-p", "udplite",
+ NULL);
- bufUsed = virBufferUse(&buf);
+ fwruleargs = virFirewallRuleGetArgCount(fwrule);
- if (iptablesHandleSrcMacAddr(&buf,
+ if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
&rule->p.udpliteHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto err_exit;
+ goto cleanup;
- if (iptablesHandleIpHdr(&buf,
- &afterStateMatch,
+ if (iptablesHandleIpHdr(fw, fwrule,
vars,
&rule->p.udpliteHdrFilter.ipHdr,
directionIn,
- &skipRule, &skipMatch,
- &prefix) < 0)
- goto err_exit;
+ &skipRule, &skipMatch) < 0)
+ goto cleanup;
break;
case VIR_NWFILTER_RULE_PROTOCOL_ESP:
case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -A %s",
- chain);
+ fwrule = virFirewallAddRule(fw, layer,
+ "-A", chain,
+ "-p", "esp",
+ NULL);
- virBufferAddLit(&buf, " -p esp");
+ fwruleargs = virFirewallRuleGetArgCount(fwrule);
- bufUsed = virBufferUse(&buf);
-
- if (iptablesHandleSrcMacAddr(&buf,
+ if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
&rule->p.espHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto err_exit;
+ goto cleanup;
- if (iptablesHandleIpHdr(&buf,
- &afterStateMatch,
+ if (iptablesHandleIpHdr(fw, fwrule,
vars,
&rule->p.espHdrFilter.ipHdr,
directionIn,
- &skipRule, &skipMatch,
- &prefix) < 0)
- goto err_exit;
+ &skipRule, &skipMatch) < 0)
+ goto cleanup;
break;
case VIR_NWFILTER_RULE_PROTOCOL_AH:
case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -A %s",
- chain);
+ fwrule = virFirewallAddRule(fw, layer,
+ "-A", chain,
+ "-p", "ah",
+ NULL);
- virBufferAddLit(&buf, " -p ah");
+ fwruleargs = virFirewallRuleGetArgCount(fwrule);
- bufUsed = virBufferUse(&buf);
-
- if (iptablesHandleSrcMacAddr(&buf,
+ if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
&rule->p.ahHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto err_exit;
+ goto cleanup;
- if (iptablesHandleIpHdr(&buf,
- &afterStateMatch,
+ if (iptablesHandleIpHdr(fw, fwrule,
vars,
&rule->p.ahHdrFilter.ipHdr,
directionIn,
- &skipRule, &skipMatch,
- &prefix) < 0)
- goto err_exit;
+ &skipRule, &skipMatch) < 0)
+ goto cleanup;
break;
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -A %s",
- chain);
-
- virBufferAddLit(&buf, " -p sctp");
+ fwrule = virFirewallAddRule(fw, layer,
+ "-A", chain,
+ "-p", "sctp",
+ NULL);
- bufUsed = virBufferUse(&buf);
+ fwruleargs = virFirewallRuleGetArgCount(fwrule);
- if (iptablesHandleSrcMacAddr(&buf,
+ if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
&rule->p.sctpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto err_exit;
+ goto cleanup;
- if (iptablesHandleIpHdr(&buf,
- &afterStateMatch,
+ if (iptablesHandleIpHdr(fw, fwrule,
vars,
&rule->p.sctpHdrFilter.ipHdr,
directionIn,
- &skipRule, &skipMatch,
- &prefix) < 0)
- goto err_exit;
+ &skipRule, &skipMatch) < 0)
+ goto cleanup;
- if (iptablesHandlePortData(&buf,
+ if (iptablesHandlePortData(fw, fwrule,
vars,
&rule->p.sctpHdrFilter.portData,
directionIn) < 0)
- goto err_exit;
+ goto cleanup;
break;
case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -A %s",
- chain);
+ fwrule = virFirewallAddRule(fw, layer,
+ "-A", chain,
+ NULL);
if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
- virBufferAddLit(&buf, " -p icmp");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-p", "icmp", NULL);
else
- virBufferAddLit(&buf, " -p icmpv6");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-p", "icmpv6", NULL);
- bufUsed = virBufferUse(&buf);
+ fwruleargs = virFirewallRuleGetArgCount(fwrule);
- if (iptablesHandleSrcMacAddr(&buf,
+ if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
&rule->p.icmpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto err_exit;
+ goto cleanup;
- if (iptablesHandleIpHdr(&buf,
- &afterStateMatch,
+ if (iptablesHandleIpHdr(fw, fwrule,
vars,
&rule->p.icmpHdrFilter.ipHdr,
directionIn,
- &skipRule, &skipMatch,
- &prefix) < 0)
- goto err_exit;
+ &skipRule, &skipMatch) < 0)
+ goto cleanup;
if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
const char *parm;
hasICMPType = true;
- if (maySkipICMP)
- goto exit_no_error;
+ if (maySkipICMP) {
+ virFirewallRemoveRule(fw, fwrule);
+ ret = 0;
+ goto cleanup;
+ }
if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
parm = "--icmp-type";
@@ -1664,90 +1448,86 @@ _iptablesCreateRuleInstance(bool directionIn,
if (printDataType(vars,
number, sizeof(number),
&rule->p.icmpHdrFilter.dataICMPType) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- ENTRY_GET_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType),
- parm,
- number);
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, parm);
if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPCode)) {
if (printDataType(vars,
- number, sizeof(number),
+ numberalt, sizeof(numberalt),
&rule->p.icmpHdrFilter.dataICMPCode) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- "/%s",
- number);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", number, numberalt);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, number);
}
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -A %s",
- chain);
-
- virBufferAddLit(&buf, " -p igmp");
+ fwrule = virFirewallAddRule(fw, layer,
+ "-A", chain,
+ "-p", "igmp",
+ NULL);
- bufUsed = virBufferUse(&buf);
+ fwruleargs = virFirewallRuleGetArgCount(fwrule);
- if (iptablesHandleSrcMacAddr(&buf,
+ if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
&rule->p.igmpHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto err_exit;
+ goto cleanup;
- if (iptablesHandleIpHdr(&buf,
- &afterStateMatch,
+ if (iptablesHandleIpHdr(fw, fwrule,
vars,
&rule->p.igmpHdrFilter.ipHdr,
directionIn,
- &skipRule, &skipMatch,
- &prefix) < 0)
- goto err_exit;
+ &skipRule, &skipMatch) < 0)
+ goto cleanup;
break;
case VIR_NWFILTER_RULE_PROTOCOL_ALL:
case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$IPT -A %s",
- chain);
-
- virBufferAddLit(&buf, " -p all");
+ fwrule = virFirewallAddRule(fw, layer,
+ "-A", chain,
+ "-p", "all",
+ NULL);
- bufUsed = virBufferUse(&buf);
+ fwruleargs = virFirewallRuleGetArgCount(fwrule);
- if (iptablesHandleSrcMacAddr(&buf,
+ if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
&rule->p.allHdrFilter.dataSrcMACAddr,
directionIn,
&srcMacSkipped) < 0)
- goto err_exit;
+ goto cleanup;
- if (iptablesHandleIpHdr(&buf,
- &afterStateMatch,
+ if (iptablesHandleIpHdr(fw, fwrule,
vars,
&rule->p.allHdrFilter.ipHdr,
directionIn,
- &skipRule, &skipMatch,
- &prefix) < 0)
- goto err_exit;
+ &skipRule, &skipMatch) < 0)
+ goto cleanup;
break;
default:
- return -1;
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unexpected protocol %d"),
+ rule->prtclType);
+ goto cleanup;
}
- if ((srcMacSkipped && bufUsed == virBufferUse(&buf)) ||
- skipRule) {
- virBufferFreeAndReset(&buf);
- virBufferFreeAndReset(&prefix);
+ if ((srcMacSkipped &&
+ fwruleargs == virFirewallRuleGetArgCount(fwrule)) ||
+ skipRule) {
+ virFirewallRemoveRule(fw, fwrule);
return 0;
}
@@ -1758,81 +1538,36 @@ _iptablesCreateRuleInstance(bool directionIn,
skipMatch = defMatch;
}
- if (match && !skipMatch)
- virBufferAsprintf(&buf, " %s", match);
-
- if (defMatch && match != NULL && !skipMatch && !hasICMPType)
- iptablesEnforceDirection(directionIn,
- rule,
- &buf);
-
- if (virBufferError(&afterStateMatch)) {
- virBufferFreeAndReset(&buf);
- virBufferFreeAndReset(&prefix);
- virBufferFreeAndReset(&afterStateMatch);
- virReportOOMError();
- return -1;
- }
-
- if (virBufferUse(&afterStateMatch)) {
- char *s = virBufferContentAndReset(&afterStateMatch);
-
- virBufferAdd(&buf, s, -1);
-
- VIR_FREE(s);
- }
-
- virBufferAsprintf(&buf,
- " -j %s" CMD_DEF_POST CMD_SEPARATOR
- CMD_EXEC,
- target);
-
- if (virBufferError(&buf) || virBufferError(&prefix)) {
- virBufferFreeAndReset(&buf);
- virBufferFreeAndReset(&prefix);
- virReportOOMError();
- return -1;
- }
-
- if (virBufferUse(&prefix)) {
- char *s = virBufferContentAndReset(&buf);
-
- virBufferAdd(&prefix, s, -1);
-
- VIR_FREE(s);
-
- final = &prefix;
-
- if (virBufferError(&prefix)) {
- virBufferFreeAndReset(&prefix);
- virReportOOMError();
- return -1;
- }
- } else
- final = &buf;
-
-
- template = virBufferContentAndReset(final);
- if (VIR_APPEND_ELEMENT(*templates, *ntemplates, template) < 0) {
- VIR_FREE(template);
- return -1;
+ if (match && !skipMatch) {
+ if (newMatchState)
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "conntrack",
+ "--ctstate", match,
+ NULL);
+ else
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "state",
+ "--state", match,
+ NULL);
}
- return 0;
-
- err_exit:
- virBufferFreeAndReset(&buf);
- virBufferFreeAndReset(&prefix);
- virBufferFreeAndReset(&afterStateMatch);
+ if (defMatch && match != NULL && !skipMatch && !hasICMPType)
+ iptablesEnforceDirection(fw, fwrule,
+ directionIn,
+ rule);
- return -1;
+ if (iptablesHandleIpHdrAfterStateMatch(fw, fwrule,
+ vars,
+ &rule->p.allHdrFilter.ipHdr,
+ directionIn) < 0)
+ goto cleanup;
- exit_no_error:
- virBufferFreeAndReset(&buf);
- virBufferFreeAndReset(&prefix);
- virBufferFreeAndReset(&afterStateMatch);
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-j", target, NULL);
- return 0;
+ ret = 0;
+ cleanup:
+ return ret;
}
@@ -1841,7 +1576,7 @@ printStateMatchFlags(int32_t flags, char **bufptr)
{
virBuffer buf = VIR_BUFFER_INITIALIZER;
virNWFilterPrintStateMatchFlags(&buf,
- "-m state --state ",
+ "",
flags,
false);
if (virBufferError(&buf)) {
@@ -1854,12 +1589,11 @@ printStateMatchFlags(int32_t flags, char **bufptr)
}
static int
-iptablesCreateRuleInstanceStateCtrl(virNWFilterRuleDefPtr rule,
+iptablesCreateRuleInstanceStateCtrl(virFirewallPtr fw,
+ virFirewallLayer layer,
+ virNWFilterRuleDefPtr rule,
const char *ifname,
- virNWFilterVarCombIterPtr vars,
- bool isIPv6,
- char ***templates,
- size_t *ntemplates)
+ virNWFilterVarCombIterPtr vars)
{
int rc;
bool directionIn = false;
@@ -1893,17 +1627,16 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterRuleDefPtr rule,
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
if (create) {
- rc = _iptablesCreateRuleInstance(directionIn,
+ rc = _iptablesCreateRuleInstance(fw,
+ layer,
+ directionIn,
chainPrefix,
rule,
ifname,
vars,
matchState, false,
"RETURN",
- isIPv6,
- maySkipICMP,
- templates,
- ntemplates);
+ maySkipICMP);
VIR_FREE(matchState);
if (rc < 0)
@@ -1925,17 +1658,16 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterRuleDefPtr rule,
chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
if (create) {
- rc = _iptablesCreateRuleInstance(!directionIn,
+ rc = _iptablesCreateRuleInstance(fw,
+ layer,
+ !directionIn,
chainPrefix,
rule,
ifname,
vars,
matchState, false,
"ACCEPT",
- isIPv6,
- maySkipICMP,
- templates,
- ntemplates);
+ maySkipICMP);
VIR_FREE(matchState);
@@ -1960,17 +1692,16 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterRuleDefPtr rule,
if (create) {
chainPrefix[0] = 'H';
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
- rc = _iptablesCreateRuleInstance(directionIn,
+ rc = _iptablesCreateRuleInstance(fw,
+ layer,
+ directionIn,
chainPrefix,
rule,
ifname,
vars,
matchState, false,
"RETURN",
- isIPv6,
- maySkipICMP,
- templates,
- ntemplates);
+ maySkipICMP);
VIR_FREE(matchState);
}
@@ -1979,12 +1710,11 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterRuleDefPtr rule,
static int
-iptablesCreateRuleInstance(virNWFilterRuleDefPtr rule,
+iptablesCreateRuleInstance(virFirewallPtr fw,
+ virFirewallLayer layer,
+ virNWFilterRuleDefPtr rule,
const char *ifname,
- virNWFilterVarCombIterPtr vars,
- bool isIPv6,
- char ***templates,
- size_t *ntemplates)
+ virNWFilterVarCombIterPtr vars)
{
int rc;
bool directionIn = false;
@@ -1995,12 +1725,11 @@ iptablesCreateRuleInstance(virNWFilterRuleDefPtr rule,
if (!(rule->flags & RULE_FLAG_NO_STATEMATCH) &&
(rule->flags & IPTABLES_STATE_FLAGS)) {
- return iptablesCreateRuleInstanceStateCtrl(rule,
+ return iptablesCreateRuleInstanceStateCtrl(fw,
+ layer,
+ rule,
ifname,
- vars,
- isIPv6,
- templates,
- ntemplates);
+ vars);
}
if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) ||
@@ -2019,66 +1748,63 @@ iptablesCreateRuleInstance(virNWFilterRuleDefPtr rule,
maySkipICMP = directionIn || inout;
if (needState)
- matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
+ matchState = directionIn ? "ESTABLISHED" :
"NEW,ESTABLISHED";
else
matchState = NULL;
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
- rc = _iptablesCreateRuleInstance(directionIn,
+ rc = _iptablesCreateRuleInstance(fw,
+ layer,
+ directionIn,
chainPrefix,
rule,
ifname,
vars,
matchState, true,
"RETURN",
- isIPv6,
- maySkipICMP,
- templates,
- ntemplates);
+ maySkipICMP);
if (rc < 0)
return rc;
maySkipICMP = !directionIn || inout;
if (needState)
- matchState = directionIn ? MATCH_STATE_OUT : MATCH_STATE_IN;
+ matchState = directionIn ? "NEW,ESTABLISHED" :
"ESTABLISHED";
else
matchState = NULL;
chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
- rc = _iptablesCreateRuleInstance(!directionIn,
+ rc = _iptablesCreateRuleInstance(fw,
+ layer,
+ !directionIn,
chainPrefix,
rule,
ifname,
vars,
matchState, true,
"ACCEPT",
- isIPv6,
- maySkipICMP,
- templates,
- ntemplates);
+ maySkipICMP);
if (rc < 0)
return rc;
maySkipICMP = directionIn;
if (needState)
- matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
+ matchState = directionIn ? "ESTABLISHED" :
"NEW,ESTABLISHED";
else
matchState = NULL;
chainPrefix[0] = 'H';
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
- rc = _iptablesCreateRuleInstance(directionIn,
+ rc = _iptablesCreateRuleInstance(fw,
+ layer,
+ directionIn,
chainPrefix,
rule,
ifname,
vars,
matchState, true,
"RETURN",
- isIPv6,
- maySkipICMP,
- templates,
- ntemplates);
+ maySkipICMP);
return rc;
}
@@ -2088,14 +1814,13 @@ iptablesCreateRuleInstance(virNWFilterRuleDefPtr rule,
/*
* ebtablesCreateRuleInstance:
+ * @fw: the firewall ruleset to add to
* @chainPrefix : The prefix to put in front of the name of the chain
* @chainSuffix: The suffix to put on the end of the name of the chain
* @rule: The rule of the filter to convert
* @ifname : The name of the interface to apply the rule to
* @vars : A map containing the variables to resolve
* @reverse : Whether to reverse src and dst attributes
- * @templates: pointer to array to store rule template
- * @ntemplates: pointer to storage rule template count
*
* Convert a single rule into its representation for later instantiation
*
@@ -2103,13 +1828,13 @@ iptablesCreateRuleInstance(virNWFilterRuleDefPtr rule,
* pointed to by res, != 0 otherwise.
*/
static int
-ebtablesCreateRuleInstance(char chainPrefix,
+ebtablesCreateRuleInstance(virFirewallPtr fw,
+ char chainPrefix,
const char *chainSuffix,
virNWFilterRuleDefPtr rule,
const char *ifname,
virNWFilterVarCombIterPtr vars,
- bool reverse,
- char **template)
+ bool reverse)
{
char macaddr[VIR_MAC_STRING_BUFLEN],
ipaddr[INET_ADDRSTRLEN],
@@ -2117,20 +1842,15 @@ ebtablesCreateRuleInstance(char chainPrefix,
ipv6addr[INET6_ADDRSTRLEN],
number[MAX(INT_BUFSIZE_BOUND(uint32_t),
INT_BUFSIZE_BOUND(int))],
- field[MAX(VIR_MAC_STRING_BUFLEN, INET6_ADDRSTRLEN)];
+ numberalt[MAX(INT_BUFSIZE_BOUND(uint32_t),
+ INT_BUFSIZE_BOUND(int))],
+ field[MAX(VIR_MAC_STRING_BUFLEN, INET6_ADDRSTRLEN)],
+ fieldalt[MAX(VIR_MAC_STRING_BUFLEN, INET6_ADDRSTRLEN)];
char chain[MAX_CHAINNAME_LENGTH];
- virBuffer buf = VIR_BUFFER_INITIALIZER;
const char *target;
bool hasMask = false;
-
- *template = NULL;
-
- if (!ebtables_cmd_path) {
- virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
- _("cannot create rule since ebtables tool is "
- "missing."));
- goto err_exit;
- }
+ virFirewallRulePtr fwrule;
+ int ret = -1;
if (STREQ(chainSuffix,
virNWFilterChainSuffixTypeToString(
@@ -2140,89 +1860,85 @@ ebtablesCreateRuleInstance(char chainPrefix,
PRINT_CHAIN(chain, chainPrefix, ifname,
chainSuffix);
+#define INST_ITEM(STRUCT, ITEM, CLI) \
+ if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM)) { \
+ if (printDataType(vars, \
+ field, sizeof(field), \
+ &rule->p.STRUCT.ITEM) < 0) \
+ goto cleanup; \
+ virFirewallRuleAddArg(fw, fwrule, CLI); \
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \
+ virFirewallRuleAddArg(fw, fwrule, "!"); \
+ virFirewallRuleAddArg(fw, fwrule, field); \
+ }
+
+#define INST_ITEM_2PARMS(STRUCT, ITEM, ITEM_HI, CLI, SEP) \
+ if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM)) { \
+ if (printDataType(vars, \
+ field, sizeof(field), \
+ &rule->p.STRUCT.ITEM) < 0) \
+ goto cleanup; \
+ virFirewallRuleAddArg(fw, fwrule, CLI); \
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \
+ virFirewallRuleAddArg(fw, fwrule, "!"); \
+ if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \
+ if (printDataType(vars, \
+ fieldalt, sizeof(fieldalt), \
+ &rule->p.STRUCT.ITEM_HI) < 0) \
+ goto cleanup; \
+ virFirewallRuleAddArgFormat(fw, fwrule, \
+ "%s%s%s", field, SEP, fieldalt); \
+ } else { \
+ virFirewallRuleAddArg(fw, fwrule, field); \
+ } \
+ }
+#define INST_ITEM_RANGE(S, I, I_HI, C) \
+ INST_ITEM_2PARMS(S, I, I_HI, C, ":")
+#define INST_ITEM_MASK(S, I, MASK, C) \
+ INST_ITEM_2PARMS(S, I, MASK, C, "/")
switch (rule->prtclType) {
case VIR_NWFILTER_RULE_PROTOCOL_MAC:
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat",
+ "-A", chain, NULL);
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -A %s",
- chain);
-
- if (ebtablesHandleEthHdr(&buf,
+ if (ebtablesHandleEthHdr(fw, fwrule,
vars,
&rule->p.ethHdrFilter.ethHdr,
reverse) < 0)
- goto err_exit;
+ goto cleanup;
if (HAS_ENTRY_ITEM(&rule->p.ethHdrFilter.dataProtocolID)) {
if (printDataTypeAsHex(vars,
number, sizeof(number),
&rule->p.ethHdrFilter.dataProtocolID) < 0)
- goto err_exit;
- virBufferAsprintf(&buf,
- " -p %s %s",
-
ENTRY_GET_NEG_SIGN(&rule->p.ethHdrFilter.dataProtocolID),
- number);
+ goto cleanup;
+ virFirewallRuleAddArg(fw, fwrule, "-p");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.ethHdrFilter.dataProtocolID))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, number);
}
- break;
+ break;
case VIR_NWFILTER_RULE_PROTOCOL_VLAN:
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -A %s",
- chain);
-
-
- if (ebtablesHandleEthHdr(&buf,
+ if (ebtablesHandleEthHdr(fw, fwrule,
vars,
&rule->p.vlanHdrFilter.ethHdr,
reverse) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAddLit(&buf,
- " -p 0x8100");
-
-#define INST_ITEM(STRUCT, ITEM, CLI) \
- if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM)) { \
- if (printDataType(vars, \
- field, sizeof(field), \
- &rule->p.STRUCT.ITEM) < 0) \
- goto err_exit; \
- virBufferAsprintf(&buf, \
- " " CLI " %s %s", \
- ENTRY_GET_NEG_SIGN(&rule->p.STRUCT.ITEM), \
- field); \
- }
-
-#define INST_ITEM_2PARMS(STRUCT, ITEM, ITEM_HI, CLI, SEP) \
- if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM)) { \
- if (printDataType(vars, \
- field, sizeof(field), \
- &rule->p.STRUCT.ITEM) < 0) \
- goto err_exit; \
- virBufferAsprintf(&buf, \
- " " CLI " %s %s", \
- ENTRY_GET_NEG_SIGN(&rule->p.STRUCT.ITEM), \
- field); \
- if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \
- if (printDataType(vars, \
- field, sizeof(field), \
- &rule->p.STRUCT.ITEM_HI) < 0) \
- goto err_exit; \
- virBufferAsprintf(&buf, SEP "%s", field); \
- } \
- }
-#define INST_ITEM_RANGE(S, I, I_HI, C) \
- INST_ITEM_2PARMS(S, I, I_HI, C, ":")
-#define INST_ITEM_MASK(S, I, MASK, C) \
- INST_ITEM_2PARMS(S, I, MASK, C, "/")
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-p", "0x8100", NULL);
INST_ITEM(vlanHdrFilter, dataVlanID, "--vlan-id")
INST_ITEM(vlanHdrFilter, dataVlanEncap, "--vlan-encap")
- break;
+ break;
case VIR_NWFILTER_RULE_PROTOCOL_STP:
-
/* cannot handle inout direction with srcmask set in reverse dir.
