for (i = 0; i < data->nchains; i++) {
const char *from;
if (!virHashLookup(chains, data->chains[i].child)) {
- virFirewallAddRule(fw, layer,
- "--table", data->table,
- "--new-chain", data->chains[i].child, NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", data->table,
+ "--new-chain", data->chains[i].child, NULL);
*data->changed = true;
}
from = virHashLookup(links, data->chains[i].child);
if (!from || STRNEQ(from, data->chains[i].parent))
- virFirewallAddRule(fw, layer,
- "--table", data->table,
- "--insert", data->chains[i].parent,
- "--jump", data->chains[i].child, NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", data->table,
+ "--insert", data->chains[i].parent,
+ "--jump", data->chains[i].child, NULL);
}
return 0;
virFirewallStartTransaction(fw, 0);
for (i = 0; i < G_N_ELEMENTS(data); i++)
- virFirewallAddRuleFull(fw, data[i].layer,
- false, iptablesPrivateChainCreate,
- &(data[i]), "--table", data[i].table,
- "--list-rules", NULL);
+ virFirewallAddCmdFull(fw, data[i].layer,
+ false, iptablesPrivateChainCreate,
+ &(data[i]), "--table", data[i].table,
+ "--list-rules", NULL);
if (virFirewallApply(fw) < 0)
return -1;
{
g_autofree char *portstr = g_strdup_printf("%d", port);
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_INPUT_CHAIN,
- "--in-interface", iface,
- "--protocol", tcp ? "tcp" : "udp",
- "--destination-port", portstr,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_INPUT_CHAIN,
+ "--in-interface", iface,
+ "--protocol", tcp ? "tcp" : "udp",
+ "--destination-port", portstr,
+ "--jump", "ACCEPT",
+ NULL);
}
static void
{
g_autofree char *portstr = g_strdup_printf("%d", port);
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_OUTPUT_CHAIN,
- "--out-interface", iface,
- "--protocol", tcp ? "tcp" : "udp",
- "--destination-port", portstr,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_OUTPUT_CHAIN,
+ "--out-interface", iface,
+ "--protocol", tcp ? "tcp" : "udp",
+ "--destination-port", portstr,
+ "--jump", "ACCEPT",
+ NULL);
}
/**
return -1;
if (physdev && physdev[0])
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_FWD_OUT_CHAIN,
- "--source", networkstr,
- "--in-interface", iface,
- "--out-interface", physdev,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
+ "--source", networkstr,
+ "--in-interface", iface,
+ "--out-interface", physdev,
+ "--jump", "ACCEPT",
+ NULL);
else
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_FWD_OUT_CHAIN,
- "--source", networkstr,
- "--in-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
+ "--source", networkstr,
+ "--in-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
return 0;
}
return -1;
if (physdev && physdev[0])
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--destination", networkstr,
- "--in-interface", physdev,
- "--out-interface", iface,
- "--match", "conntrack",
- "--ctstate", "ESTABLISHED,RELATED",
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--destination", networkstr,
+ "--in-interface", physdev,
+ "--out-interface", iface,
+ "--match", "conntrack",
+ "--ctstate", "ESTABLISHED,RELATED",
+ "--jump", "ACCEPT",
+ NULL);
else
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--destination", networkstr,
- "--out-interface", iface,
- "--match", "conntrack",
- "--ctstate", "ESTABLISHED,RELATED",
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--destination", networkstr,
+ "--out-interface", iface,
+ "--match", "conntrack",
+ "--ctstate", "ESTABLISHED,RELATED",
+ "--jump", "ACCEPT",
+ NULL);
return 0;
}
return -1;
if (physdev && physdev[0])
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--destination", networkstr,
- "--in-interface", physdev,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--destination", networkstr,
+ "--in-interface", physdev,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
else
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--destination", networkstr,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--destination", networkstr,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
return 0;
}
const char *iface,
int action)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_FWD_X_CHAIN,
- "--in-interface", iface,
- "--out-interface", iface,
- "--jump", "ACCEPT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_FWD_X_CHAIN,
+ "--in-interface", iface,
+ "--out-interface", iface,
+ "--jump", "ACCEPT",
+ NULL);
}
/**
const char *iface,
int action)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_FWD_OUT_CHAIN,
- "--in-interface", iface,
- "--jump", "REJECT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_FWD_OUT_CHAIN,
+ "--in-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
/**
const char *iface,
int action)
{
- virFirewallAddRule(fw, layer,
- "--table", "filter",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_FWD_IN_CHAIN,
- "--out-interface", iface,
- "--jump", "REJECT",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "filter",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_FWD_IN_CHAIN,
+ "--out-interface", iface,
+ "--jump", "REJECT",
+ NULL);
}
/**
g_autofree char *addrEndStr = NULL;
g_autofree char *portRangeStr = NULL;
g_autofree char *natRangeStr = NULL;
- virFirewallRule *rule;
+ virFirewallCmd *fwCmd;
int af = VIR_SOCKET_ADDR_FAMILY(netaddr);
virFirewallLayer layer = af == AF_INET ?
VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
}
if (protocol && protocol[0]) {
- rule = virFirewallAddRule(fw, layer,
+ fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
"!", "--destination", networkstr,
NULL);
} else {
- rule = virFirewallAddRule(fw, layer,
+ fwCmd = virFirewallAddCmd(fw, layer,
"--table", "nat",
action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
}
if (physdev && physdev[0])
- virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd, "--out-interface", physdev, NULL);
if (protocol && protocol[0]) {
if (port->start == 0 && port->end == 0) {
portRangeStr ? portRangeStr : "");
}
- virFirewallRuleAddArgList(fw, rule,
- "--jump", "SNAT",
- "--to-source", natRangeStr, NULL);
+ virFirewallCmdAddArgList(fw, fwCmd,
+ "--jump", "SNAT",
+ "--to-source", natRangeStr, NULL);
} else {
- virFirewallRuleAddArgList(fw, rule,
- "--jump", "MASQUERADE", NULL);
+ virFirewallCmdAddArgList(fw, fwCmd,
+ "--jump", "MASQUERADE", NULL);
if (portRangeStr && portRangeStr[0])
- virFirewallRuleAddArgList(fw, rule,
- "--to-ports", &portRangeStr[1], NULL);
+ virFirewallCmdAddArgList(fw, fwCmd,
+ "--to-ports", &portRangeStr[1], NULL);
}
return 0;
return -1;
if (physdev && physdev[0])
- virFirewallAddRule(fw, layer,
- "--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
- "--out-interface", physdev,
- "--source", networkstr,
- "--destination", destaddr,
- "--jump", "RETURN",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "nat",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
+ "--out-interface", physdev,
+ "--source", networkstr,
+ "--destination", destaddr,
+ "--jump", "RETURN",
+ NULL);
else
- virFirewallAddRule(fw, layer,
- "--table", "nat",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
- "--source", networkstr,
- "--destination", destaddr,
- "--jump", "RETURN",
- NULL);
+ virFirewallAddCmd(fw, layer,
+ "--table", "nat",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
+ "--source", networkstr,
+ "--destination", destaddr,
+ "--jump", "RETURN",
+ NULL);
return 0;
}
{
g_autofree char *portstr = g_strdup_printf("%d", port);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "--table", "mangle",
- action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
- VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
- "--out-interface", iface,
- "--protocol", "udp",
- "--destination-port", portstr,
- "--jump", "CHECKSUM", "--checksum-fill",
- NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "--table", "mangle",
+ action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+ VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
+ "--out-interface", iface,
+ "--protocol", "udp",
+ "--destination-port", portstr,
+ "--jump", "CHECKSUM", "--checksum-fill",
+ NULL);
}
/**
static int
ebtablesHandleEthHdr(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
ethHdrDataDef *ethHdr,
bool reverse)
ðHdr->dataSrcMACAddr) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- reverse ? "-d" : "-s",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ reverse ? "-d" : "-s",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(ðHdr->dataSrcMACAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACMask)) {
if (printDataType(vars,
ðHdr->dataSrcMACMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", macaddr, macmask);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", macaddr, macmask);
} else {
- virFirewallRuleAddArg(fw, fwrule, macaddr);
+ virFirewallCmdAddArg(fw, fwrule, macaddr);
}
}
ðHdr->dataDstMACAddr) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- reverse ? "-s" : "-d",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ reverse ? "-s" : "-d",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(ðHdr->dataDstMACAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(ðHdr->