since this clashes with -d below... */
if (reverse &&
@@ -2235,18 +1951,17 @@ ebtablesCreateRuleInstance(char chainPrefix,
return -1;
}
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -A %s",
- chain);
-
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
- if (ebtablesHandleEthHdr(&buf,
+ if (ebtablesHandleEthHdr(fw, fwrule,
vars,
&rule->p.stpHdrFilter.ethHdr,
reverse) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAddLit(&buf, " -d " NWFILTER_MAC_BGA);
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-d", NWFILTER_MAC_BGA, NULL);
INST_ITEM(stpHdrFilter, dataType, "--stp-type")
INST_ITEM(stpHdrFilter, dataFlags, "--stp-flags")
@@ -2268,172 +1983,169 @@ ebtablesCreateRuleInstance(char chainPrefix,
"--stp-hello-time");
INST_ITEM_RANGE(stpHdrFilter, dataFwdDelay, dataFwdDelayHi,
"--stp-forward-delay");
- break;
+ break;
case VIR_NWFILTER_RULE_PROTOCOL_ARP:
case VIR_NWFILTER_RULE_PROTOCOL_RARP:
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -A %s",
- chain);
-
- if (ebtablesHandleEthHdr(&buf,
+ if (ebtablesHandleEthHdr(fw, fwrule,
vars,
&rule->p.arpHdrFilter.ethHdr,
reverse) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf, " -p 0x%x",
- (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP)
- ? l3_protocols[L3_PROTO_ARP_IDX].attr
- : l3_protocols[L3_PROTO_RARP_IDX].attr);
+ virFirewallRuleAddArg(fw, fwrule, "-p");
+ virFirewallRuleAddArgFormat(fw, fwrule, "0x%x",
+ (rule->prtclType ==
VIR_NWFILTER_RULE_PROTOCOL_ARP)
+ ? l3_protocols[L3_PROTO_ARP_IDX].attr
+ : l3_protocols[L3_PROTO_RARP_IDX].attr);
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) {
- if (printDataType(vars,
- number, sizeof(number),
- &rule->p.arpHdrFilter.dataHWType) < 0)
- goto err_exit;
- virBufferAsprintf(&buf,
- " --arp-htype %s %s",
- ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataHWType),
- number);
+ if (printDataType(vars,
+ number, sizeof(number),
+ &rule->p.arpHdrFilter.dataHWType) < 0)
+ goto cleanup;
+ virFirewallRuleAddArg(fw, fwrule, "--arp-htype");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataHWType))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataOpcode)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.arpHdrFilter.dataOpcode) < 0)
- goto err_exit;
- virBufferAsprintf(&buf,
- " --arp-opcode %s %s",
- ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataOpcode),
- number);
+ goto cleanup;
+ virFirewallRuleAddArg(fw, fwrule, "--arp-opcode");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataOpcode))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataProtocolType)) {
if (printDataTypeAsHex(vars,
number, sizeof(number),
&rule->p.arpHdrFilter.dataProtocolType) <
0)
- goto err_exit;
- virBufferAsprintf(&buf,
- " --arp-ptype %s %s",
-
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataProtocolType),
- number);
+ goto cleanup;
+ virFirewallRuleAddArg(fw, fwrule, "--arp-ptype");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataProtocolType))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) {
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0)
- goto err_exit;
+ goto cleanup;
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPMask)) {
if (printDataType(vars,
ipmask, sizeof(ipmask),
&rule->p.arpHdrFilter.dataARPSrcIPMask) < 0)
- goto err_exit;
+ goto cleanup;
hasMask = true;
}
- virBufferAsprintf(&buf,
- " %s %s %s/%s",
- reverse ? "--arp-ip-dst" : "--arp-ip-src",
-
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr),
- ipaddr,
- hasMask ? ipmask : "32");
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--arp-ip-dst" :
"--arp-ip-src");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, hasMask ? ipmask :
"32");
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&rule->p.arpHdrFilter.dataARPDstIPAddr) < 0)
- goto err_exit;
+ goto cleanup;
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)) {
if (printDataType(vars,
ipmask, sizeof(ipmask),
&rule->p.arpHdrFilter.dataARPDstIPMask) < 0)
- goto err_exit;
+ goto cleanup;
hasMask = true;
}
- virBufferAsprintf(&buf,
- " %s %s %s/%s",
- reverse ? "--arp-ip-src" : "--arp-ip-dst",
-
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr),
- ipaddr,
- hasMask ? ipmask : "32");
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--arp-ip-src" :
"--arp-ip-dst");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, hasMask ? ipmask :
"32");
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
if (printDataType(vars,
macaddr, sizeof(macaddr),
&rule->p.arpHdrFilter.dataARPSrcMACAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--arp-mac-dst" :
"--arp-mac-src",
-
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcMACAddr),
- macaddr);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--arp-mac-dst" :
"--arp-mac-src");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcMACAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, macaddr);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstMACAddr)) {
if (printDataType(vars,
macaddr, sizeof(macaddr),
&rule->p.arpHdrFilter.dataARPDstMACAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--arp-mac-src" :
"--arp-mac-dst",
-
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAddr),
- macaddr);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--arp-mac-src" :
"--arp-mac-dst");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, macaddr);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) &&
rule->p.arpHdrFilter.dataGratuitousARP.u.boolean) {
- virBufferAsprintf(&buf,
- " %s --arp-gratuitous",
-
ENTRY_GET_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousARP));
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousARP))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, "--arp-gratuitous");
}
- break;
+ break;
case VIR_NWFILTER_RULE_PROTOCOL_IP:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -A %s",
- chain);
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
- if (ebtablesHandleEthHdr(&buf,
+ if (ebtablesHandleEthHdr(fw, fwrule,
vars,
&rule->p.ipHdrFilter.ethHdr,
reverse) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAddLit(&buf,
- " -p ipv4");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-p", "ipv4", NULL);
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) {
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--ip-destination" :
"--ip-source",
-
ENTRY_GET_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr),
- ipaddr);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--ip-destination" :
"--ip-source");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)) {
if (printDataType(vars,
number, sizeof(number),
- &rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)
- < 0)
- goto err_exit;
- virBufferAsprintf(&buf,
- "/%s",
- number);
+ &rule->p.ipHdrFilter.ipHdr.dataSrcIPMask) <
0)
+ goto cleanup;
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, ipaddr);
}
}
@@ -2442,23 +2154,22 @@ ebtablesCreateRuleInstance(char chainPrefix,
if (printDataType(vars,
ipaddr, sizeof(ipaddr),
&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--ip-source" :
"--ip-destination",
-
ENTRY_GET_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr),
- ipaddr);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--ip-source" :
"--ip-destination");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPMask)) {
if (printDataType(vars,
number, sizeof(number),
- &rule->p.ipHdrFilter.ipHdr.dataDstIPMask)
- < 0)
- goto err_exit;
- virBufferAsprintf(&buf,
- "/%s",
- number);
+ &rule->p.ipHdrFilter.ipHdr.dataDstIPMask) <
0)
+ goto cleanup;
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, ipaddr);
}
}
@@ -2466,65 +2177,59 @@ ebtablesCreateRuleInstance(char chainPrefix,
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipHdrFilter.ipHdr.dataProtocolID) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " --ip-protocol %s %s",
- ENTRY_GET_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataProtocolID),
- number);
+ virFirewallRuleAddArg(fw, fwrule, "--ip-protocol");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataProtocolID))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortStart)) {
-
if (printDataType(vars,
number, sizeof(number),
- &rule->p.ipHdrFilter.portData.dataSrcPortStart)
- < 0)
- goto err_exit;
+ &rule->p.ipHdrFilter.portData.dataSrcPortStart) <
0)
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--ip-destination-port" :
"--ip-source-port",
-
ENTRY_GET_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataSrcPortStart),
- number);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--ip-destination-port" :
"--ip-source-port");
+ if
(ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataSrcPortStart))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortEnd)) {
if (printDataType(vars,
- number, sizeof(number),
- &rule->p.ipHdrFilter.portData.dataSrcPortEnd)
- < 0)
- goto err_exit;
+ numberalt, sizeof(numberalt),
+ &rule->p.ipHdrFilter.portData.dataSrcPortEnd)
< 0)
+ goto cleanup;
- virBufferAsprintf(&buf,
- ":%s",
- number);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, number);
}
}
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataDstPortStart)) {
-
if (printDataType(vars,
number, sizeof(number),
- &rule->p.ipHdrFilter.portData.dataDstPortStart)
- < 0)
- goto err_exit;
+ &rule->p.ipHdrFilter.portData.dataDstPortStart) <
0)
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--ip-source-port" :
"--ip-destination-port",
-
ENTRY_GET_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataDstPortStart),
- number);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--ip-source-port" :
"--ip-destination-port");
+ if
(ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataDstPortStart))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataDstPortEnd)) {
if (printDataType(vars,
- number, sizeof(number),
- &rule->p.ipHdrFilter.portData.dataDstPortEnd)
- < 0)
- goto err_exit;
-
- virBufferAsprintf(&buf,
- ":%s",
- number);
+ numberalt, sizeof(numberalt),
+ &rule->p.ipHdrFilter.portData.dataDstPortEnd)
< 0)
+ goto cleanup;
+
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, number);
}
}
@@ -2532,50 +2237,48 @@ ebtablesCreateRuleInstance(char chainPrefix,
if (printDataTypeAsHex(vars,
number, sizeof(number),
&rule->p.ipHdrFilter.ipHdr.dataDSCP) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " --ip-tos %s %s",
- ENTRY_GET_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDSCP),
- number);
+ virFirewallRuleAddArg(fw, fwrule, "--ip-tos");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDSCP))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, number);
}
- break;
+ break;
case VIR_NWFILTER_RULE_PROTOCOL_IPV6:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -A %s",
- chain);
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
- if (ebtablesHandleEthHdr(&buf,
+ if (ebtablesHandleEthHdr(fw, fwrule,
vars,
&rule->p.ipv6HdrFilter.ethHdr,
reverse) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAddLit(&buf,
- " -p ipv6");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-p", "ipv6", NULL);
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) {
if (printDataType(vars,
ipv6addr, sizeof(ipv6addr),
&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--ip6-destination" :
"--ip6-source",
-
ENTRY_GET_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr),
- ipv6addr);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--ip6-destination" :
"--ip6-source");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)) {
if (printDataType(vars,
number, sizeof(number),
- &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)
- < 0)
- goto err_exit;
- virBufferAsprintf(&buf,
- "/%s",
- number);
+ &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask) <
0)
+ goto cleanup;
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", ipv6addr, number);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, ipv6addr);
}
}
@@ -2584,23 +2287,22 @@ ebtablesCreateRuleInstance(char chainPrefix,
if (printDataType(vars,
ipv6addr, sizeof(ipv6addr),
&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr) < 0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--ip6-source" :
"--ip6-destination",
-
ENTRY_GET_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr),
- ipv6addr);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--ip6-source" :
"--ip6-destination");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)) {
if (printDataType(vars,
number, sizeof(number),
- &rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)
- < 0)
- goto err_exit;
- virBufferAsprintf(&buf,
- "/%s",
- number);
+ &rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask) <
0)
+ goto cleanup;
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s/%s", ipv6addr, number);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, ipv6addr);
}
}
@@ -2608,38 +2310,36 @@ ebtablesCreateRuleInstance(char chainPrefix,
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID) <
0)
- goto err_exit;
+ goto cleanup;
- virBufferAsprintf(&buf,
- " --ip6-protocol %s %s",
- ENTRY_GET_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID),
- number);
+ virFirewallRuleAddArg(fw, fwrule, "--ip6-protocol");
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallRuleAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart)) {
if (printDataType(vars,
number, sizeof(number),
- &rule->p.ipv6HdrFilter.portData.dataSrcPortStart)
- < 0)
- goto err_exit;
+ &rule->p.ipv6HdrFilter.portData.dataSrcPortStart)
< 0)
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--ip6-destination-port" :
"--ip6-source-port",
-
ENTRY_GET_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart),
- number);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--ip6-destination-port" :
"--ip6-source-port");
+ if
(ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)) {
if (printDataType(vars,
- number, sizeof(number),
- &rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)
- < 0)
- goto err_exit;
+ numberalt, sizeof(numberalt),
+ &rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)
< 0)
+ goto cleanup;
- virBufferAsprintf(&buf,
- ":%s",
- number);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, number);
}
}
@@ -2647,37 +2347,37 @@ ebtablesCreateRuleInstance(char chainPrefix,
if (printDataType(vars,
number, sizeof(number),
- &rule->p.ipv6HdrFilter.portData.dataDstPortStart)
- < 0)
- goto err_exit;
+ &rule->p.ipv6HdrFilter.portData.dataDstPortStart)
< 0)
+ goto cleanup;
- virBufferAsprintf(&buf,
- " %s %s %s",
- reverse ? "--ip6-source-port" :
"--ip6-destination-port",
-
ENTRY_GET_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataDstPortStart),
- number);
+ virFirewallRuleAddArg(fw, fwrule,
+ reverse ? "--ip6-source-port" :
"--ip6-destination-port");
+ if
(ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataDstPortStart))
+ virFirewallRuleAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataDstPortEnd)) {
if (printDataType(vars,
- number, sizeof(number),
- &rule->p.ipv6HdrFilter.portData.dataDstPortEnd)
- < 0)
- goto err_exit;
+ numberalt, sizeof(numberalt),
+ &rule->p.ipv6HdrFilter.portData.dataDstPortEnd)
< 0)
+ goto cleanup;
- virBufferAsprintf(&buf,
- ":%s",
- number);
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
+ } else {
+ virFirewallRuleAddArg(fw, fwrule, number);
}
}
- break;
+ break;
case VIR_NWFILTER_RULE_PROTOCOL_NONE:
- virBufferAsprintf(&buf,
- CMD_DEF_PRE "$EBT -t nat -A %s",
- chain);
- break;
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
chain, NULL);
+ break;
default:
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unexpected rule protocol %d"),
+ rule->prtclType);
return -1;
}
@@ -2686,29 +2386,22 @@ ebtablesCreateRuleInstance(char chainPrefix,
/* REJECT not supported */
target = virNWFilterJumpTargetTypeToString(
VIR_NWFILTER_RULE_ACTION_DROP);
- break;
+ break;
default:
target = virNWFilterJumpTargetTypeToString(rule->action);
}
- virBufferAsprintf(&buf,
- " -j %s" CMD_DEF_POST CMD_SEPARATOR
- CMD_EXEC,
- target);
-
- if (virBufferError(&buf)) {
- virBufferFreeAndReset(&buf);
- virReportOOMError();
- return -1;
- }
-
- *template = virBufferContentAndReset(&buf);
- return 0;
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-j", target, NULL);
- err_exit:
- virBufferFreeAndReset(&buf);
+#undef INST_ITEM_RANGE
+#undef INST_ITEM_MASK
+#undef INST_ITEM_2PARMS
+#undef INST_ITEM
- return -1;
+ ret = 0;
+ cleanup:
+ return ret;
}
@@ -2727,84 +2420,61 @@ ebtablesCreateRuleInstance(char chainPrefix,
* pointed to by res, -1 otherwise
*/
static int
-ebiptablesCreateRuleInstance(const char *chainSuffix,
+ebiptablesCreateRuleInstance(virFirewallPtr fw,
+ const char *chainSuffix,
virNWFilterRuleDefPtr rule,
const char *ifname,
- virNWFilterVarCombIterPtr vars,
- char ***templates,
- size_t *ntemplates)
+ virNWFilterVarCombIterPtr vars)
{
- size_t i;
-
- *templates = NULL;
- *ntemplates = 0;
+ int ret = -1;
if (virNWFilterRuleIsProtocolEthernet(rule)) {
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
- char *template;
- if (ebtablesCreateRuleInstance(CHAINPREFIX_HOST_IN_TEMP,
+ if (ebtablesCreateRuleInstance(fw,
+ CHAINPREFIX_HOST_IN_TEMP,
chainSuffix,
rule,
ifname,
vars,
- rule->tt ==
VIR_NWFILTER_RULE_DIRECTION_INOUT,
- &template) < 0)
- goto error;
-
- if (VIR_APPEND_ELEMENT(*templates, *ntemplates, template) < 0) {
- VIR_FREE(template);
- goto error;
- }
+ rule->tt ==
VIR_NWFILTER_RULE_DIRECTION_INOUT) < 0)
+ goto cleanup;
}
if (rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN ||
rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
- char *template;
- if (ebtablesCreateRuleInstance(CHAINPREFIX_HOST_OUT_TEMP,
+ if (ebtablesCreateRuleInstance(fw,
+ CHAINPREFIX_HOST_OUT_TEMP,
chainSuffix,
rule,
ifname,
vars,
- false,
- &template) < 0)
- goto error;
-
- if (VIR_APPEND_ELEMENT(*templates, *ntemplates, template) < 0) {
- VIR_FREE(template);
- goto error;
- }
+ false) < 0)
+ goto cleanup;
}
} else {
- bool isIPv6;
+ virFirewallLayer layer;
if (virNWFilterRuleIsProtocolIPv6(rule)) {
- isIPv6 = true;
+ layer = VIR_FIREWALL_LAYER_IPV6;
} else if (virNWFilterRuleIsProtocolIPv4(rule)) {
- isIPv6 = false;
+ layer = VIR_FIREWALL_LAYER_IPV4;
} else {
virReportError(VIR_ERR_OPERATION_FAILED,
"%s", _("unexpected protocol type"));
- goto error;
+ goto cleanup;
}
- if (iptablesCreateRuleInstance(rule,
+ if (iptablesCreateRuleInstance(fw,
+ layer,
+ rule,
ifname,
- vars,
- isIPv6,
- templates,
- ntemplates) < 0)
- goto error;
+ vars) < 0)
+ goto cleanup;
}
- return 0;
-
- error:
- for (i = 0; i < *ntemplates; i++)
- VIR_FREE((*templates)[i]);
- VIR_FREE(*templates);
- *templates = NULL;
- *ntemplates = 0;
- return -1;
+ ret = 0;
+ cleanup:
+ return ret;
}
@@ -2839,6 +2509,7 @@ ebiptablesExecCLI(virBufferPtr buf, bool ignoreNonzero, char
**outbuf)
if (outbuf)
VIR_FREE(*outbuf);
+ VIR_INFO("Run [%s]", virBufferCurrentContent(buf));
cmd = virCommandNewArgList("/bin/sh", "-c", NULL);
virCommandAddArgBuffer(cmd, buf);
if (outbuf)
@@ -2857,26 +2528,6 @@ ebiptablesExecCLI(virBufferPtr buf, bool ignoreNonzero, char
**outbuf)
static void
-ebtablesCreateTmpRootChain(virBufferPtr buf,
- bool incoming, const char *ifname)
-{
- char chain[MAX_CHAINNAME_LENGTH];
- char chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
- : CHAINPREFIX_HOST_OUT_TEMP;
-
- PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
-
- virBufferAsprintf(buf,
- CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR
- CMD_EXEC
- "%s",
- chain,
- CMD_STOPONERR(true));
-
-}
-
-
-static void
ebtablesCreateTmpRootChainFW(virFirewallPtr fw,
int incoming, const char *ifname)
{
@@ -2892,29 +2543,6 @@ ebtablesCreateTmpRootChainFW(virFirewallPtr fw,
static void
-ebtablesLinkTmpRootChain(virBufferPtr buf,
- bool incoming, const char *ifname)
-{
- char chain[MAX_CHAINNAME_LENGTH];
- char chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
- : CHAINPREFIX_HOST_OUT_TEMP;
- char iodev = incoming ? 'i' : 'o';
-
- PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
-
- virBufferAsprintf(buf,
- CMD_DEF("$EBT -t nat -A %s -%c %s -j %s") CMD_SEPARATOR
- CMD_EXEC
- "%s",
- incoming ? EBTABLES_CHAIN_INCOMING
- : EBTABLES_CHAIN_OUTGOING,
- iodev, ifname, chain,
-
- CMD_STOPONERR(true));
-}
-
-
-static void
ebtablesLinkTmpRootChainFW(virFirewallPtr fw,
int incoming, const char *ifname)
{
@@ -2933,30 +2561,6 @@ ebtablesLinkTmpRootChainFW(virFirewallPtr fw,
static void
-_ebtablesRemoveRootChain(virBufferPtr buf,
- bool incoming, const char *ifname,
- bool isTempChain)
-{
- char chain[MAX_CHAINNAME_LENGTH];
- char chainPrefix;
- if (isTempChain)
- chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
- : CHAINPREFIX_HOST_OUT_TEMP;
- else
- chainPrefix = incoming ? CHAINPREFIX_HOST_IN
- : CHAINPREFIX_HOST_OUT;
-
- PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
-
- virBufferAsprintf(buf,
- "$EBT -t nat -F %s" CMD_SEPARATOR
- "$EBT -t nat -X %s" CMD_SEPARATOR,
- chain,
- chain);
-}
-
-
-static void
_ebtablesRemoveRootChainFW(virFirewallPtr fw,
bool incoming, const char *ifname,
int isTempChain)
@@ -2988,14 +2592,6 @@ ebtablesRemoveRootChainFW(virFirewallPtr fw,
static void
-ebtablesRemoveTmpRootChain(virBufferPtr buf,
- bool incoming, const char *ifname)
-{
- _ebtablesRemoveRootChain(buf, incoming, ifname, true);
-}
-
-
-static void
ebtablesRemoveTmpRootChainFW(virFirewallPtr fw,
bool incoming, const char *ifname)
{
@@ -3004,33 +2600,6 @@ ebtablesRemoveTmpRootChainFW(virFirewallPtr fw,
static void
-_ebtablesUnlinkRootChain(virBufferPtr buf,
- bool incoming, const char *ifname,
- bool isTempChain)
-{
- char chain[MAX_CHAINNAME_LENGTH];
- char iodev = incoming ? 'i' : 'o';
- char chainPrefix;
-
- if (isTempChain) {
- chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
- : CHAINPREFIX_HOST_OUT_TEMP;
- } else {
- chainPrefix = incoming ? CHAINPREFIX_HOST_IN
- : CHAINPREFIX_HOST_OUT;
- }
-
- PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
-
- virBufferAsprintf(buf,
- "$EBT -t nat -D %s -%c %s -j %s" CMD_SEPARATOR,
- incoming ? EBTABLES_CHAIN_INCOMING
- : EBTABLES_CHAIN_OUTGOING,
- iodev, ifname, chain);
-}
-
-
-static void
_ebtablesUnlinkRootChainFW(virFirewallPtr fw,
bool incoming, const char *ifname,
int isTempChain)
@@ -3064,132 +2633,58 @@ ebtablesUnlinkRootChainFW(virFirewallPtr fw,
}
-static void
-ebtablesUnlinkTmpRootChain(virBufferPtr buf,
- bool incoming, const char *ifname)
-{
- _ebtablesUnlinkRootChain(buf, incoming, ifname, true);
-}
-
-
-static void
-ebtablesUnlinkTmpRootChainFW(virFirewallPtr fw,
- int incoming, const char *ifname)
-{
- _ebtablesUnlinkRootChainFW(fw, incoming, ifname, 1);
-}
-
-
-static int
-ebtablesCreateTmpSubChain(ebiptablesRuleInstPtr *inst,
- int *nRuleInstances,
- bool incoming,
- const char *ifname,
- enum l3_proto_idx protoidx,
- const char *filtername,
- virNWFilterChainPriority priority)
-{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
- ebiptablesRuleInstPtr tmp = *inst;
- size_t count = *nRuleInstances;
- char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
- char chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
- : CHAINPREFIX_HOST_OUT_TEMP;
- char *protostr = NULL;
-
- PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
- PRINT_CHAIN(chain, chainPrefix, ifname,
- (filtername) ? filtername : l3_protocols[protoidx].val);
-
- switch (protoidx) {
- case L2_PROTO_MAC_IDX:
- ignore_value(VIR_STRDUP(protostr, ""));
- break;
- case L2_PROTO_STP_IDX:
- ignore_value(VIR_STRDUP(protostr, "-d " NWFILTER_MAC_BGA "
"));
- break;
- default:
- ignore_value(virAsprintf(&protostr, "-p 0x%04x ",
- l3_protocols[protoidx].attr));
- break;
- }
-
- if (!protostr)
- return -1;
-
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -F %s") CMD_SEPARATOR
- CMD_EXEC
- CMD_DEF("$EBT -t nat -X %s") CMD_SEPARATOR
- CMD_EXEC
- CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR
- CMD_EXEC
- "%s"
- CMD_DEF("$EBT -t nat -A %s %s-j %s")
- CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- chain,
- chain,
- chain,
-
- CMD_STOPONERR(true),
-
- rootchain, protostr, chain,
-
- CMD_STOPONERR(true));
-
- VIR_FREE(protostr);
-
- if (virBufferError(&buf) ||
- VIR_EXPAND_N(tmp, count, 1) < 0) {
- virReportOOMError();
- virBufferFreeAndReset(&buf);
- return -1;
- }
-
- *nRuleInstances = count;
- *inst = tmp;
-
- tmp[*nRuleInstances - 1].priority = priority;
- tmp[*nRuleInstances - 1].commandTemplate =
- virBufferContentAndReset(&buf);
- tmp[*nRuleInstances - 1].neededProtocolChain =
- virNWFilterChainSuffixTypeToString(VIR_NWFILTER_CHAINSUFFIX_ROOT);
-
- return 0;
+static void
+ebtablesUnlinkTmpRootChainFW(virFirewallPtr fw,
+ int incoming, const char *ifname)
+{
+ _ebtablesUnlinkRootChainFW(fw, incoming, ifname, 1);
}
static void
-_ebtablesRemoveSubChains(virBufferPtr buf,
- const char *ifname,
- const char *chains)
+ebtablesCreateTmpSubChainFW(virFirewallPtr fw,
+ bool incoming,
+ const char *ifname,
+ enum l3_proto_idx protoidx,
+ const char *filtername)
{
- char rootchain[MAX_CHAINNAME_LENGTH];
- size_t i;
+ char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
+ : CHAINPREFIX_HOST_OUT_TEMP;
+ virFirewallRulePtr fwrule;
+
+ PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
+ PRINT_CHAIN(chain, chainPrefix, ifname,
+ (filtername) ? filtername : l3_protocols[protoidx].val);
- NWFILTER_SET_EBTABLES_SHELLVAR(buf);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-F", chain,
NULL);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-X", chain,
NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-N", chain, NULL);
- virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS,
- chains);
- virBufferAdd(buf, NWFILTER_FUNC_RM_CHAINS, -1);
+ fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
rootchain, NULL);
- virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS);
- virBufferAddLit(buf, "chains=\"$(collect_chains");
- for (i = 0; chains[i] != 0; i++) {
- PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
- virBufferAsprintf(buf, " %s", rootchain);
+ switch (protoidx) {
+ case L2_PROTO_MAC_IDX:
+ break;
+ case L2_PROTO_STP_IDX:
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-d", NWFILTER_MAC_BGA, NULL);
+ break;
+ default:
+ virFirewallRuleAddArg(fw, fwrule, "-p");
+ virFirewallRuleAddArgFormat(fw, fwrule,
+ "0x%04x",
+ l3_protocols[protoidx].attr);
+ break;
}
- virBufferAddLit(buf, ")\"\n");
- for (i = 0; chains[i] != 0; i++) {
- PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
- virBufferAsprintf(buf,
- "$EBT -t nat -F %s\n",
- rootchain);
- }
- virBufferAddLit(buf, "rm_chains $chains\n");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-j", chain, NULL);
}
@@ -3257,18 +2752,6 @@ ebtablesRemoveSubChainsFW(virFirewallPtr fw,
_ebtablesRemoveSubChainsFW(fw, ifname, chains);
}
-static void
-ebtablesRemoveTmpSubChains(virBufferPtr buf,
- const char *ifname)
-{
- char chains[3] = {
- CHAINPREFIX_HOST_IN_TEMP,
- CHAINPREFIX_HOST_OUT_TEMP,
- 0
- };
-
- _ebtablesRemoveSubChains(buf, ifname, chains);
-}
static void
ebtablesRemoveTmpSubChainsFW(virFirewallPtr fw,
@@ -3381,15 +2864,6 @@ ebtablesRenameTmpSubAndRootChainsFW(virFirewallPtr fw,
ebtablesRenameTmpRootChainFW(fw, false, ifname);
}
-static void
-ebiptablesInstCommand(virBufferPtr buf,
- const char *cmdstr)
-{
- virBufferAdd(buf, cmdstr, -1);
- virBufferAsprintf(buf, CMD_SEPARATOR "%s",
- CMD_STOPONERR(true));
-}
-
/**
* ebiptablesCanApplyBasicRules
@@ -3691,33 +3165,6 @@ ebtablesCleanAll(const char *ifname)
static int
-ebiptablesRuleOrderSort(const void *a, const void *b)
-{
- const ebiptablesRuleInst *insta = a;
- const ebiptablesRuleInst *instb = b;
- const char *root = virNWFilterChainSuffixTypeToString(
- VIR_NWFILTER_CHAINSUFFIX_ROOT);
- bool root_a = STREQ(insta->neededProtocolChain, root);
- bool root_b = STREQ(instb->neededProtocolChain, root);
-
- /* ensure root chain commands appear before all others since
- we will need them to create the child chains */
- if (root_a) {
- if (root_b) {
- goto normal;
- }
- return -1; /* a before b */
- }
- if (root_b) {
- return 1; /* b before a */
- }
- normal:
- /* priorities are limited to range [-1000, 1000] */
- return insta->priority - instb->priority;
-}
-
-
-static int
virNWFilterRuleInstSort(const void *a, const void *b)
{
const virNWFilterRuleInst *insta = a;
@@ -3752,6 +3199,7 @@ virNWFilterRuleInstSortPtr(const void *a, const void *b)
return virNWFilterRuleInstSort(*insta, *instb);
}
+
static int
ebiptablesFilterOrderSort(const virHashKeyValuePair *a,
const virHashKeyValuePair *b)
@@ -3761,6 +3209,7 @@ ebiptablesFilterOrderSort(const virHashKeyValuePair *a,
*(virNWFilterChainPriority *)b->value;
}
+
static void
iptablesCheckBridgeNFCallEnabled(bool isIPv6)
{
@@ -3817,54 +3266,13 @@ ebtablesGetProtoIdxByFiltername(const char *filtername)
return -1;
}
-static int
-ebtablesCreateTmpRootAndSubChains(virBufferPtr buf,
- const char *ifname,
- virHashTablePtr chains,
- bool incoming,
- ebiptablesRuleInstPtr *inst,
- int *nRuleInstances)
-{
- int rc = 0;
- size_t i;
- virHashKeyValuePairPtr filter_names;
- const virNWFilterChainPriority *priority;
-
- ebtablesCreateTmpRootChain(buf, incoming, ifname);
-
- filter_names = virHashGetItems(chains,
- ebiptablesFilterOrderSort);
- if (filter_names == NULL)
- return -1;
-
- for (i = 0; filter_names[i].key; i++) {
- enum l3_proto_idx idx = ebtablesGetProtoIdxByFiltername(
- filter_names[i].key);
- if ((int)idx < 0)
- continue;
- priority = (const virNWFilterChainPriority *)filter_names[i].value;
- rc = ebtablesCreateTmpSubChain(inst, nRuleInstances,
- incoming, ifname, idx,
- filter_names[i].key,
- *priority);
- if (rc < 0)
- break;
- }
-
- VIR_FREE(filter_names);
- return rc;
-}
-
static int
-iptablesRuleInstCommand(virBufferPtr buf,
+iptablesRuleInstCommand(virFirewallPtr fw,
const char *ifname,
virNWFilterRuleInstPtr rule)
{
virNWFilterVarCombIterPtr vciter, tmp;
- char **cmds = NULL;
- size_t ncmds = 0;
- size_t i;
int ret = -1;
/* rule->vars holds all the variables names that this rule will access.
@@ -3878,38 +3286,28 @@ iptablesRuleInstCommand(virBufferPtr buf,
return -1;
do {
- if (ebiptablesCreateRuleInstance(rule->chainSuffix,
+ if (ebiptablesCreateRuleInstance(fw,
+ rule->chainSuffix,
rule->def,
ifname,
- tmp,
- &cmds,
- &ncmds) < 0)
+ tmp) < 0)
goto cleanup;
tmp = virNWFilterVarCombIterNext(tmp);
} while (tmp != NULL);
- for (i = 0; i < ncmds; i++)
- iptablesInstCommand(buf, cmds[i]);
-
ret = 0;
cleanup:
- for (i = 0; i < ncmds; i++)
- VIR_FREE(cmds[i]);
- VIR_FREE(cmds);
virNWFilterVarCombIterFree(vciter);
return ret;
}
static int
-ebtablesRuleInstCommand(virBufferPtr buf,
+ebtablesRuleInstCommand(virFirewallPtr fw,
const char *ifname,
virNWFilterRuleInstPtr rule)
{
virNWFilterVarCombIterPtr vciter, tmp;
- char **cmds = NULL;
- size_t ncmds = 0;
- size_t i;
int ret = -1;
/* rule->vars holds all the variables names that this rule will access.
@@ -3923,28 +3321,90 @@ ebtablesRuleInstCommand(virBufferPtr buf,
return -1;
do {
- if (ebiptablesCreateRuleInstance(rule->chainSuffix,
+ if (ebiptablesCreateRuleInstance(fw,
+ rule->chainSuffix,
rule->def,
ifname,
- tmp,
- &cmds,
- &ncmds) < 0)
+ tmp) < 0)
goto cleanup;
tmp = virNWFilterVarCombIterNext(tmp);
} while (tmp != NULL);
- for (i = 0; i < ncmds; i++)
- ebiptablesInstCommand(buf, cmds[i]);
-
ret = 0;
cleanup:
- for (i = 0; i < ncmds; i++)
- VIR_FREE(cmds[i]);
- VIR_FREE(cmds);
virNWFilterVarCombIterFree(vciter);
return ret;
}
+struct ebtablesSubChainInst {
+ virNWFilterChainPriority priority;
+ bool incoming;
+ enum l3_proto_idx protoidx;
+ const char *filtername;
+};
+
+
+static int
+ebtablesSubChainInstSort(const void *a, const void *b)
+{
+ const struct ebtablesSubChainInst **insta = (const struct ebtablesSubChainInst **)a;
+ const struct ebtablesSubChainInst **instb = (const struct ebtablesSubChainInst **)b;
+
+ /* priorities are limited to range [-1000, 1000] */
+ return (*insta)->priority - (*instb)->priority;
+}
+
+
+static int
+ebtablesGetSubChainInsts(virHashTablePtr chains,
+ bool incoming,
+ struct ebtablesSubChainInst ***insts,
+ size_t *ninsts)
+{
+ virHashKeyValuePairPtr filter_names;
+ size_t i;
+ int ret = -1;
+
+ filter_names = virHashGetItems(chains,
+ ebiptablesFilterOrderSort);
+ if (filter_names == NULL)
+ return -1;
+
+ for (i = 0; filter_names[i].key; i++) {
+ struct ebtablesSubChainInst *inst;
+ enum l3_proto_idx idx = ebtablesGetProtoIdxByFiltername(
+ filter_names[i].key);
+
+ if ((int)idx < 0)
+ continue;
+
+ if (VIR_ALLOC(inst) < 0)
+ goto cleanup;
+ inst->priority = *(const virNWFilterChainPriority *)filter_names[i].value;
+ inst->incoming = incoming;
+ inst->protoidx = idx;
+ inst->filtername = filter_names[i].key;
+
+ if (VIR_APPEND_ELEMENT(*insts, *ninsts, inst) < 0) {
+ VIR_FREE(inst);
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+
+ cleanup:
+ VIR_FREE(filter_names);
+ if (ret < 0) {
+ for (i = 0; i < *ninsts; i++) {
+ VIR_FREE(*insts[i]);
+ }
+ VIR_FREE(*insts);
+ *ninsts = 0;
+ }
+ return ret;
+
+}
static int
ebiptablesApplyNewRules(const char *ifname,
@@ -3952,74 +3412,33 @@ ebiptablesApplyNewRules(const char *ifname,
size_t nrules)
{
size_t i, j;
- virBuffer buf = VIR_BUFFER_INITIALIZER;
+ virFirewallPtr fw = virFirewallNew();
virHashTablePtr chains_in_set = virHashCreate(10, NULL);
virHashTablePtr chains_out_set = virHashCreate(10, NULL);
+ bool haveEbtables = false;
bool haveIptables = false;
bool haveIp6tables = false;
- ebiptablesRuleInstPtr ebtChains = NULL;
- int nEbtChains = 0;
char *errmsg = NULL;
+ struct ebtablesSubChainInst **subchains = NULL;
+ size_t nsubchains = 0;
+ int ret = -1;
if (!chains_in_set || !chains_out_set)
- goto exit_free_sets;
+ goto cleanup;
if (nrules)
qsort(rules, nrules, sizeof(rules[0]),
virNWFilterRuleInstSortPtr);
- /* scan the rules to see which chains need to be created */
- for (i = 0; i < nrules; i++) {
- if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
- const char *name = rules[i]->chainSuffix;
- if (rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
- rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
- if (virHashUpdateEntry(chains_in_set, name,
- &rules[i]->chainPriority) < 0)
- goto exit_free_sets;
- }
- if (rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_IN ||
- rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
- if (virHashUpdateEntry(chains_out_set, name,
- &rules[i]->chainPriority) < 0)
- goto exit_free_sets;
- }
- }
- }
-
-
/* cleanup whatever may exist */
- if (ebtables_cmd_path) {
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
-
- ebtablesUnlinkTmpRootChain(&buf, true, ifname);
- ebtablesUnlinkTmpRootChain(&buf, false, ifname);
- ebtablesRemoveTmpSubChains(&buf, ifname);
- ebtablesRemoveTmpRootChain(&buf, true, ifname);
- ebtablesRemoveTmpRootChain(&buf, false, ifname);
- ebiptablesExecCLI(&buf, true, NULL);
- }
-
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
-
- /* create needed chains */
- if ((virHashSize(chains_in_set) > 0 &&
- ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set, true,
- &ebtChains, &nEbtChains) < 0) ||
- (virHashSize(chains_out_set) > 0 &&
- ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_out_set, false,
- &ebtChains, &nEbtChains) < 0)) {
- goto tear_down_tmpebchains;
- }
-
- if (nEbtChains > 0)
- qsort(&ebtChains[0], nEbtChains, sizeof(ebtChains[0]),
- ebiptablesRuleOrderSort);
-
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpebchains;
+ virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+ ebtablesUnlinkTmpRootChainFW(fw, true, ifname);
+ ebtablesUnlinkTmpRootChainFW(fw, false, ifname);
+ ebtablesRemoveTmpSubChainsFW(fw, ifname);
+ ebtablesRemoveTmpRootChainFW(fw, true, ifname);
+ ebtablesRemoveTmpRootChainFW(fw, false, ifname);
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ virFirewallStartTransaction(fw, 0);
/* walk the list of rules and increase the priority
* of rules in case the chain priority is of higher value;
@@ -4038,188 +3457,173 @@ ebiptablesApplyNewRules(const char *ifname,
}
}
- /* process ebtables commands; interleave commands from filters with
- commands for creating and connecting ebtables chains */
- j = 0;
for (i = 0; i < nrules; i++) {
if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
- while (j < nEbtChains &&
- ebtChains[j].priority <= rules[i]->priority) {
- ebiptablesInstCommand(&buf,
- ebtChains[j++].commandTemplate);
- }
- ebtablesRuleInstCommand(&buf,
- ifname,
- rules[i]);
+ haveEbtables = true;
} else {
if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
haveIptables = true;
- else if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ else if (virNWFilterRuleIsProtocolIPv6(rules[i]->def))
haveIp6tables = true;
}
}
+ /* process ebtables commands; interleave commands from filters with
+ commands for creating and connecting ebtables chains */
+ if (haveEbtables) {
- while (j < nEbtChains)
- ebiptablesInstCommand(&buf,
- ebtChains[j++].commandTemplate);
+ /* scan the rules to see which chains need to be created */
+ for (i = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
+ const char *name = rules[i]->chainSuffix;
+ if (rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
+ rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
+ if (virHashUpdateEntry(chains_in_set, name,
+ &rules[i]->chainPriority) < 0)
+ goto cleanup;
+ }
+ if (rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_IN ||
+ rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
+ if (virHashUpdateEntry(chains_out_set, name,
+ &rules[i]->chainPriority) < 0)
+ goto cleanup;
+ }
+ }
+ }
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpebchains;
+ /* create needed chains */
+ if (virHashSize(chains_in_set) > 0) {
+ ebtablesCreateTmpRootChainFW(fw, true, ifname);
+ if (ebtablesGetSubChainInsts(chains_in_set,
+ true,
+ &subchains,
+ &nsubchains) < 0)
+ goto cleanup;
+ }
+ if (virHashSize(chains_out_set) > 0) {
+ ebtablesCreateTmpRootChainFW(fw, false, ifname);
+ if (ebtablesGetSubChainInsts(chains_out_set,
+ false,
+ &subchains,
+ &nsubchains) < 0)
+ goto cleanup;
+ }
+
+ if (nsubchains > 0)
+ qsort(subchains, nsubchains, sizeof(subchains[0]),
+ ebtablesSubChainInstSort);
+
+ for (i = 0, j = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
+ while (j < nsubchains &&
+ subchains[j]->priority <= rules[i]->priority) {
+ ebtablesCreateTmpSubChainFW(fw,
+ subchains[j]->incoming,
+ ifname,
+ subchains[j]->protoidx,
+ subchains[j]->filtername);
+ j++;
+ }
+ if (ebtablesRuleInstCommand(fw,
+ ifname,
+ rules[i]) < 0)
+ goto cleanup;
+ }
+ }
+ while (j < nsubchains) {
+ ebtablesCreateTmpSubChainFW(fw,
+ subchains[j]->incoming,
+ ifname,
+ subchains[j]->protoidx,
+ subchains[j]->filtername);
+ j++;
+ }
+ }
if (haveIptables) {
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- iptablesUnlinkTmpRootChains(&buf, ifname);
- iptablesRemoveTmpRootChains(&buf, ifname);
-
- iptablesCreateBaseChains(&buf);
-
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpebchains;
-
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+ iptablesUnlinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRemoveTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
- iptablesCreateTmpRootChains(&buf, ifname);
+ iptablesCreateBaseChainsFW(fw, VIR_FIREWALL_LAYER_IPV4);
+ iptablesCreateTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpiptchains;
-
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- iptablesLinkTmpRootChains(&buf, ifname);
- iptablesSetupVirtInPost(&buf, ifname);
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpiptchains;
-
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+ iptablesLinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesSetupVirtInPostFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
for (i = 0; i < nrules; i++) {
- if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
- iptablesRuleInstCommand(&buf,
- ifname,
- rules[i]);
+ if (virNWFilterRuleIsProtocolIPv4(rules[i]->def)) {
+ if (iptablesRuleInstCommand(fw,
+ ifname,
+ rules[i]) < 0)
+ goto cleanup;
+ }
}
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpiptchains;
-
iptablesCheckBridgeNFCallEnabled(false);
}
if (haveIp6tables) {
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
-
- iptablesUnlinkTmpRootChains(&buf, ifname);
- iptablesRemoveTmpRootChains(&buf, ifname);
-
- iptablesCreateBaseChains(&buf);
-
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpiptchains;
-
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
-
- iptablesCreateTmpRootChains(&buf, ifname);
+ iptablesUnlinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesRemoveTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpip6tchains;
+ iptablesCreateBaseChainsFW(fw, VIR_FIREWALL_LAYER_IPV6);
+ iptablesCreateTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
-
- iptablesLinkTmpRootChains(&buf, ifname);
- iptablesSetupVirtInPost(&buf, ifname);
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpip6tchains;
-
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
+ iptablesLinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesSetupVirtInPostFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
for (i = 0; i < nrules; i++) {
- if (virNWFilterRuleIsProtocolIPv6(rules[i]->def))
- iptablesRuleInstCommand(&buf,
- ifname,
- rules[i]);
+ if (virNWFilterRuleIsProtocolIPv6(rules[i]->def)) {
+ if (iptablesRuleInstCommand(fw,
+ ifname,
+ rules[i]) < 0)
+ goto cleanup;
+ }
}
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpip6tchains;
-
iptablesCheckBridgeNFCallEnabled(true);
}
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
-
if (virHashSize(chains_in_set) != 0)
- ebtablesLinkTmpRootChain(&buf, true, ifname);
+ ebtablesLinkTmpRootChainFW(fw, true, ifname);
if (virHashSize(chains_out_set) != 0)
- ebtablesLinkTmpRootChain(&buf, false, ifname);
-
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_ebsubchains_and_unlink;
-
- virHashFree(chains_in_set);
- virHashFree(chains_out_set);
-
- for (i = 0; i < nEbtChains; i++)
- VIR_FREE(ebtChains[i].commandTemplate);
- VIR_FREE(ebtChains);
-
- VIR_FREE(errmsg);
-
- return 0;
-
- tear_down_ebsubchains_and_unlink:
- if (ebtables_cmd_path) {
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ ebtablesLinkTmpRootChainFW(fw, false, ifname);
- ebtablesUnlinkTmpRootChain(&buf, true, ifname);
- ebtablesUnlinkTmpRootChain(&buf, false, ifname);
- }
-
- tear_down_tmpip6tchains:
+ virFirewallStartRollback(fw, 0);
+ ebtablesUnlinkTmpRootChainFW(fw, true, ifname);
+ ebtablesUnlinkTmpRootChainFW(fw, false, ifname);
if (haveIp6tables) {
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
-
- iptablesUnlinkTmpRootChains(&buf, ifname);
- iptablesRemoveTmpRootChains(&buf, ifname);
+ iptablesUnlinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
+ iptablesRemoveTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV6, ifname);
}
- tear_down_tmpiptchains:
if (haveIptables) {
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- iptablesUnlinkTmpRootChains(&buf, ifname);
- iptablesRemoveTmpRootChains(&buf, ifname);
+ iptablesUnlinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRemoveTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
}
- tear_down_tmpebchains:
- if (ebtables_cmd_path) {
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
+ ebtablesRemoveTmpSubChainsFW(fw, ifname);
+ ebtablesRemoveTmpRootChainFW(fw, true, ifname);
+ ebtablesRemoveTmpRootChainFW(fw, false, ifname);
- ebtablesRemoveTmpSubChains(&buf, ifname);
- ebtablesRemoveTmpRootChain(&buf, true, ifname);
- ebtablesRemoveTmpRootChain(&buf, false, ifname);
+ virMutexLock(&execCLIMutex);
+ if (virFirewallApply(fw) < 0) {
+ virMutexUnlock(&execCLIMutex);
+ goto cleanup;
}
+ virMutexUnlock(&execCLIMutex);
- ebiptablesExecCLI(&buf, true, NULL);
-
- virReportError(VIR_ERR_BUILD_FIREWALL,
- _("Some rules could not be created for "
- "interface %s%s%s"),
- ifname,
- errmsg ? ": " : "",
- errmsg ? errmsg : "");
+ ret = 0;
- exit_free_sets:
+ cleanup:
+ for (i = 0; i < nsubchains; i++)
+ VIR_FREE(subchains[i]);
+ VIR_FREE(subchains);
+ virFirewallFree(fw);
virHashFree(chains_in_set);
virHashFree(chains_out_set);
- for (i = 0; i < nEbtChains; i++)
- VIR_FREE(ebtChains[i].commandTemplate);
- VIR_FREE(ebtChains);
-
VIR_FREE(errmsg);
-
- return -1;
+ return ret;
}
@@ -4544,10 +3948,8 @@ ebiptablesDriverProbeStateMatch(void)
* since version 1.4.16 '-m state --state ...' will be converted to
* '-m conntrack --ctstate ...'
*/
- if (thisversion >= 1 * 1000000 + 4 * 1000 + 16) {
- m_state_out_str = m_state_out_str_new;
- m_state_in_str = m_state_in_str_new;
- }
+ if (thisversion >= 1 * 1000000 + 4 * 1000 + 16)
+ newMatchState = true;
cleanup:
VIR_FREE(cmdout);
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.h
b/src/nwfilter/nwfilter_ebiptables_driver.h
index 8a17452..098d5dd 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.h
+++ b/src/nwfilter/nwfilter_ebiptables_driver.h
@@ -27,23 +27,6 @@
# define MAX_CHAINNAME_LENGTH 32 /* see linux/netfilter_bridge/ebtables.h */
-enum RuleType {
- RT_EBTABLES,
- RT_IPTABLES,
- RT_IP6TABLES,
-};
-
-typedef struct _ebiptablesRuleInst ebiptablesRuleInst;
-typedef ebiptablesRuleInst *ebiptablesRuleInstPtr;
-struct _ebiptablesRuleInst {
- char *commandTemplate;
- const char *neededProtocolChain;
- virNWFilterChainPriority chainPriority;
- char chainprefix; /* I for incoming, O for outgoing */
- virNWFilterRulePriority priority;
- enum RuleType ruleType;
-};
-
extern virNWFilterTechDriver ebiptables_driver;
# define EBIPTABLES_DRIVER_ID "ebiptables"
--
1.9.0
2:38 p.m.
New subject: [libvirt] [PATCH 23/26] Convert nwfilter ebiptablesApplyNewRules to virFirewall
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Convert the nwfilter ebtablesApplyNewRules method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
[...]
@@ -679,8 +540,12 @@ _iptablesRemoveRootChainFW(virFirewallPtr fw,
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, layer, "-F", chain, NULL);
- virFirewallAddRule(fw, layer, "-X", chain, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-F", chain, NULL);
+ virFirewallAddRuleFull(fw, layer,
+ true, NULL, NULL,
+ "-X", chain, NULL);
}
Looks like I didn't spot this in a previous patch. We have to ignore the
errors here... on -F, -X and -D probably everywhere.
@@ -1088,138 +866,116 @@ iptablesHandleIpHdr(virBufferPtr buf,
dstrange = "--src-range";
}
- if (HAS_ENTRY_ITEM(&ipHdr->dataIPSet) &&
- HAS_ENTRY_ITEM(&ipHdr->dataIPSetFlags)) {
-
- if (printDataType(vars,
- str, sizeof(str),
- &ipHdr->dataIPSet) < 0)
- goto err_exit;
-
- virBufferAsprintf(afterStateMatch,
- " -m set --match-set \"%s\" ",
- str);
-
- if (printDataTypeDirection(vars,
- str, sizeof(str),
- &ipHdr->dataIPSetFlags, directionIn) < 0)
- goto err_exit;
-
- virBufferAdd(afterStateMatch, str, -1);
- }
-
You are removing this entirely? ... ah I see it further below... Oh, I
see, you moved it because of the afterStateMatch buffer that this part
is using.
}
if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
- printCommentVar(prefix, ipHdr->dataComment.u.string);
-
/* keep comments behind everything else -- they are packet eval.
no-ops */
- virBufferAddLit(afterStateMatch,
- " -m comment --comment \"$" COMMENT_VARNAME
"\"");
+ virFirewallRuleAddArgList(fw, fwrule,
+ "-m", "comment",
+ "--comment",
ipHdr->dataComment.u.string,
+ NULL);
}
The interesting part about comments was before to ensure that $(foo)
never executes in a subshell. With TCK passing it seems this concern is
addressed.
@@ -4038,188 +3457,173 @@ ebiptablesApplyNewRules(const char
*ifname,
}
}
- /* process ebtables commands; interleave commands from filters with
- commands for creating and connecting ebtables chains */
- j = 0;
for (i = 0; i < nrules; i++) {
if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
- while (j < nEbtChains &&
- ebtChains[j].priority <= rules[i]->priority) {
- ebiptablesInstCommand(&buf,
- ebtChains[j++].commandTemplate);
- }
- ebtablesRuleInstCommand(&buf,
- ifname,
- rules[i]);
+ haveEbtables = true;
} else {
if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
haveIptables = true;
- else if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ else if (virNWFilterRuleIsProtocolIPv6(rules[i]->def))
haveIp6tables = true;
Ah, this is probably the reason why IPv6 rules didn't work in TCK and
23/26 now fixes it. That's probably a typo introduced in 8/26. If you
want to go back to 8/26 to fix this ... unless this has other negative
side effects during the surgery. Up to you.
}
}
+ /* process ebtables commands; interleave commands from filters with
+ commands for creating and connecting ebtables chains */
+ if (haveEbtables) {
- while (j < nEbtChains)
- ebiptablesInstCommand(&buf,
- ebtChains[j++].commandTemplate);
+ /* scan the rules to see which chains need to be created */
+ for (i = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
+ const char *name = rules[i]->chainSuffix;
+ if (rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_OUT ||
+ rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
+ if (virHashUpdateEntry(chains_in_set, name,
+ &rules[i]->chainPriority) < 0)
+ goto cleanup;
+ }
+ if (rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_IN ||
+ rules[i]->def->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT) {
+ if (virHashUpdateEntry(chains_out_set, name,
+ &rules[i]->chainPriority) < 0)
+ goto cleanup;
+ }
+ }
+ }
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpebchains;
+ /* create needed chains */
+ if (virHashSize(chains_in_set) > 0) {
+ ebtablesCreateTmpRootChainFW(fw, true, ifname);
+ if (ebtablesGetSubChainInsts(chains_in_set,
+ true,
+ &subchains,
+ &nsubchains) < 0)
+ goto cleanup;
+ }
+ if (virHashSize(chains_out_set) > 0) {
+ ebtablesCreateTmpRootChainFW(fw, false, ifname);
+ if (ebtablesGetSubChainInsts(chains_out_set,
+ false,
+ &subchains,
+ &nsubchains) < 0)
+ goto cleanup;
+ }
+
+ if (nsubchains > 0)
+ qsort(subchains, nsubchains, sizeof(subchains[0]),
+ ebtablesSubChainInstSort);
+
+ for (i = 0, j = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
+ while (j < nsubchains &&
+ subchains[j]->priority <= rules[i]->priority) {
+ ebtablesCreateTmpSubChainFW(fw,
+ subchains[j]->incoming,
+ ifname,
+ subchains[j]->protoidx,
+ subchains[j]->filtername);
+ j++;
+ }
+ if (ebtablesRuleInstCommand(fw,
+ ifname,
+ rules[i]) < 0)
+ goto cleanup;
+ }
+ }
+ while (j < nsubchains) {
+ ebtablesCreateTmpSubChainFW(fw,
+ subchains[j]->incoming,
+ ifname,
+ subchains[j]->protoidx,
+ subchains[j]->filtername);
+ j++;
+ }
+ }
if (haveIptables) {
Based on your comment in another patch, now I am surprised to still see
this check 'haveIptables' here. Wouldn't the rpm also solve this here as
well?
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- iptablesUnlinkTmpRootChains(&buf, ifname);
- iptablesRemoveTmpRootChains(&buf, ifname);
-
- iptablesCreateBaseChains(&buf);
-
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpebchains;
-
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+ iptablesUnlinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesRemoveTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
- iptablesCreateTmpRootChains(&buf, ifname);
+ iptablesCreateBaseChainsFW(fw, VIR_FIREWALL_LAYER_IPV4);
+ iptablesCreateTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpiptchains;
-
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- iptablesLinkTmpRootChains(&buf, ifname);
- iptablesSetupVirtInPost(&buf, ifname);
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpiptchains;
-
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+ iptablesLinkTmpRootChainsFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
+ iptablesSetupVirtInPostFW(fw, VIR_FIREWALL_LAYER_IPV4, ifname);
for (i = 0; i < nrules; i++) {
- if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
- iptablesRuleInstCommand(&buf,
- ifname,
- rules[i]);
+ if (virNWFilterRuleIsProtocolIPv4(rules[i]->def)) {
+ if (iptablesRuleInstCommand(fw,
+ ifname,
+ rules[i]) < 0)
+ goto cleanup;
+ }
}
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0)
- goto tear_down_tmpiptchains;
-
iptablesCheckBridgeNFCallEnabled(false);
}
if (haveIp6tables) {
... also this here.
Tentative ACK
3:45 a.m.
New subject: [libvirt] [PATCH 23/26] Convert nwfilter ebiptablesApplyNewRules to virFirewall
On Wed, Apr 16, 2014 at 03:38:39PM -0400, Stefan Berger wrote:
> }
>
> if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
>- printCommentVar(prefix, ipHdr->dataComment.u.string);
>-
> /* keep comments behind everything else -- they are packet eval.
> no-ops */
>- virBufferAddLit(afterStateMatch,
>- " -m comment --comment \"$" COMMENT_VARNAME
"\"");
>+ virFirewallRuleAddArgList(fw, fwrule,
>+ "-m", "comment",
>+ "--comment",
ipHdr->dataComment.u.string,
>+ NULL);
> }
The interesting part about comments was before to ensure that $(foo)
never executes in a subshell. With TCK passing it seems this
concern is addressed.
Well the way we execute iptables now means that the shell is never
involved in any part of the stack, so the issue goes away entirely.
> } else {
> if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
> haveIptables = true;
>- else if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
>+ else if (virNWFilterRuleIsProtocolIPv6(rules[i]->def))
> haveIp6tables = true;
Ah, this is probably the reason why IPv6 rules didn't work in TCK
and 23/26 now fixes it. That's probably a typo introduced in 8/26.
If you want to go back to 8/26 to fix this ... unless this has other
negative side effects during the surgery. Up to you.
Yep, easy to fix the original. Thanks for finding this.
>
> if (haveIptables) {
Based on your comment in another patch, now I am surprised to still
see this check 'haveIptables' here. Wouldn't the rpm also solve this
here as well?
This boolean is about whether any iptables rules are defined for
the filter. It lets us avoid creating the base chains if there
are no rules to put in them.
>
> if (haveIp6tables) {
... also this here.
Likewise.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:38 a.m.
New subject: [libvirt] [PATCH 24/26] Convert ebiptablesDriverProbeStateMatch to virFirewall
Conver the ebiptablesDriverProbeStateMatch initialization
check to use the virFirewall APIs for querying iptables
version.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 68 +++++++++++++++++++------------
1 file changed, 43 insertions(+), 25 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 835e068..8f237a2 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -3915,45 +3915,62 @@ ebiptablesDriverProbeCtdir(void)
iptables_ctdir_corrected = CTDIR_STATUS_OLD;
}
-static void
-ebiptablesDriverProbeStateMatch(void)
-{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
- char *cmdout = NULL, *version;
- unsigned long thisversion;
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- virBufferAsprintf(&buf,
- "$IPT --version");
+static int
+ebiptablesDriverProbeStateMatchQuery(virFirewallPtr fw ATTRIBUTE_UNUSED,
+ const char *const *lines,
+ void *opaque)
+{
+ unsigned long *version = opaque;
+ char *tmp;
- if (ebiptablesExecCLI(&buf, false, &cmdout) < 0) {
- VIR_ERROR(_("Testing of iptables command failed: %s"),
- cmdout);
- return;
+ if (!lines || !lines[0]) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No output from iptables --version"));
+ return -1;
}
/*
* we expect output in the format
- * iptables v1.4.16
+ * 'iptables v1.4.16'
*/
- if (!(version = strchr(cmdout, 'v')) ||
- virParseVersionString(version + 1, &thisversion, true) < 0) {
- VIR_ERROR(_("Could not determine iptables version from string %s"),
- cmdout);
- goto cleanup;
+ if (!(tmp = strchr(lines[0], 'v')) ||
+ virParseVersionString(tmp + 1, version, true) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Cannot parse version string '%s'"),
+ lines[0]);
+ return -1;
}
+ return 0;
+}
+
+
+static int
+ebiptablesDriverProbeStateMatch(void)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ unsigned long version;
+ virFirewallPtr fw = virFirewallNew();
+
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
+ virFirewallStartTransaction(fw, 0);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false, ebiptablesDriverProbeStateMatchQuery, &version,
+ "--version", NULL);
+
+ if (virFirewallApply(fw) < 0)
+ return -1;
+
/*
* since version 1.4.16 '-m state --state ...' will be converted to
* '-m conntrack --ctstate ...'
*/
- if (thisversion >= 1 * 1000000 + 4 * 1000 + 16)
+ if (version >= 1 * 1000000 + 4 * 1000 + 16)
newMatchState = true;
- cleanup:
- VIR_FREE(cmdout);
- return;
+ return 0;
}
static int
@@ -3992,7 +4009,8 @@ ebiptablesDriverInit(bool privileged)
if (iptables_cmd_path) {
ebiptablesDriverProbeCtdir();
- ebiptablesDriverProbeStateMatch();
+ if (ebiptablesDriverProbeStateMatch() < 0)
+ return -1;
}
ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED;
--
1.9.0
2:43 p.m.
New subject: [libvirt] [PATCH 24/26] Convert ebiptablesDriverProbeStateMatch to virFirewall
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Conver the ebiptablesDriverProbeStateMatch initialization
check to use the virFirewall APIs for querying iptables
version.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 68 +++++++++++++++++++------------
1 file changed, 43 insertions(+), 25 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 835e068..8f237a2 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -3915,45 +3915,62 @@ ebiptablesDriverProbeCtdir(void)
iptables_ctdir_corrected = CTDIR_STATUS_OLD;
}
-static void
-ebiptablesDriverProbeStateMatch(void)
-{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
- char *cmdout = NULL, *version;
- unsigned long thisversion;
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- virBufferAsprintf(&buf,
- "$IPT --version");
+static int
+ebiptablesDriverProbeStateMatchQuery(virFirewallPtr fw ATTRIBUTE_UNUSED,
+ const char *const *lines,
+ void *opaque)
+{
+ unsigned long *version = opaque;
+ char *tmp;
- if (ebiptablesExecCLI(&buf, false, &cmdout) < 0) {
- VIR_ERROR(_("Testing of iptables command failed: %s"),
- cmdout);
- return;
+ if (!lines || !lines[0]) {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No output from iptables --version"));
+ return -1;
}
/*
* we expect output in the format
- * iptables v1.4.16
+ * 'iptables v1.4.16'
*/
- if (!(version = strchr(cmdout, 'v')) ||
- virParseVersionString(version + 1, &thisversion, true) < 0) {
- VIR_ERROR(_("Could not determine iptables version from string %s"),
- cmdout);
- goto cleanup;
+ if (!(tmp = strchr(lines[0], 'v')) ||
+ virParseVersionString(tmp + 1, version, true) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Cannot parse version string '%s'"),
+ lines[0]);
+ return -1;
}
+ return 0;
+}
+
+
+static int
+ebiptablesDriverProbeStateMatch(void)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ unsigned long version;
+ virFirewallPtr fw = virFirewallNew();
+
+ NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
+
+ virFirewallStartTransaction(fw, 0);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false, ebiptablesDriverProbeStateMatchQuery, &version,
+ "--version", NULL);
+
+ if (virFirewallApply(fw) < 0)
+ return -1;
+
/*
* since version 1.4.16 '-m state --state ...' will be converted to
* '-m conntrack --ctstate ...'
*/
- if (thisversion >= 1 * 1000000 + 4 * 1000 + 16)
+ if (version >= 1 * 1000000 + 4 * 1000 + 16)
newMatchState = true;
- cleanup:
- VIR_FREE(cmdout);
- return;
+ return 0;
}
static int
@@ -3992,7 +4009,8 @@ ebiptablesDriverInit(bool privileged)
if (iptables_cmd_path) {
ebiptablesDriverProbeCtdir();
- ebiptablesDriverProbeStateMatch();
+ if (ebiptablesDriverProbeStateMatch() < 0)
+ return -1;
}
ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED;
ACK
10:38 a.m.
New subject: [libvirt] [PATCH 25/26] Remove last trace of direct firewall command exection
Remove all the left over code related to the direct invocation
of firewall-cmd/iptables/ip6tables/ebtables. This is all handled
by the virFirewallPtr APIs now.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/nwfilter/nwfilter_ebiptables_driver.c | 301 +-----------------------------
1 file changed, 8 insertions(+), 293 deletions(-)
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 8f237a2..702deb6 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -59,23 +59,6 @@ VIR_LOG_INIT("nwfilter.nwfilter_ebiptables_driver");
#define CHAINPREFIX_HOST_IN_TEMP 'J'
#define CHAINPREFIX_HOST_OUT_TEMP 'P'
-/* This file generates a temporary shell script. Since ebiptables is
- Linux-specific, we can be reasonably certain that /bin/sh is more
- or less POSIX-compliant, so we can use $() and $(()). However, we
- cannot assume that /bin/sh is bash, so stick to POSIX syntax. */
-
-#define CMD_SEPARATOR "\n"
-#define CMD_DEF_PRE "cmd='"
-#define CMD_DEF_POST "'"
-#define CMD_DEF(X) CMD_DEF_PRE X CMD_DEF_POST
-#define CMD_EXEC "eval res=\\$\\(\"${cmd} 2>&1\"\\)"
CMD_SEPARATOR
-#define CMD_STOPONERR(X) \
- X ? "if [ $? -ne 0 ]; then" \
- " echo \"Failure to execute command '${cmd}' :
'${res}'.\";" \
- " exit 1;" \
- "fi" CMD_SEPARATOR \
- : ""
-
#define PROC_BRIDGE_NF_CALL_IPTABLES \
"/proc/sys/net/bridge/bridge-nf-call-iptables"
@@ -84,11 +67,6 @@ VIR_LOG_INIT("nwfilter.nwfilter_ebiptables_driver");
#define BRIDGE_NF_CALL_ALERT_INTERVAL 10 /* seconds */
-static char *ebtables_cmd_path;
-static char *iptables_cmd_path;
-static char *ip6tables_cmd_path;
-static char *grep_cmd_path;
-
/*
* --ctdir original vs. --ctdir reply's meaning was inverted in netfilter
* at some point (Linux 2.6.39)
@@ -105,14 +83,6 @@ static enum ctdirStatus iptables_ctdir_corrected;
#define PRINT_CHAIN(buf, prefix, ifname, suffix) \
snprintf(buf, sizeof(buf), "%c-%s-%s", prefix, ifname, suffix)
-
-#define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \
- virBufferAsprintf(BUFPTR, "EBT=\"%s\"\n", ebtables_cmd_path);
-#define NWFILTER_SET_IPTABLES_SHELLVAR(BUFPTR) \
- virBufferAsprintf(BUFPTR, "IPT=\"%s\"\n", iptables_cmd_path);
-#define NWFILTER_SET_IP6TABLES_SHELLVAR(BUFPTR) \
- virBufferAsprintf(BUFPTR, "IPT=\"%s\"\n", ip6tables_cmd_path);
-
#define VIRT_IN_CHAIN "libvirt-in"
#define VIRT_OUT_CHAIN "libvirt-out"
#define VIRT_IN_POST_CHAIN "libvirt-in-post"
@@ -133,8 +103,6 @@ static void ebiptablesDriverShutdown(void);
static int ebtablesCleanAll(const char *ifname);
static int ebiptablesAllTeardown(const char *ifname);
-static virMutex execCLIMutex = VIR_MUTEX_INITIALIZER;
-
struct ushort_map {
unsigned short attr;
const char *val;
@@ -2478,55 +2446,6 @@ ebiptablesCreateRuleInstance(virFirewallPtr fw,
}
-/**
- * ebiptablesExecCLI:
- * @buf: pointer to virBuffer containing the string with the commands to
- * execute.
- * @ignoreNonzero: true if non-zero status is not fatal
- * @outbuf: Optional pointer to a string that will hold the buffer with
- * output of the executed command. The actual buffer holding
- * the message will be newly allocated by this function and
- * any passed in buffer freed first.
- *
- * Returns 0 in case of success, < 0 in case of an error. The returned
- * value is NOT the result of running the commands inside the shell
- * script.
- *
- * Execute a sequence of commands (held in the given buffer) as a /bin/sh
- * script. Depending on ignoreNonzero, this function will fail if the
- * script has unexpected status.
- */
-static int
-ebiptablesExecCLI(virBufferPtr buf, bool ignoreNonzero, char **outbuf)
-{
- int rc = -1;
- virCommandPtr cmd;
- int status;
-
- if (!virBufferError(buf) && !virBufferUse(buf))
- return 0;
-
- if (outbuf)
- VIR_FREE(*outbuf);
-
- VIR_INFO("Run [%s]", virBufferCurrentContent(buf));
- cmd = virCommandNewArgList("/bin/sh", "-c", NULL);
- virCommandAddArgBuffer(cmd, buf);
- if (outbuf)
- virCommandSetOutputBuffer(cmd, outbuf);
-
- virMutexLock(&execCLIMutex);
-
- rc = virCommandRun(cmd, ignoreNonzero ? &status : NULL);
-
- virMutexUnlock(&execCLIMutex);
-
- virCommandFree(cmd);
-
- return rc;
-}
-
-
static void
ebtablesCreateTmpRootChainFW(virFirewallPtr fw,
int incoming, const char *ifname)
@@ -2875,7 +2794,7 @@ ebtablesRenameTmpSubAndRootChainsFW(virFirewallPtr fw,
static int
ebiptablesCanApplyBasicRules(void)
{
- return ebtables_cmd_path != NULL;
+ return true;
}
/**
@@ -2929,12 +2848,8 @@ ebtablesApplyBasicRules(const char *ifname,
ebtablesLinkTmpRootChainFW(fw, true, ifname);
ebtablesRenameTmpRootChainFW(fw, true, ifname);
- virMutexLock(&execCLIMutex);
- if (virFirewallApply(fw) < 0) {
- virMutexUnlock(&execCLIMutex);
+ if (virFirewallApply(fw) < 0)
goto tear_down_tmpebchains;
- }
- virMutexUnlock(&execCLIMutex);
virFirewallFree(fw);
return 0;
@@ -3052,12 +2967,8 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
ebtablesRenameTmpRootChainFW(fw, false, ifname);
}
- virMutexLock(&execCLIMutex);
- if (virFirewallApply(fw) < 0) {
- virMutexUnlock(&execCLIMutex);
+ if (virFirewallApply(fw) < 0)
goto tear_down_tmpebchains;
- }
- virMutexUnlock(&execCLIMutex);
virFirewallFree(fw);
@@ -3111,12 +3022,8 @@ ebtablesApplyDropAllRules(const char *ifname)
ebtablesRenameTmpRootChainFW(fw, true, ifname);
ebtablesRenameTmpRootChainFW(fw, false, ifname);
- virMutexLock(&execCLIMutex);
- if (virFirewallApply(fw) < 0) {
- virMutexUnlock(&execCLIMutex);
+ if (virFirewallApply(fw) < 0)
goto tear_down_tmpebchains;
- }
- virMutexUnlock(&execCLIMutex);
virFirewallFree(fw);
return 0;
@@ -3156,9 +3063,7 @@ ebtablesCleanAll(const char *ifname)
ebtablesRemoveTmpRootChainFW(fw, true, ifname);
ebtablesRemoveTmpRootChainFW(fw, false, ifname);
- virMutexLock(&execCLIMutex);
ret = virFirewallApply(fw);
- virMutexUnlock(&execCLIMutex);
virFirewallFree(fw);
return ret;
}
@@ -3605,12 +3510,8 @@ ebiptablesApplyNewRules(const char *ifname,
ebtablesRemoveTmpRootChainFW(fw, true, ifname);
ebtablesRemoveTmpRootChainFW(fw, false, ifname);
- virMutexLock(&execCLIMutex);
- if (virFirewallApply(fw) < 0) {
- virMutexUnlock(&execCLIMutex);
+ if (virFirewallApply(fw) < 0)
goto cleanup;
- }
- virMutexUnlock(&execCLIMutex);
ret = 0;
@@ -3647,9 +3548,7 @@ ebiptablesTearNewRules(const char *ifname)
ebtablesRemoveTmpRootChainFW(fw, true, ifname);
ebtablesRemoveTmpRootChainFW(fw, false, ifname);
- virMutexLock(&execCLIMutex);
ret = virFirewallApply(fw);
- virMutexUnlock(&execCLIMutex);
virFirewallFree(fw);
return ret;
}
@@ -3678,9 +3577,7 @@ ebiptablesTearOldRules(const char *ifname)
ebtablesRemoveRootChainFW(fw, false, ifname);
ebtablesRenameTmpSubAndRootChainsFW(fw, ifname);
- virMutexLock(&execCLIMutex);
ret = virFirewallApply(fw);
- virMutexUnlock(&execCLIMutex);
virFirewallFree(fw);
return ret;
}
@@ -3719,9 +3616,7 @@ ebiptablesAllTeardown(const char *ifname)
ebtablesRemoveRootChainFW(fw, true, ifname);
ebtablesRemoveRootChainFW(fw, false, ifname);
- virMutexLock(&execCLIMutex);
ret = virFirewallApply(fw);
- virMutexUnlock(&execCLIMutex);
virFirewallFree(fw);
return ret;
}
@@ -3746,149 +3641,6 @@ virNWFilterTechDriver ebiptables_driver = {
.removeBasicRules = ebtablesRemoveBasicRules,
};
-/*
- * ebiptablesDriverInitWithFirewallD
- *
- * Try to use firewall-cmd by testing it once; if it works, have ebtables
- * and ip6tables commands use firewall-cmd.
- */
-static int
-ebiptablesDriverInitWithFirewallD(void)
-{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
- char *firewall_cmd_path;
- char *output = NULL;
- int ret = -1;
-
- if (!virNWFilterDriverIsWatchingFirewallD())
- return -1;
-
- firewall_cmd_path = virFindFileInPath("firewall-cmd");
-
- if (firewall_cmd_path) {
- virBufferAsprintf(&buf, "FWC=%s\n", firewall_cmd_path);
- virBufferAsprintf(&buf,
- CMD_DEF("$FWC --state") CMD_SEPARATOR
- CMD_EXEC
- "%s",
- CMD_STOPONERR(true));
-
- if (ebiptablesExecCLI(&buf, false, &output) < 0) {
- VIR_INFO("firewalld support disabled for nwfilter");
- } else {
- VIR_INFO("firewalld support enabled for nwfilter");
-
- if (virAsprintf(&ebtables_cmd_path,
- "%s --direct --passthrough eb",
- firewall_cmd_path) < 0 ||
- virAsprintf(&iptables_cmd_path,
- "%s --direct --passthrough ipv4",
- firewall_cmd_path) < 0 ||
- virAsprintf(&ip6tables_cmd_path,
- "%s --direct --passthrough ipv6",
- firewall_cmd_path) < 0) {
- VIR_FREE(ebtables_cmd_path);
- VIR_FREE(iptables_cmd_path);
- VIR_FREE(ip6tables_cmd_path);
- ret = -1;
- goto err_exit;
- }
- ret = 0;
- }
- }
-
- err_exit:
- VIR_FREE(firewall_cmd_path);
- VIR_FREE(output);
-
- return ret;
-}
-
-static void
-ebiptablesDriverInitCLITools(void)
-{
- ebtables_cmd_path = virFindFileInPath("ebtables");
- if (!ebtables_cmd_path)
- VIR_WARN("Could not find 'ebtables' executable");
-
- iptables_cmd_path = virFindFileInPath("iptables");
- if (!iptables_cmd_path)
- VIR_WARN("Could not find 'iptables' executable");
-
- ip6tables_cmd_path = virFindFileInPath("ip6tables");
- if (!ip6tables_cmd_path)
- VIR_WARN("Could not find 'ip6tables' executable");
-}
-
-/*
- * ebiptablesDriverTestCLITools
- *
- * Test the CLI tools. If one is found not to be working, free the buffer
- * holding its path as a sign that the tool cannot be used.
- */
-static int
-ebiptablesDriverTestCLITools(void)
-{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
- char *errmsg = NULL;
- int ret = 0;
-
- if (ebtables_cmd_path) {
- NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
- /* basic probing */
- virBufferAsprintf(&buf,
- CMD_DEF("$EBT -t nat -L") CMD_SEPARATOR
- CMD_EXEC
- "%s",
- CMD_STOPONERR(true));
-
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0) {
- VIR_FREE(ebtables_cmd_path);
- VIR_ERROR(_("Testing of ebtables command failed: %s"),
- errmsg);
- ret = -1;
- }
- }
-
- if (iptables_cmd_path) {
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
- virBufferAsprintf(&buf,
- CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR
- CMD_EXEC
- "%s",
- CMD_STOPONERR(true));
-
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0) {
- VIR_FREE(iptables_cmd_path);
- VIR_ERROR(_("Testing of iptables command failed: %s"),
- errmsg);
- ret = -1;
- }
- }
-
- if (ip6tables_cmd_path) {
- NWFILTER_SET_IP6TABLES_SHELLVAR(&buf);
-
- virBufferAsprintf(&buf,
- CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR
- CMD_EXEC
- "%s",
- CMD_STOPONERR(true));
-
- if (ebiptablesExecCLI(&buf, false, &errmsg) < 0) {
- VIR_FREE(ip6tables_cmd_path);
- VIR_ERROR(_("Testing of ip6tables command failed: %s"),
- errmsg);
- ret = -1;
- }
- }
-
- VIR_FREE(errmsg);
-
- return ret;
-}
-
static void
ebiptablesDriverProbeCtdir(void)
{
@@ -3949,12 +3701,9 @@ ebiptablesDriverProbeStateMatchQuery(virFirewallPtr fw
ATTRIBUTE_UNUSED,
static int
ebiptablesDriverProbeStateMatch(void)
{
- virBuffer buf = VIR_BUFFER_INITIALIZER;
unsigned long version;
virFirewallPtr fw = virFirewallNew();
- NWFILTER_SET_IPTABLES_SHELLVAR(&buf);
-
virFirewallStartTransaction(fw, 0);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
false, ebiptablesDriverProbeStateMatchQuery, &version,
@@ -3979,39 +3728,9 @@ ebiptablesDriverInit(bool privileged)
if (!privileged)
return 0;
- grep_cmd_path = virFindFileInPath("grep");
-
- /*
- * check whether we can run with firewalld's tools --
- * if not, we just fall back to eb/iptables command
- * line tools.
- */
- if (ebiptablesDriverInitWithFirewallD() < 0)
- ebiptablesDriverInitCLITools();
-
- /* make sure tools are available and work */
- ebiptablesDriverTestCLITools();
-
- /* ip(6)tables support needs awk & grep, ebtables doesn't */
- if ((iptables_cmd_path != NULL || ip6tables_cmd_path != NULL) &&
- !grep_cmd_path) {
- VIR_ERROR(_("essential tools to support ip(6)tables "
- "firewalls could not be located"));
- VIR_FREE(iptables_cmd_path);
- VIR_FREE(ip6tables_cmd_path);
- }
-
- if (!ebtables_cmd_path && !iptables_cmd_path && !ip6tables_cmd_path)
{
- VIR_ERROR(_("firewall tools were not found or cannot be used"));
- ebiptablesDriverShutdown();
- return -ENOTSUP;
- }
-
- if (iptables_cmd_path) {
- ebiptablesDriverProbeCtdir();
- if (ebiptablesDriverProbeStateMatch() < 0)
- return -1;
- }
+ ebiptablesDriverProbeCtdir();
+ if (ebiptablesDriverProbeStateMatch() < 0)
+ return -1;
ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED;
@@ -4022,9 +3741,5 @@ ebiptablesDriverInit(bool privileged)
static void
ebiptablesDriverShutdown(void)
{
- VIR_FREE(grep_cmd_path);
- VIR_FREE(ebtables_cmd_path);
- VIR_FREE(iptables_cmd_path);
- VIR_FREE(ip6tables_cmd_path);
ebiptables_driver.flags = 0;
}
--
1.9.0
2:47 p.m.
New subject: [libvirt] [PATCH 25/26] Remove last trace of direct firewall command exection
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Remove all the left over code related to the direct invocation
of firewall-cmd/iptables/ip6tables/ebtables. This is all handled
by the virFirewallPtr APIs now.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
ACK
10:38 a.m.
New subject: [libvirt] [PATCH 26/26] Add a test suite for nwfilter ebiptables tech driver
Create a nwfilterxml2firewalltest to exercise the
ebiptables_driver.applyNewRules method with a variety of
different XML input files. The XML input files are taken
from the libvirt-tck nwfilter tests. While the nwfilter
tests verify the final state of the iptables chains, this
test verifies the set of commands invoked to create the
chains.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/conf/nwfilter_params.c | 15 +
src/conf/nwfilter_params.h | 1 +
src/libvirt_private.syms | 2 +
tests/Makefile.am | 7 +
tests/nwfilterxml2firewalldata/ah-ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/ah-ipv6.xml | 19 +
tests/nwfilterxml2firewalldata/ah-linux.args | 18 +
tests/nwfilterxml2firewalldata/ah.xml | 18 +
tests/nwfilterxml2firewalldata/all-ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/all-ipv6.xml | 19 +
tests/nwfilterxml2firewalldata/all-linux.args | 18 +
tests/nwfilterxml2firewalldata/all.xml | 18 +
tests/nwfilterxml2firewalldata/arp-linux.args | 11 +
tests/nwfilterxml2firewalldata/arp.xml | 32 ++
tests/nwfilterxml2firewalldata/comment-linux.args | 49 ++
tests/nwfilterxml2firewalldata/comment.xml | 71 +++
.../nwfilterxml2firewalldata/conntrack-linux.args | 7 +
tests/nwfilterxml2firewalldata/conntrack.xml | 12 +
tests/nwfilterxml2firewalldata/esp-ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/esp-ipv6.xml | 19 +
tests/nwfilterxml2firewalldata/esp-linux.args | 18 +
tests/nwfilterxml2firewalldata/esp.xml | 18 +
.../nwfilterxml2firewalldata/example-1-linux.args | 13 +
tests/nwfilterxml2firewalldata/example-1.xml | 24 +
.../nwfilterxml2firewalldata/example-2-linux.args | 20 +
tests/nwfilterxml2firewalldata/example-2.xml | 37 ++
tests/nwfilterxml2firewalldata/hex-data-linux.args | 28 ++
tests/nwfilterxml2firewalldata/hex-data.xml | 56 +++
.../icmp-direction-linux.args | 9 +
tests/nwfilterxml2firewalldata/icmp-direction.xml | 15 +
.../icmp-direction2-linux.args | 9 +
tests/nwfilterxml2firewalldata/icmp-direction2.xml | 15 +
.../icmp-direction3-linux.args | 6 +
tests/nwfilterxml2firewalldata/icmp-direction3.xml | 10 +
tests/nwfilterxml2firewalldata/icmp-linux.args | 9 +
tests/nwfilterxml2firewalldata/icmp.xml | 13 +
tests/nwfilterxml2firewalldata/icmpv6-linux.args | 12 +
tests/nwfilterxml2firewalldata/icmpv6.xml | 19 +
tests/nwfilterxml2firewalldata/igmp-linux.args | 18 +
tests/nwfilterxml2firewalldata/igmp.xml | 18 +
tests/nwfilterxml2firewalldata/ip-linux.args | 8 +
tests/nwfilterxml2firewalldata/ip.xml | 28 ++
tests/nwfilterxml2firewalldata/ipset-linux.args | 36 ++
tests/nwfilterxml2firewalldata/ipset.xml | 25 +
.../ipt-no-macspoof-linux.args | 2 +
tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml | 14 +
tests/nwfilterxml2firewalldata/ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/ipv6.xml | 43 ++
tests/nwfilterxml2firewalldata/iter1-linux.args | 18 +
tests/nwfilterxml2firewalldata/iter1.xml | 6 +
tests/nwfilterxml2firewalldata/iter2-linux.args | 342 +++++++++++++
tests/nwfilterxml2firewalldata/iter2.xml | 23 +
tests/nwfilterxml2firewalldata/iter3-linux.args | 30 ++
tests/nwfilterxml2firewalldata/iter3.xml | 13 +
tests/nwfilterxml2firewalldata/mac-linux.args | 8 +
tests/nwfilterxml2firewalldata/mac.xml | 19 +
tests/nwfilterxml2firewalldata/rarp-linux.args | 12 +
tests/nwfilterxml2firewalldata/rarp.xml | 28 ++
tests/nwfilterxml2firewalldata/ref-rule.xml | 18 +
tests/nwfilterxml2firewalldata/ref.xml | 4 +
.../nwfilterxml2firewalldata/sctp-ipv6-linux.args | 22 +
tests/nwfilterxml2firewalldata/sctp-ipv6.xml | 22 +
tests/nwfilterxml2firewalldata/sctp-linux.args | 20 +
tests/nwfilterxml2firewalldata/sctp.xml | 22 +
tests/nwfilterxml2firewalldata/stp-linux.args | 18 +
tests/nwfilterxml2firewalldata/stp.xml | 26 +
tests/nwfilterxml2firewalldata/target-linux.args | 75 +++
tests/nwfilterxml2firewalldata/target.xml | 66 +++
tests/nwfilterxml2firewalldata/target2-linux.args | 13 +
tests/nwfilterxml2firewalldata/target2.xml | 18 +
tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args | 22 +
tests/nwfilterxml2firewalldata/tcp-ipv6.xml | 22 +
tests/nwfilterxml2firewalldata/tcp-linux.args | 22 +
tests/nwfilterxml2firewalldata/tcp.xml | 34 ++
tests/nwfilterxml2firewalldata/udp-ipv6-linux.args | 22 +
tests/nwfilterxml2firewalldata/udp-ipv6.xml | 22 +
tests/nwfilterxml2firewalldata/udp-linux.args | 20 +
tests/nwfilterxml2firewalldata/udp.xml | 22 +
.../udplite-ipv6-linux.args | 20 +
tests/nwfilterxml2firewalldata/udplite-ipv6.xml | 19 +
tests/nwfilterxml2firewalldata/udplite-linux.args | 18 +
tests/nwfilterxml2firewalldata/udplite.xml | 18 +
tests/nwfilterxml2firewalldata/vlan-linux.args | 14 +
tests/nwfilterxml2firewalldata/vlan.xml | 38 ++
tests/nwfilterxml2firewalltest.c | 534 +++++++++++++++++++++
85 files changed, 2609 insertions(+)
create mode 100644 tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ah-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/ah-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ah.xml
create mode 100644 tests/nwfilterxml2firewalldata/all-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/all-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/all-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/all.xml
create mode 100644 tests/nwfilterxml2firewalldata/arp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/arp.xml
create mode 100644 tests/nwfilterxml2firewalldata/comment-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/comment.xml
create mode 100644 tests/nwfilterxml2firewalldata/conntrack-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/conntrack.xml
create mode 100644 tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/esp-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/esp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/esp.xml
create mode 100644 tests/nwfilterxml2firewalldata/example-1-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/example-1.xml
create mode 100644 tests/nwfilterxml2firewalldata/example-2-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/example-2.xml
create mode 100644 tests/nwfilterxml2firewalldata/hex-data-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/hex-data.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction2.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction3.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmp.xml
create mode 100644 tests/nwfilterxml2firewalldata/icmpv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/icmpv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/igmp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/igmp.xml
create mode 100644 tests/nwfilterxml2firewalldata/ip-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ip.xml
create mode 100644 tests/nwfilterxml2firewalldata/ipset-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ipset.xml
create mode 100644 tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
create mode 100644 tests/nwfilterxml2firewalldata/ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/iter1-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/iter1.xml
create mode 100644 tests/nwfilterxml2firewalldata/iter2-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/iter2.xml
create mode 100644 tests/nwfilterxml2firewalldata/iter3-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/iter3.xml
create mode 100644 tests/nwfilterxml2firewalldata/mac-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/mac.xml
create mode 100644 tests/nwfilterxml2firewalldata/rarp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/rarp.xml
create mode 100644 tests/nwfilterxml2firewalldata/ref-rule.xml
create mode 100644 tests/nwfilterxml2firewalldata/ref.xml
create mode 100644 tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/sctp-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/sctp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/sctp.xml
create mode 100644 tests/nwfilterxml2firewalldata/stp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/stp.xml
create mode 100644 tests/nwfilterxml2firewalldata/target-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/target.xml
create mode 100644 tests/nwfilterxml2firewalldata/target2-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/target2.xml
create mode 100644 tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/tcp-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/tcp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/tcp.xml
create mode 100644 tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/udp-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/udp-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/udp.xml
create mode 100644 tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/udplite-ipv6.xml
create mode 100644 tests/nwfilterxml2firewalldata/udplite-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/udplite.xml
create mode 100644 tests/nwfilterxml2firewalldata/vlan-linux.args
create mode 100644 tests/nwfilterxml2firewalldata/vlan.xml
create mode 100644 tests/nwfilterxml2firewalltest.c
diff --git a/src/conf/nwfilter_params.c b/src/conf/nwfilter_params.c
index 7655033..ac4d4a8 100644
--- a/src/conf/nwfilter_params.c
+++ b/src/conf/nwfilter_params.c
@@ -252,6 +252,21 @@ virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value)
return rc;
}
+
+int
+virNWFilterVarValueAddValueCopy(virNWFilterVarValuePtr val, const char *value)
+{
+ char *valdup;
+ if (VIR_STRDUP(valdup, value) < 0)
+ return -1;
+ if (virNWFilterVarValueAddValue(val, valdup) < 0) {
+ VIR_FREE(valdup);
+ return -1;
+ }
+ return 0;
+}
+
+
static int
virNWFilterVarValueDelNthValue(virNWFilterVarValuePtr val, unsigned int pos)
{
diff --git a/src/conf/nwfilter_params.h b/src/conf/nwfilter_params.h
index f9efc42..08e448f 100644
--- a/src/conf/nwfilter_params.h
+++ b/src/conf/nwfilter_params.h
@@ -60,6 +60,7 @@ unsigned int virNWFilterVarValueGetCardinality(const virNWFilterVarValue
*);
bool virNWFilterVarValueEqual(const virNWFilterVarValue *a,
const virNWFilterVarValue *b);
int virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value);
+int virNWFilterVarValueAddValueCopy(virNWFilterVarValuePtr val, const char *value);
int virNWFilterVarValueDelValue(virNWFilterVarValuePtr val, const char *value);
typedef struct _virNWFilterHashTable virNWFilterHashTable;
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 18be0e1..67edd20 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -578,6 +578,7 @@ virNWFilterConfLayerInit;
virNWFilterConfLayerShutdown;
virNWFilterDefFormat;
virNWFilterDefFree;
+virNWFilterDefParseFile;
virNWFilterDefParseString;
virNWFilterInstFiltersOnAllVMs;
virNWFilterJumpTargetTypeToString;
@@ -630,6 +631,7 @@ virNWFilterVarCombIterFree;
virNWFilterVarCombIterGetVarValue;
virNWFilterVarCombIterNext;
virNWFilterVarValueAddValue;
+virNWFilterVarValueAddValueCopy;
virNWFilterVarValueCopy;
virNWFilterVarValueCreateSimple;
virNWFilterVarValueCreateSimpleCopyValue;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 9547c02..4a71f37 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -270,6 +270,7 @@ test_programs += nwfilterxml2xmltest
if WITH_NWFILTER
test_programs += nwfilterebiptablestest
+test_programs += nwfilterxml2firewalltest
endif WITH_NWFILTER
if WITH_STORAGE
@@ -696,6 +697,12 @@ nwfilterebiptablestest_SOURCES = \
nwfilterebiptablestest.c \
testutils.c testutils.h
nwfilterebiptablestest_LDADD = ../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
+
+nwfilterxml2firewalltest_SOURCES = \
+ nwfilterxml2firewalltest.c \
+ testutils.c testutils.h
+nwfilterxml2firewalltest_LDADD = \
+ ../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
endif WITH_NWFILTER
secretxml2xmltest_SOURCES = \
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
new file mode 100644
index 0000000..aa7a70d
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6.xml
b/tests/nwfilterxml2firewalldata/ah-ipv6.xml
new file mode 100644
index 0000000..95ebbc9
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args
b/tests/nwfilterxml2firewalldata/ah-linux.args
new file mode 100644
index 0000000..a0f5fb6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p ah --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ah.xml
b/tests/nwfilterxml2firewalldata/ah.xml
new file mode 100644
index 0000000..287c10b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
new file mode 100644
index 0000000..6559434
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p all --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all-ipv6.xml
b/tests/nwfilterxml2firewalldata/all-ipv6.xml
new file mode 100644
index 0000000..5cf3519
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/all-linux.args
b/tests/nwfilterxml2firewalldata/all-linux.args
new file mode 100644
index 0000000..c8116f5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all.xml
b/tests/nwfilterxml2firewalldata/all.xml
new file mode 100644
index 0000000..a66923c
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/arp-linux.args
b/tests/nwfilterxml2firewalldata/arp-linux.args
new file mode 100644
index 0000000..469b75a
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/arp-linux.args
@@ -0,0 +1,11 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 12 --arp-opcode 1 \
+--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p 0x806 --arp-gratuitous -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/arp.xml
b/tests/nwfilterxml2firewalldata/arp.xml
new file mode 100644
index 0000000..d0abf94
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/arp.xml
@@ -0,0 +1,32 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535'
/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <arp gratuitous='true'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args
b/tests/nwfilterxml2firewalldata/comment-linux.args
new file mode 100644
index 0000000..e776d22
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/comment-linux.args
@@ -0,0 +1,49 @@
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
+--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \
+--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
+--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
+--ip6-destination-port 13107:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
+--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \
+--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -m comment \
+--comment 'udp rule' -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \
+--comment 'tcp/ipv6 rule' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \
+--state NEW,ESTABLISHED -m comment --comment 'tcp/ipv6 rule' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \
+--comment 'tcp/ipv6 rule' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \
+--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3
spaces'\''' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp -m state --state NEW,ESTABLISHED -m comment \
+--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3
spaces'\''' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \
+--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3
spaces'\''' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \
+--comment 'comment with lone '\'', `, ", `, \, $x, and two
spaces' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp -m state --state NEW,ESTABLISHED -m comment \
+--comment 'comment with lone '\'', `, ", `, \, $x, and two
spaces' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \
+--comment 'comment with lone '\'', `, ", `, \, $x, and two
spaces' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \
+--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f
${tmp}' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah -m state --state NEW,ESTABLISHED -m comment \
+--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f
${tmp}' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \
+--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f
${tmp}' -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/comment.xml
b/tests/nwfilterxml2firewalldata/comment.xml
new file mode 100644
index 0000000..a154a17
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/comment.xml
@@ -0,0 +1,71 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234' comment='mac rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='0x123' srcportend='0x234'
+ dstportstart='0x3456' dstportend='0x4567'
+ dscp='0x32' comment='ip rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='tcp'
+ srcportstart='0x111' srcportend='400'
+ dstportstart='0x3333' dstportend='65535' comment='ipv6
rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='0x12'
+ protocoltype='0x56'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'
+ comment='arp rule'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='0x22'
+ srcportstart='0x123' srcportend='400'
+ dstportstart='0x234' dstportend='0x444'
+ comment='udp rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x39'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'
+ comment='tcp/ipv6 rule'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <udp-ipv6
comment='`ls`;${COLUMNS};$(ls);"test";&'3
spaces''/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 comment='comment with lone ', `, ", `, \, $x, and
two spaces'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <ah-ipv6 comment='tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat <
${tmp}; rm -f ${tmp}'/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args
b/tests/nwfilterxml2firewalldata/conntrack-linux.args
new file mode 100644
index 0000000..96b29ac
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args
@@ -0,0 +1,7 @@
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/conntrack.xml
b/tests/nwfilterxml2firewalldata/conntrack.xml
new file mode 100644
index 0000000..0682b25
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/conntrack.xml
@@ -0,0 +1,12 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <icmp connlimit-above='1'/>
+ </rule>
+ <rule action='drop' direction='out' priority='500'>
+ <tcp connlimit-above='2'/>
+ </rule>
+ <rule action='accept' direction='out' priority='500'>
+ <all/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
new file mode 100644
index 0000000..d8c3a3c
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p esp --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6.xml
b/tests/nwfilterxml2firewalldata/esp-ipv6.xml
new file mode 100644
index 0000000..295d0f9
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args
b/tests/nwfilterxml2firewalldata/esp-linux.args
new file mode 100644
index 0000000..aeee6eb
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p esp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp.xml
b/tests/nwfilterxml2firewalldata/esp.xml
new file mode 100644
index 0000000..1f75df1
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args
b/tests/nwfilterxml2firewalldata/example-1-linux.args
new file mode 100644
index 0000000..647980b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-1-linux.args
@@ -0,0 +1,13 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -j DROP
diff --git a/tests/nwfilterxml2firewalldata/example-1.xml
b/tests/nwfilterxml2firewalldata/example-1.xml
new file mode 100644
index 0000000..ad15a98
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-1.xml
@@ -0,0 +1,24 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <!-- allow incoming ssh connections -->
+ <rule action='accept' direction='in' priority='100'>
+ <tcp dstportstart='22'/>
+ </rule>
+
+ <!-- allow incoming ICMP (ping) packets -->
+ <rule action='accept' direction='in' priority='200'>
+ <icmp/>
+ </rule>
+
+ <!-- allow all outgoing traffic -->
+ <rule action='accept' direction='in' priority='300'>
+ <all/>
+ </rule>
+
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='1000'>
+ <all/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.args
b/tests/nwfilterxml2firewalldata/example-2-linux.args
new file mode 100644
index 0000000..445aa73
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-2-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \
+--comment 'out: existing and related (ftp) connections' -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \
+--comment 'out: existing and related (ftp) connections' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m comment \
+--comment 'in: existing connections' -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 21:22 -m state --state NEW -m comment \
+--comment 'in: ftp and ssh' -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m state --state NEW -m comment \
+--comment 'in: icmp' -j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \
+--comment 'out: DNS lookups' -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \
+--comment 'out: DNS lookups' -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment \
+--comment 'inout: drop all non-accepted traffic' -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment \
+--comment 'inout: drop all non-accepted traffic' -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment \
+--comment 'inout: drop all non-accepted traffic' -j DROP
diff --git a/tests/nwfilterxml2firewalldata/example-2.xml
b/tests/nwfilterxml2firewalldata/example-2.xml
new file mode 100644
index 0000000..7bda4e6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-2.xml
@@ -0,0 +1,37 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <!-- VM outgoing: allow all established and related connections -->
+ <rule action='accept' direction='out' priority='100'>
+ <all state='ESTABLISHED,RELATED'
+ comment='out: existing and related (ftp) connections'/>
+ </rule>
+
+ <!-- VM incoming: allow all established connections -->
+ <rule action='accept' direction='in' priority='100'>
+ <all state='ESTABLISHED'
+ comment='in: existing connections'/>
+ </rule>
+
+ <!-- allow incoming ssh and ftp traffic -->
+ <rule action='accept' direction='in' priority='200'>
+ <tcp dstportstart='21' dstportend='22' state='NEW'
+ comment='in: ftp and ssh'/>
+ </rule>
+
+ <!-- allow incoming ICMP (ping) packets -->
+ <rule action='accept' direction='in' priority='300'>
+ <icmp state='NEW' comment='in: icmp'/>
+ </rule>
+
+ <!-- allow outgong DNS lookups -->
+ <rule action='accept' direction='out' priority='300'>
+ <udp dstportstart='53' state='NEW' comment='out: DNS
lookups'/>
+ </rule>
+
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='1000'>
+ <all comment='inout: drop all non-accepted traffic'/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args
b/tests/nwfilterxml2firewalldata/hex-data-linux.args
new file mode 100644
index 0000000..209c863
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args
@@ -0,0 +1,28 @@
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
+--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \
+--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
+--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
+--ip6-destination-port 13107:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
+--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \
+--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/hex-data.xml
b/tests/nwfilterxml2firewalldata/hex-data.xml
new file mode 100644
index 0000000..45df451
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/hex-data.xml
@@ -0,0 +1,56 @@
+<filter name='tck-testcase'>
+ <uuid>01a992d2-f8c8-7c27-f69b-ab0a9d377379</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='0x123' srcportend='0x234'
+ dstportstart='0x3456' dstportend='0x4567'
+ dscp='0x32'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='tcp'
+ srcportstart='0x111' srcportend='400'
+ dstportstart='0x3333' dstportend='65535'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='0x12'
+ protocoltype='0x56'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='0x22'
+ srcportstart='0x123' srcportend='400'
+ dstportstart='0x234' dstportend='0x444'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x39'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
new file mode 100644
index 0000000..b4df953
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
@@ -0,0 +1,9 @@
+/usr/sbin/iptables -A FP-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -j DROP
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction.xml
b/tests/nwfilterxml2firewalldata/icmp-direction.xml
new file mode 100644
index 0000000..e2184e8
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+ <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+ <!-- allow incoming ICMP Echo Reply -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Request -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
new file mode 100644
index 0000000..fe1e316
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
@@ -0,0 +1,9 @@
+/usr/sbin/iptables -A FP-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -j DROP
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2.xml
b/tests/nwfilterxml2firewalldata/icmp-direction2.xml
new file mode 100644
index 0000000..a552985
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <!-- allow incoming ICMP Echo Request -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Reply -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
new file mode 100644
index 0000000..31fa70e
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
@@ -0,0 +1,6 @@
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -j DROP
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3.xml
b/tests/nwfilterxml2firewalldata/icmp-direction3.xml
new file mode 100644
index 0000000..c592903
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3.xml
@@ -0,0 +1,10 @@
+<filter name='tck-testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp/>
+ </rule>
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <all/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.args
b/tests/nwfilterxml2firewalldata/icmp-linux.args
new file mode 100644
index 0000000..b09941d
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-linux.args
@@ -0,0 +1,9 @@
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 --icmp-type 255/255 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/icmp.xml
b/tests/nwfilterxml2firewalldata/icmp.xml
new file mode 100644
index 0000000..fff5d42
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp.xml
@@ -0,0 +1,13 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' type='255' code='255'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.args
b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
new file mode 100644
index 0000000..f4dd2af
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
@@ -0,0 +1,12 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \
+--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A HJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \
+--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/icmpv6.xml
b/tests/nwfilterxml2firewalldata/icmpv6.xml
new file mode 100644
index 0000000..9d24826
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmpv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33' type='255' code='255'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='33' type='255' code='255'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args
b/tests/nwfilterxml2firewalldata/igmp-linux.args
new file mode 100644
index 0000000..b3b3ba3
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/igmp-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p igmp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/igmp.xml
b/tests/nwfilterxml2firewalldata/igmp.xml
new file mode 100644
index 0000000..0f4dcd4
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/igmp.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ip-linux.args
b/tests/nwfilterxml2firewalldata/ip-linux.args
new file mode 100644
index 0000000..a577a60
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ip-linux.args
@@ -0,0 +1,8 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
+--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 20:22 \
+--ip-destination-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv4 --ip-source 10.1.2.3/17 \
+--ip-destination 10.1.2.3/24 --ip-protocol 17 --ip-tos 0x3f -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv4 --ip-source 10.1.2.3/31 \
+--ip-destination 10.1.2.3/25 --ip-protocol 255 --ip-tos 0x3f -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/ip.xml
b/tests/nwfilterxml2firewalldata/ip.xml
new file mode 100644
index 0000000..da362a1
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ip.xml
@@ -0,0 +1,28 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.128.0'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.0'
+ protocol='17' dscp='63'
+ />
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.255.254'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.128'
+ protocol='255' dscp='63'
+ />
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args
b/tests/nwfilterxml2firewalldata/ipset-linux.args
new file mode 100644
index 0000000..4eeb208
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipset-linux.args
@@ -0,0 +1,36 @@
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment in+NONE -j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment out+NONE -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment out+NONE -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst,src -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst,src -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \
+--comment inout -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment inout -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \
+--comment inout -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ipset.xml
b/tests/nwfilterxml2firewalldata/ipset.xml
new file mode 100644
index 0000000..cc8ccc4
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipset.xml
@@ -0,0 +1,25 @@
+<!-- #ipset help && iptables -t match-set -h && ipset list tck_test ||
ipset create tck_test hash:ip# -->
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all ipset='tck_test' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all state='NONE' ipset='tck_test' ipsetflags='src,dst'
comment='in+NONE'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <all state='NONE' ipset='tck_test' ipsetflags='src,dst'
comment='out+NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all ipset='tck_test' ipsetflags='SRC,DST,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all ipset='tck_test' ipsetflags='SRC,dSt,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all ipset='$IPSETNAME' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='inout'>
+ <all ipset='$IPSETNAME' ipsetflags='src,dst'
comment='inout'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
new file mode 100644
index 0000000..f74f449
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
@@ -0,0 +1,2 @@
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac '!' --mac-source 12:34:56:78:9a:bc
-j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac '!' --mac-source aa:aa:aa:aa:aa:aa
-j DROP
diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
b/tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
new file mode 100644
index 0000000..2e8f2ce
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
@@ -0,0 +1,14 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='drop' direction='inout'>
+ <!-- should use $MAC for MAC address, but tests would depend on VM's
+ MAC address -->
+ <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+ </rule>
+
+ <rule action='drop' direction='in'>
+ <!-- not accepting incoming traffic from a certain MAC address -->
+ <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.args
b/tests/nwfilterxml2firewalldata/ipv6-linux.args
new file mode 100644
index 0000000..e6674f6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
+--ip6-destination ::10.1.2.3/113 --ip6-protocol 17 --ip6-source-port 20:22 \
+--ip6-destination-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 20:22 \
+--ip6-source-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 20:22 \
+--ip6-destination-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 255:256 \
+--ip6-source-port 65535:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 255:256 \
+--ip6-destination-port 65535:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 18 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 18 -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/ipv6.xml
b/tests/nwfilterxml2firewalldata/ipv6.xml
new file mode 100644
index 0000000..9f67bea
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipv6.xml
@@ -0,0 +1,43 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='18'
+ />
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args
b/tests/nwfilterxml2firewalldata/iter1-linux.args
new file mode 100644
index 0000000..5d8d213
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter1-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 2 --dport 80
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 2 --dport 80
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter1.xml
b/tests/nwfilterxml2firewalldata/iter1.xml
new file mode 100644
index 0000000..c2090e6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter1.xml
@@ -0,0 +1,6 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A' srcportstart='$B' dscp='2'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args
b/tests/nwfilterxml2firewalldata/iter2-linux.args
new file mode 100644
index 0000000..42d9e92
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter2-linux.args
@@ -0,0 +1,342 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 80
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 1 --dport 90
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 1 --dport 80
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 -m dscp --dscp 2 --dport 80
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 80
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 -m dscp --dscp 2 --dport 80
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 -m dscp --dscp 2 --dport 90
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 -m dscp --dscp 2 --dport 90
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
+--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
+--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
+--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
+--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
+--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
+--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \
+--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \
+--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80
\
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80
\
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80
\
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90
\
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90
\
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90
\
+--sport 1080 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80
\
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80
\
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80
\
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90
\
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90
\
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90
\
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80
\
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80
\
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80
\
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90
\
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90
\
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90
\
+--sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80
\
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80
\
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80
\
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90
\
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90
\
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90
\
+--sport 1110 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \
+--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 1.1.1.1 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 1.1.1.1 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 1.1.1.1 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 1.1.1.1 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 2.2.2.2 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 2.2.2.2 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 2.2.2.2 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 2.2.2.2 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 3.3.3.3 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 3.3.3.3 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 3.3.3.3 -m dscp \
+--dscp 5 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
+--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 --source 1.1.1.1 -m dscp \
+--dscp 6 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 --source 2.2.2.2 -m dscp \
+--dscp 6 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 --source 3.3.3.3 -m dscp \
+--dscp 6 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter2.xml
b/tests/nwfilterxml2firewalldata/iter2.xml
new file mode 100644
index 0000000..3a3174a
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter2.xml
@@ -0,0 +1,23 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A' srcportstart='$B[@0]' dscp='1'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp srcipaddr='$A[@1]' srcportstart='$B[@2]'
dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <sctp srcipaddr='$A[@1]' srcportstart='$B[@2]'
dstportstart='$C[@2]'
+ dscp='3'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A[@1]' srcportstart='$B[@2]'
dstportstart='$C[@3]'
+ dscp='4'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp srcipaddr='$A[@1]' dstipaddr='$A[@2]' dscp='5'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <sctp srcipaddr='$A' dstipaddr='$A' dscp='6'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args
b/tests/nwfilterxml2firewalldata/iter3-linux.args
new file mode 100644
index 0000000..c74338c
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter3-linux.args
@@ -0,0 +1,30 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 80
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 90
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 80
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90
\
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter3.xml
b/tests/nwfilterxml2firewalldata/iter3.xml
new file mode 100644
index 0000000..47f5096
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter3.xml
@@ -0,0 +1,13 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A[ 0]' srcportstart='$B[ @0 ] '
dscp='1'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp srcipaddr='$A[1 ]' srcportstart='$B[ @2 ]'
dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <sctp srcipaddr='$A[ 1 ] ' srcportstart='$B[2 ] '
dstportstart='$C[ 2 ]'
+ dscp='3'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/mac-linux.args
b/tests/nwfilterxml2firewalldata/mac-linux.args
new file mode 100644
index 0000000..d03b706
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/mac-linux.args
@@ -0,0 +1,8 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x600 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0xffff -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/mac.xml
b/tests/nwfilterxml2firewalldata/mac.xml
new file mode 100644
index 0000000..2aec935
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/mac.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='1536'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/rarp-linux.args
b/tests/nwfilterxml2firewalldata/rarp-linux.args
new file mode 100644
index 0000000..c100470
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/rarp-linux.args
@@ -0,0 +1,12 @@
+/usr/sbin/ebtables -t nat -N libvirt-J-vnet0
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8035 --arp-htype 12 --arp-opcode 1 \
+--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x8035 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x8035 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x8035 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT
+/usr/sbin/ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0
diff --git a/tests/nwfilterxml2firewalldata/rarp.xml
b/tests/nwfilterxml2firewalldata/rarp.xml
new file mode 100644
index 0000000..77c1127
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/rarp.xml
@@ -0,0 +1,28 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='rarp'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535'
/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ref-rule.xml
b/tests/nwfilterxml2firewalldata/ref-rule.xml
new file mode 100644
index 0000000..5cb2fad
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ref-rule.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ref.xml
b/tests/nwfilterxml2firewalldata/ref.xml
new file mode 100644
index 0000000..beb46d2
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ref.xml
@@ -0,0 +1,4 @@
+<filter name='tck-testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
new file mode 100644
index 0000000..956ab82
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6.xml
b/tests/nwfilterxml2firewalldata/sctp-ipv6.xml
new file mode 100644
index 0000000..d1a57b8
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args
b/tests/nwfilterxml2firewalldata/sctp-linux.args
new file mode 100644
index 0000000..643db68
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp.xml
b/tests/nwfilterxml2firewalldata/sctp.xml
new file mode 100644
index 0000000..c3c1000
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/stp-linux.args
b/tests/nwfilterxml2firewalldata/stp-linux.args
new file mode 100644
index 0000000..4f66836
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/stp-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/ebtables -t nat -F J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -X J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -N J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -d 01:80:c2:00:00:00 -j J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -F P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -X P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -N P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d 01:80:c2:00:00:00 -j P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d 01:80:c2:00:00:00 --stp-type 18 --stp-flags 68 -j CONTINUE
+/usr/sbin/ebtables -t nat -A J-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d 01:80:c2:00:00:00 --stp-root-pri 4660:9029 \
+--stp-root-addr 06:05:04:03:02:01/ff:ff:ff:ff:ff:ff \
+--stp-root-cost 287454020:573785173 -j RETURN
+/usr/sbin/ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d 01:80:c2:00:00:00 --stp-sender-prio 4660 --stp-sender-addr 06:05:04:03:02:01 \
+--stp-port 123:234 --stp-msg-age 5544:5555 --stp-max-age 7777:8888 \
+--stp-hello-time 12345:12346 --stp-forward-delay 54321:65432 -j DROP
diff --git a/tests/nwfilterxml2firewalldata/stp.xml
b/tests/nwfilterxml2firewalldata/stp.xml
new file mode 100644
index 0000000..6b5a625
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/stp.xml
@@ -0,0 +1,26 @@
+<filter name='tck-testcase' chain='stp-xyz'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='continue' direction='in'>
+ <stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ type='0x12' flags='0x44'/>
+ </rule>
+
+ <rule action='return' direction='out'>
+ <stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ root-priority='0x1234' root-priority-hi='0x2345'
+ root-address="6:5:4:3:2:1"
root-address-mask='ff:ff:ff:ff:ff:ff'
+ root-cost='0x11223344' root-cost-hi='0x22334455' />
+ </rule>
+
+ <rule action='reject' direction='in'>
+ <stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ sender-priority='0x1234'
+ sender-address="6:5:4:3:2:1"
+ port='123' port-hi='234'
+ age='5544' age-hi='5555'
+ max-age='7777' max-age-hi='8888'
+ hello-time='12345' hello-time-hi='12346'
+ forward-delay='54321' forward-delay-hi='65432'/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/target-linux.args
b/tests/nwfilterxml2firewalldata/target-linux.args
new file mode 100644
index 0000000..bf3b2dc
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target-linux.args
@@ -0,0 +1,75 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
+--comment 'accept rule -- dir out' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -m comment --comment 'accept rule -- dir out' -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
+--comment 'accept rule -- dir out' -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'drop rule -- dir out' -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'drop rule -- dir out' -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'drop rule -- dir out' -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'reject rule -- dir out' -j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 \
+-m comment --comment 'reject rule -- dir out' -j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'reject rule -- dir out' -j REJECT
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j
RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -m comment \
+--comment 'accept rule -- dir in' -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j
RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'drop rule -- dir in' -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'drop rule -- dir
in' \
+-j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'drop rule -- dir in' -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'reject rule -- dir in' -j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'reject rule -- dir
in' \
+-j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'reject rule -- dir in' -j REJECT
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment --comment 'accept rule -- dir
inout' \
+-j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment --comment 'accept rule -- dir
inout' \
+-j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment --comment 'accept rule -- dir
inout' \
+-j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment --comment 'drop rule -- dir
inout' \
+-j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment --comment 'drop rule -- dir
inout' \
+-j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment --comment 'drop rule -- dir
inout' \
+-j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment --comment 'reject rule -- dir
inout' \
+-j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment --comment 'reject rule -- dir
inout' \
+-j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment --comment 'reject rule -- dir
inout' \
+-j REJECT
diff --git a/tests/nwfilterxml2firewalldata/target.xml
b/tests/nwfilterxml2firewalldata/target.xml
new file mode 100644
index 0000000..aa7465b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target.xml
@@ -0,0 +1,66 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='accept rule -- dir out'/>
+ </rule>
+ <rule action='drop' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='drop rule -- dir out'/>
+ </rule>
+ <rule action='reject' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='reject rule -- dir out'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='accept rule -- dir in'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='drop rule -- dir in'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='reject rule -- dir in'/>
+ </rule>
+ <rule action='accept' direction='inout'>
+ <all comment='accept rule -- dir inout'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <all comment='drop rule -- dir inout'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <all comment='reject rule -- dir inout'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='drop' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='reject' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args
b/tests/nwfilterxml2firewalldata/target2-linux.args
new file mode 100644
index 0000000..a1e4c86
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target2-linux.args
@@ -0,0 +1,13 @@
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 22 -j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --sport 22 -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --sport 22 -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp -j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p tcp -j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp -j REJECT
+/usr/sbin/iptables -A FJ-vnet0 -p all -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -j DROP
diff --git a/tests/nwfilterxml2firewalldata/target2.xml
b/tests/nwfilterxml2firewalldata/target2.xml
new file mode 100644
index 0000000..c913bf5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target2.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='in'>
+ <tcp dstportstart='22' state='NONE'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcportstart='22' state='NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp dstportstart='80'/>
+ </rule>
+ <rule action='reject' direction='inout'>
+ <tcp/>
+ </rule>
+ <rule action='drop' direction='inout'>
+ <all/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
new file mode 100644
index 0000000..836937f
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6.xml
b/tests/nwfilterxml2firewalldata/tcp-ipv6.xml
new file mode 100644
index 0000000..d4f24f4
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args
b/tests/nwfilterxml2firewalldata/tcp-linux.args
new file mode 100644
index 0000000..c8e351b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags SYN ALL -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags SYN SYN,ACK -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags RST NONE -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags PSH NONE -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/tcp.xml
b/tests/nwfilterxml2firewalldata/tcp.xml
new file mode 100644
index 0000000..14ebd35
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp.xml
@@ -0,0 +1,34 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='false'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='0'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='SYN/ALL'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='SYN/SYN,ACK'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='RST/NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='PSH/'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
new file mode 100644
index 0000000..d9e2060
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::a:b:c/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 \
+-m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6.xml
b/tests/nwfilterxml2firewalldata/udp-ipv6.xml
new file mode 100644
index 0000000..fd4f135
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::a:b:c' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args
b/tests/nwfilterxml2firewalldata/udp-linux.args
new file mode 100644
index 0000000..8638d8d
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udp.xml
b/tests/nwfilterxml2firewalldata/udp.xml
new file mode 100644
index 0000000..359dfa2
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
new file mode 100644
index 0000000..22d37e5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udplite --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6.xml
b/tests/nwfilterxml2firewalldata/udplite-ipv6.xml
new file mode 100644
index 0000000..5b941a2
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args
b/tests/nwfilterxml2firewalldata/udplite-linux.args
new file mode 100644
index 0000000..52ca3df
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udplite --source 10.1.2.3/32 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udplite.xml
b/tests/nwfilterxml2firewalldata/udplite.xml
new file mode 100644
index 0000000..91262fd
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/vlan-linux.args
b/tests/nwfilterxml2firewalldata/vlan-linux.args
new file mode 100644
index 0000000..6f858f1
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/vlan-linux.args
@@ -0,0 +1,14 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 2054 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 4660 -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/vlan.xml
b/tests/nwfilterxml2firewalldata/vlan.xml
new file mode 100644
index 0000000..a5e7b38
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/vlan.xml
@@ -0,0 +1,38 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='continue' direction='inout'>
+ <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ vlanid='0x123'
+ />
+ </rule>
+
+ <rule action='return' direction='inout'>
+ <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ vlanid='1234'
+ />
+ </rule>
+
+ <rule action='reject' direction='in'>
+ <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ vlanid='0x123'
+ />
+ </rule>
+
+ <rule action='drop' direction='out'>
+ <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ encap-protocol='arp'
+ />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ encap-protocol='0x1234'
+ />
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewalltest.c
new file mode 100644
index 0000000..653ac82
--- /dev/null
+++ b/tests/nwfilterxml2firewalltest.c
@@ -0,0 +1,534 @@
+/*
+ * nwfilterxml2firewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>;.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "nwfilter/nwfilter_ebiptables_driver.h"
+# include "virbuffer.h"
+
+# define __VIR_FIREWALL_PRIV_H_ALLOW__
+# include "virfirewallpriv.h"
+
+# define __VIR_COMMAND_PRIV_H_ALLOW__
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+static const char *abs_top_srcdir;
+
+# ifdef __linux__
+# define RULESTYPE "linux"
+# else
+# error "test case not ported to this platform"
+# endif
+
+typedef struct _virNWFilterInst virNWFilterInst;
+typedef virNWFilterInst *virNWFilterInstPtr;
+struct _virNWFilterInst {
+ virNWFilterDefPtr *filters;
+ size_t nfilters;
+ virNWFilterRuleInstPtr *rules;
+ size_t nrules;
+};
+
+/*
+ * Some sets of rules that will be common to all test files,
+ * so we don't bother including them in the test data files
+ * as that would just bloat them
+ */
+
+static const char *commonRules[] = {
+ /* Dropping ebtables rules */
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-P-vnet0\n",
+
+ /* Creating ebtables chains */
+ "/usr/sbin/ebtables -t nat -N libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -N libvirt-P-vnet0\n",
+
+ /* Dropping iptables rules */
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out
vnet0 -g FP-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g
FP-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g
FJ-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HJ-vnet0\n"
+ "/usr/sbin/iptables -F FP-vnet0\n"
+ "/usr/sbin/iptables -X FP-vnet0\n"
+ "/usr/sbin/iptables -F FJ-vnet0\n"
+ "/usr/sbin/iptables -X FJ-vnet0\n"
+ "/usr/sbin/iptables -F HJ-vnet0\n"
+ "/usr/sbin/iptables -X HJ-vnet0\n",
+
+ /* Creating iptables chains */
+ "/usr/sbin/iptables -N libvirt-in\n"
+ "/usr/sbin/iptables -N libvirt-out\n"
+ "/usr/sbin/iptables -N libvirt-in-post\n"
+ "/usr/sbin/iptables -N libvirt-host-in\n"
+ "/usr/sbin/iptables -D FORWARD -j libvirt-in\n"
+ "/usr/sbin/iptables -D FORWARD -j libvirt-out\n"
+ "/usr/sbin/iptables -D FORWARD -j libvirt-in-post\n"
+ "/usr/sbin/iptables -D INPUT -j libvirt-host-in\n"
+ "/usr/sbin/iptables -I FORWARD 1 -j libvirt-in\n"
+ "/usr/sbin/iptables -I FORWARD 2 -j libvirt-out\n"
+ "/usr/sbin/iptables -I FORWARD 3 -j libvirt-in-post\n"
+ "/usr/sbin/iptables -I INPUT 1 -j libvirt-host-in\n"
+ "/usr/sbin/iptables -N FP-vnet0\n"
+ "/usr/sbin/iptables -N FJ-vnet0\n"
+ "/usr/sbin/iptables -N HJ-vnet0\n"
+ "/usr/sbin/iptables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out
vnet0 -g FP-vnet0\n"
+ "/usr/sbin/iptables -A libvirt-in -m physdev --physdev-in vnet0 -g
FJ-vnet0\n"
+ "/usr/sbin/iptables -A libvirt-host-in -m physdev --physdev-in vnet0 -g
HJ-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/iptables -A libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n",
+
+ /* Dropping ip6tables rules */
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g
FP-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g
FJ-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g
HJ-vnet0\n"
+ "/usr/sbin/ip6tables -F FP-vnet0\n"
+ "/usr/sbin/ip6tables -X FP-vnet0\n"
+ "/usr/sbin/ip6tables -F FJ-vnet0\n"
+ "/usr/sbin/ip6tables -X FJ-vnet0\n"
+ "/usr/sbin/ip6tables -F HJ-vnet0\n"
+ "/usr/sbin/ip6tables -X HJ-vnet0\n",
+
+ /* Creating ip6tables chains */
+ "/usr/sbin/ip6tables -N libvirt-in\n"
+ "/usr/sbin/ip6tables -N libvirt-out\n"
+ "/usr/sbin/ip6tables -N libvirt-in-post\n"
+ "/usr/sbin/ip6tables -N libvirt-host-in\n"
+ "/usr/sbin/ip6tables -D FORWARD -j libvirt-in\n"
+ "/usr/sbin/ip6tables -D FORWARD -j libvirt-out\n"
+ "/usr/sbin/ip6tables -D FORWARD -j libvirt-in-post\n"
+ "/usr/sbin/ip6tables -D INPUT -j libvirt-host-in\n"
+ "/usr/sbin/ip6tables -I FORWARD 1 -j libvirt-in\n"
+ "/usr/sbin/ip6tables -I FORWARD 2 -j libvirt-out\n"
+ "/usr/sbin/ip6tables -I FORWARD 3 -j libvirt-in-post\n"
+ "/usr/sbin/ip6tables -I INPUT 1 -j libvirt-host-in\n"
+ "/usr/sbin/ip6tables -N FP-vnet0\n"
+ "/usr/sbin/ip6tables -N FJ-vnet0\n"
+ "/usr/sbin/ip6tables -N HJ-vnet0\n"
+ "/usr/sbin/ip6tables -A libvirt-out -m physdev --physdev-is-bridged
--physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/ip6tables -A libvirt-in -m physdev --physdev-in vnet0 -g
FJ-vnet0\n"
+ "/usr/sbin/ip6tables -A libvirt-host-in -m physdev --physdev-in vnet0 -g
HJ-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n"
+ "/usr/sbin/ip6tables -A libvirt-in-post -m physdev --physdev-in vnet0 -j
ACCEPT\n",
+
+ /* Inserting ebtables rules */
+ "/usr/sbin/ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
+};
+
+
+static virNWFilterHashTablePtr
+virNWFilterCreateVarsFrom(virNWFilterHashTablePtr vars1,
+ virNWFilterHashTablePtr vars2)
+{
+ virNWFilterHashTablePtr res = virNWFilterHashTableCreate(0);
+ if (!res)
+ return NULL;
+
+ if (virNWFilterHashTablePutAll(vars1, res) < 0)
+ goto err_exit;
+
+ if (virNWFilterHashTablePutAll(vars2, res) < 0)
+ goto err_exit;
+
+ return res;
+
+ err_exit:
+ virNWFilterHashTableFree(res);
+ return NULL;
+}
+
+
+static void
+virNWFilterRuleInstFree(virNWFilterRuleInstPtr inst)
+{
+ if (!inst)
+ return;
+
+ virNWFilterHashTableFree(inst->vars);
+ VIR_FREE(inst);
+}
+
+
+static void
+virNWFilterInstReset(virNWFilterInstPtr inst)
+{
+ size_t i;
+
+ for (i = 0; i < inst->nfilters; i++)
+ virNWFilterDefFree(inst->filters[i]);
+ VIR_FREE(inst->filters);
+ inst->nfilters = 0;
+
+ for (i = 0; i < inst->nrules; i++)
+ virNWFilterRuleInstFree(inst->rules[i]);
+ inst->nrules = 0;
+ VIR_FREE(inst->rules);
+}
+
+
+static int
+virNWFilterDefToInst(const char *xml,
+ virNWFilterHashTablePtr vars,
+ virNWFilterInstPtr inst);
+
+static int
+virNWFilterRuleDefToRuleInst(virNWFilterDefPtr def,
+ virNWFilterRuleDefPtr rule,
+ virNWFilterHashTablePtr vars,
+ virNWFilterInstPtr inst)
+{
+ virNWFilterRuleInstPtr ruleinst;
+ int ret = -1;
+
+ if (VIR_ALLOC(ruleinst) < 0)
+ goto cleanup;
+
+ ruleinst->chainSuffix = def->chainsuffix;
+ ruleinst->chainPriority = def->chainPriority;
+ ruleinst->def = rule;
+ ruleinst->priority = rule->priority;
+ if (!(ruleinst->vars = virNWFilterHashTableCreate(0)))
+ goto cleanup;
+ if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0)
+ goto cleanup;
+
+ if (VIR_APPEND_ELEMENT(inst->rules,
+ inst->nrules,
+ ruleinst) < 0)
+ goto cleanup;
+ ruleinst = NULL;
+
+ ret = 0;
+ cleanup:
+ virNWFilterRuleInstFree(ruleinst);
+ return ret;
+}
+
+
+static int
+virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDefPtr inc,
+ virNWFilterHashTablePtr vars,
+ virNWFilterInstPtr inst)
+{
+ virNWFilterHashTablePtr tmpvars = NULL;
+ int ret = -1;
+ char *xml;
+
+ if (virAsprintf(&xml, "%s/nwfilterxml2firewalldata/%s.xml",
+ abs_srcdir, inc->filterref) < 0)
+ return -1;
+
+ /* create a temporary hashmap for depth-first tree traversal */
+ if (!(tmpvars = virNWFilterCreateVarsFrom(inc->params,
+ vars)))
+ goto cleanup;
+
+ if (virNWFilterDefToInst(xml,
+ tmpvars,
+ inst) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ virNWFilterHashTableFree(tmpvars);
+ VIR_FREE(xml);
+ return ret;
+}
+
+static int
+virNWFilterDefToInst(const char *xml,
+ virNWFilterHashTablePtr vars,
+ virNWFilterInstPtr inst)
+{
+ size_t i;
+ int ret = -1;
+ virNWFilterDefPtr def = virNWFilterDefParseFile(xml);
+
+ if (!def)
+ return -1;
+
+ if (VIR_APPEND_ELEMENT_COPY(inst->filters,
+ inst->nfilters,
+ def) < 0) {
+ virNWFilterDefFree(def);
+ goto cleanup;
+ }
+
+ for (i = 0; i < def->nentries; i++) {
+ if (def->filterEntries[i]->rule) {
+ if (virNWFilterRuleDefToRuleInst(def,
+ def->filterEntries[i]->rule,
+ vars,
+ inst) < 0)
+ goto cleanup;
+ } else if (def->filterEntries[i]->include) {
+ if (virNWFilterIncludeDefToRuleInst(def->filterEntries[i]->include,
+ vars,
+ inst) < 0)
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ return ret;
+}
+
+
+static void testRemoveCommonRules(char *rules)
+{
+ size_t i;
+ char *offset = rules;
+
+ for (i = 0; i < ARRAY_CARDINALITY(commonRules); i++) {
+ char *tmp = strstr(offset, commonRules[i]);
+ size_t len = strlen(commonRules[i]);
+ if (tmp) {
+ memmove(tmp, tmp + len, (strlen(tmp) + 1) - len);
+ offset = tmp;
+ }
+ }
+}
+
+
+static int testSetOneParameter(virNWFilterHashTablePtr vars,
+ const char *name,
+ const char *value)
+{
+ int ret = -1;
+ virNWFilterVarValuePtr val;
+
+ if ((val = virHashLookup(vars->hashTable, name)) == NULL) {
+ val = virNWFilterVarValueCreateSimpleCopyValue(value);
+ if (!val)
+ goto cleanup;
+ if (virNWFilterHashTablePut(vars, name, val) < 0) {
+ virNWFilterVarValueFree(val);
+ goto cleanup;
+ }
+ } else {
+ if (virNWFilterVarValueAddValueCopy(val, value) < 0)
+ goto cleanup;
+ }
+ ret = 0;
+ cleanup:
+ return ret;
+}
+
+static int testSetDefaultParameters(virNWFilterHashTablePtr vars)
+{
+ if (testSetOneParameter(vars, "IPSETNAME", "tck_test") < 0 ||
+ testSetOneParameter(vars, "A", "1.1.1.1") ||
+ testSetOneParameter(vars, "A", "2.2.2.2") ||
+ testSetOneParameter(vars, "A", "3.3.3.3") ||
+ testSetOneParameter(vars, "A", "3.3.3.3") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "B", "90") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "C", "1080") ||
+ testSetOneParameter(vars, "C", "1090") ||
+ testSetOneParameter(vars, "C", "1100") ||
+ testSetOneParameter(vars, "C", "1110"))
+ return -1;
+ return 0;
+}
+
+static int testCompareXMLToArgvFiles(const char *xml,
+ const char *cmdline)
+{
+ char *expectargv = NULL;
+ int len;
+ char *actualargv = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ virNWFilterHashTablePtr vars = virNWFilterHashTableCreate(0);
+ virNWFilterInst inst;
+ int ret = -1;
+
+ memset(&inst, 0, sizeof(inst));
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (!vars)
+ goto cleanup;
+
+ if (testSetDefaultParameters(vars) < 0)
+ goto cleanup;
+
+ if (virNWFilterDefToInst(xml,
+ vars,
+ &inst) < 0)
+ goto cleanup;
+
+ if (ebiptables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) <
0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actualargv = virBufferContentAndReset(&buf);
+ virCommandSetDryRun(NULL, NULL, NULL);
+
+ testRemoveCommonRules(actualargv);
+
+ len = virtTestLoadFile(cmdline, &expectargv);
+ if (len < 0)
+ goto cleanup;
+
+ if (STRNEQ(expectargv, actualargv)) {
+ virtTestDifference(stderr, expectargv, actualargv);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ virBufferFreeAndReset(&buf);
+ VIR_FREE(expectargv);
+ VIR_FREE(actualargv);
+ virNWFilterInstReset(&inst);
+ virNWFilterHashTableFree(vars);
+ return ret;
+}
+
+struct testInfo {
+ const char *name;
+};
+
+
+static int
+testCompareXMLToIPTablesHelper(const void *data)
+{
+ int result = -1;
+ const struct testInfo *info = data;
+ char *xml = NULL;
+ char *args = NULL;
+
+ if (virAsprintf(&xml, "%s/nwfilterxml2firewalldata/%s.xml",
+ abs_srcdir, info->name) < 0 ||
+ virAsprintf(&args, "%s/nwfilterxml2firewalldata/%s-%s.args",
+ abs_srcdir, info->name, RULESTYPE) < 0)
+ goto cleanup;
+
+ result = testCompareXMLToArgvFiles(xml, args);
+
+ cleanup:
+ VIR_FREE(xml);
+ VIR_FREE(args);
+ return result;
+}
+
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+ abs_top_srcdir = getenv("abs_top_srcdir");
+ if (!abs_top_srcdir)
+ abs_top_srcdir = abs_srcdir "/..";
+
+# define DO_TEST(name) \
+ do { \
+ static struct testInfo info = { \
+ name, \
+ }; \
+ if (virtTestRun("NWFilter XML-2-firewall " name, \
+ testCompareXMLToIPTablesHelper, &info) < 0) \
+ ret = -1; \
+ } while (0)
+
+ if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+
+ DO_TEST("ah");
+ DO_TEST("ah-ipv6");
+ DO_TEST("all");
+ DO_TEST("all-ipv6");
+ DO_TEST("arp");
+ DO_TEST("comment");
+ DO_TEST("conntrack");
+ DO_TEST("esp");
+ DO_TEST("esp-ipv6");
+ DO_TEST("example-1");
+ DO_TEST("example-2");
+ DO_TEST("hex-data");
+ DO_TEST("icmp-direction2");
+ DO_TEST("icmp-direction3");
+ DO_TEST("icmp-direction");
+ DO_TEST("icmp");
+ DO_TEST("icmpv6");
+ DO_TEST("igmp");
+ DO_TEST("ip");
+ DO_TEST("ipset");
+ DO_TEST("ipt-no-macspoof");
+ DO_TEST("ipv6");
+ DO_TEST("iter1");
+ DO_TEST("iter2");
+ DO_TEST("iter3");
+ DO_TEST("mac");
+ DO_TEST("rarp");
+ DO_TEST("sctp");
+ DO_TEST("sctp-ipv6");
+ DO_TEST("stp");
+ DO_TEST("target2");
+ DO_TEST("target");
+ DO_TEST("tcp");
+ DO_TEST("tcp-ipv6");
+ DO_TEST("udp");
+ DO_TEST("udp-ipv6");
+ DO_TEST("udplite");
+ DO_TEST("udplite-ipv6");
+ DO_TEST("vlan");
+
+ cleanup:
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
+
+#else /* ! defined (__linux__) */
+
+int main(void)
+{
+ return EXIT_AM_SKIP;
+}
+
+#endif /* ! defined (__linux__) */
--
1.9.0
3:16 p.m.
New subject: [libvirt] [PATCH 26/26] Add a test suite for nwfilter ebiptables tech driver
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
Create a nwfilterxml2firewalltest to exercise the
ebiptables_driver.applyNewRules method with a variety of
different XML input files. The XML input files are taken
from the libvirt-tck nwfilter tests. While the nwfilter
tests verify the final state of the iptables chains, this
test verifies the set of commands invoked to create the
chains.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
You are reusing the TCK tests. With TCK tests passing, the created
commands must be correct.
+
+static void
+virNWFilterInstReset(virNWFilterInstPtr inst)
+{
+ size_t i;
+
+ for (i = 0; i < inst->nfilters; i++)
+ virNWFilterDefFree(inst->filters[i]);
+ VIR_FREE(inst->filters);
+ inst->nfilters = 0;
+
+ for (i = 0; i < inst->nrules; i++)
+ virNWFilterRuleInstFree(inst->rules[i]);
+ inst->nrules = 0;
+ VIR_FREE(inst->rules);
+}
The VIR_FREE(inst->rules) could be placed before the inst->nrules = 0 to
match the pattern above :-)
Not even a memory leak...
ACK
3:47 p.m.
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
Currently we have three places which interact with the firewall
- util/virebtables - simple MAC filtering used by QEMU driver
- util/viriptables - used by network driver
- nwfilter - general purpose guest filtering
Oh my, so much work! -- Thanks
I'll review as much as I can.
Regards,
Stefan
3:29 a.m.
On Mon, Apr 14, 2014 at 04:47:50PM -0400, Stefan Berger wrote:
On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>Currently we have three places which interact with the firewall
>
> - util/virebtables - simple MAC filtering used by QEMU driver
> - util/viriptables - used by network driver
> - nwfilter - general purpose guest filtering
Oh my, so much work! -- Thanks
I'll review as much as I can.
Thanks, I appreciate any review you can do particularly of the big
nwfilter patches, since you're main expert in that area.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
6:40 a.m.
On 04/15/2014 04:29 AM, Daniel P. Berrange wrote:
On Mon, Apr 14, 2014 at 04:47:50PM -0400, Stefan Berger wrote:
> On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>> Currently we have three places which interact with the firewall
>>
>> - util/virebtables - simple MAC filtering used by QEMU driver
>> - util/viriptables - used by network driver
>> - nwfilter - general purpose guest filtering
> Oh my, so much work! -- Thanks
>
> I'll review as much as I can.
Thanks, I appreciate any review you can do particularly of the big
nwfilter patches, since you're main expert in that area.
Some of the patches are so involved that besides looking at them I'll
mostly have to rely on the TCK tests to see whether they still pass. The
TCK tests unfortunately also need updating due to recent changes in the
code (elimination of the source MAC tests in recent patches) as well as
different output by the ip6tables command related to IPv6 addresses.
Regards,
Stefan
6:42 a.m.
On Tue, Apr 15, 2014 at 07:40:41AM -0400, Stefan Berger wrote:
On 04/15/2014 04:29 AM, Daniel P. Berrange wrote:
>On Mon, Apr 14, 2014 at 04:47:50PM -0400, Stefan Berger wrote:
>>On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>>>Currently we have three places which interact with the firewall
>>>
>>> - util/virebtables - simple MAC filtering used by QEMU driver
>>> - util/viriptables - used by network driver
>>> - nwfilter - general purpose guest filtering
>>Oh my, so much work! -- Thanks
>>
>>I'll review as much as I can.
>Thanks, I appreciate any review you can do particularly of the big
>nwfilter patches, since you're main expert in that area.
Some of the patches are so involved that besides looking at them
I'll mostly have to rely on the TCK tests to see whether they still
pass. The TCK tests unfortunately also need updating due to recent
changes in the code (elimination of the source MAC tests in recent
patches) as well as different output by the ip6tables command
related to IPv6 addresses.
The TCK tests shouldn't need updating. The current libvirt-tck GIT
master nwfilter tests pass against libvirt GIT master, and also
pass after this patch series is applied (at least on Fedora 20).
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
9:04 a.m.
On 04/15/2014 07:42 AM, Daniel P. Berrange wrote:
On Tue, Apr 15, 2014 at 07:40:41AM -0400, Stefan Berger wrote:
> On 04/15/2014 04:29 AM, Daniel P. Berrange wrote:
>> On Mon, Apr 14, 2014 at 04:47:50PM -0400, Stefan Berger wrote:
>>> On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>>>> Currently we have three places which interact with the firewall
>>>>
>>>> - util/virebtables - simple MAC filtering used by QEMU driver
>>>> - util/viriptables - used by network driver
>>>> - nwfilter - general purpose guest filtering
>>> Oh my, so much work! -- Thanks
>>>
>>> I'll review as much as I can.
>> Thanks, I appreciate any review you can do particularly of the big
>> nwfilter patches, since you're main expert in that area.
> Some of the patches are so involved that besides looking at them
> I'll mostly have to rely on the TCK tests to see whether they still
> pass. The TCK tests unfortunately also need updating due to recent
> changes in the code (elimination of the source MAC tests in recent
> patches) as well as different output by the ip6tables command
> related to IPv6 addresses.
The TCK tests shouldn't need updating. The current libvirt-tck GIT
master nwfilter tests pass against libvirt GIT master, and also
pass after this patch series is applied (at least on Fedora 20).
That's interesting. I am running this on Fedora 18. This patch here
https://www.redhat.com/archives/libvir-list/2014-March/msg00660.html
is necessary on Fedora 18, but not on Fedora 20 I assume. Probably
it was a temporary regression in iptables.
Is this patch series incremental so that the TCK test suite should work
after each one of them? At least for me it passes up to patch 7/26
but then patch 8/26 starts causing ip6tables related problems.
Regards,
Stefan
9:06 a.m.
On Tue, Apr 15, 2014 at 10:04:01AM -0400, Stefan Berger wrote:
On 04/15/2014 07:42 AM, Daniel P. Berrange wrote:
>On Tue, Apr 15, 2014 at 07:40:41AM -0400, Stefan Berger wrote:
>>On 04/15/2014 04:29 AM, Daniel P. Berrange wrote:
>>>On Mon, Apr 14, 2014 at 04:47:50PM -0400, Stefan Berger wrote:
>>>>On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>>>>>Currently we have three places which interact with the firewall
>>>>>
>>>>> - util/virebtables - simple MAC filtering used by QEMU driver
>>>>> - util/viriptables - used by network driver
>>>>> - nwfilter - general purpose guest filtering
>>>>Oh my, so much work! -- Thanks
>>>>
>>>>I'll review as much as I can.
>>>Thanks, I appreciate any review you can do particularly of the big
>>>nwfilter patches, since you're main expert in that area.
>>Some of the patches are so involved that besides looking at them
>>I'll mostly have to rely on the TCK tests to see whether they still
>>pass. The TCK tests unfortunately also need updating due to recent
>>changes in the code (elimination of the source MAC tests in recent
>>patches) as well as different output by the ip6tables command
>>related to IPv6 addresses.
>The TCK tests shouldn't need updating. The current libvirt-tck GIT
>master nwfilter tests pass against libvirt GIT master, and also
>pass after this patch series is applied (at least on Fedora 20).
That's interesting. I am running this on Fedora 18. This patch here
https://www.redhat.com/archives/libvir-list/2014-March/msg00660.html
is necessary on Fedora 18, but not on Fedora 20 I assume. Probably
it was a temporary regression in iptables.
Is this patch series incremental so that the TCK test suite should work
after each one of them? At least for me it passes up to patch 7/26
but then patch 8/26 starts causing ip6tables related problems.
It was intended to be incremental, but I honestly haven't tested the
TCK against the individual patches - only the end result.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
10:40 a.m.
On 04/15/2014 10:06 AM, Daniel P. Berrange wrote:
On Tue, Apr 15, 2014 at 10:04:01AM -0400, Stefan Berger wrote:
> On 04/15/2014 07:42 AM, Daniel P. Berrange wrote:
>> On Tue, Apr 15, 2014 at 07:40:41AM -0400, Stefan Berger wrote:
>>> On 04/15/2014 04:29 AM, Daniel P. Berrange wrote:
>>>> On Mon, Apr 14, 2014 at 04:47:50PM -0400, Stefan Berger wrote:
>>>>> On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>>>>>> Currently we have three places which interact with the firewall
>>>>>>
>>>>>> - util/virebtables - simple MAC filtering used by QEMU driver
>>>>>> - util/viriptables - used by network driver
>>>>>> - nwfilter - general purpose guest filtering
>>>>> Oh my, so much work! -- Thanks
>>>>>
>>>>> I'll review as much as I can.
>>>> Thanks, I appreciate any review you can do particularly of the big
>>>> nwfilter patches, since you're main expert in that area.
>>> Some of the patches are so involved that besides looking at them
>>> I'll mostly have to rely on the TCK tests to see whether they still
>>> pass. The TCK tests unfortunately also need updating due to recent
>>> changes in the code (elimination of the source MAC tests in recent
>>> patches) as well as different output by the ip6tables command
>>> related to IPv6 addresses.
>> The TCK tests shouldn't need updating. The current libvirt-tck GIT
>> master nwfilter tests pass against libvirt GIT master, and also
>> pass after this patch series is applied (at least on Fedora 20).
> That's interesting. I am running this on Fedora 18. This patch here
>
> https://www.redhat.com/archives/libvir-list/2014-March/msg00660.html
>
> is necessary on Fedora 18, but not on Fedora 20 I assume. Probably
> it was a temporary regression in iptables.
>
> Is this patch series incremental so that the TCK test suite should work
> after each one of them? At least for me it passes up to patch 7/26
> but then patch 8/26 starts causing ip6tables related problems.
It was intended to be incremental, but I honestly haven't tested the
TCK against the individual patches - only the end result.
The end result also works for me. Patch 23/26 corrects the ip6tables
problem.
Regards,
Stefan
5:15 p.m.
On 04/15/2014 10:06 AM, Daniel P. Berrange wrote:
On Tue, Apr 15, 2014 at 10:04:01AM -0400, Stefan Berger wrote:
> On 04/15/2014 07:42 AM, Daniel P. Berrange wrote:
>> On Tue, Apr 15, 2014 at 07:40:41AM -0400, Stefan Berger wrote:
>>> On 04/15/2014 04:29 AM, Daniel P. Berrange wrote:
>>>> On Mon, Apr 14, 2014 at 04:47:50PM -0400, Stefan Berger wrote:
>>>>> On 04/08/2014 11:37 AM, Daniel P. Berrange wrote:
>>>>>> Currently we have three places which interact with the firewall
>>>>>>
>>>>>> - util/virebtables - simple MAC filtering used by QEMU driver
>>>>>> - util/viriptables - used by network driver
>>>>>> - nwfilter - general purpose guest filtering
>>>>> Oh my, so much work! -- Thanks
>>>>>
>>>>> I'll review as much as I can.
>>>> Thanks, I appreciate any review you can do particularly of the big
>>>> nwfilter patches, since you're main expert in that area.
>>> Some of the patches are so involved that besides looking at them
>>> I'll mostly have to rely on the TCK tests to see whether they still
>>> pass. The TCK tests unfortunately also need updating due to recent
>>> changes in the code (elimination of the source MAC tests in recent
>>> patches) as well as different output by the ip6tables command
>>> related to IPv6 addresses.
>> The TCK tests shouldn't need updating. The current libvirt-tck GIT
>> master nwfilter tests pass against libvirt GIT master, and also
>> pass after this patch series is applied (at least on Fedora 20).
> That's interesting. I am running this on Fedora 18. This patch here
>
> https://www.redhat.com/archives/libvir-list/2014-March/msg00660.html
>
> is necessary on Fedora 18, but not on Fedora 20 I assume. Probably
> it was a temporary regression in iptables.
>
> Is this patch series incremental so that the TCK test suite should work
> after each one of them? At least for me it passes up to patch 7/26
> but then patch 8/26 starts causing ip6tables related problems.
It was intended to be incremental, but I honestly haven't tested the
TCK against the individual patches - only the end result.
I did some more tests now using iptables directly. From what I can see
it is working as expected. There was a locking problem that I just sent
a patch for. So from my perspective these patches can go in with the
modifications applied to 16/26.
Regards,
Stefan
3853
days inactive
3874
days old
80 comments
7 participants
participants (7)
-
Daniel P. Berrange -
Eric Blake -
Jeff E. Nelson -
John Ferlan -
Ján Tomko -
Pavel Hrdina -
Stefan Berger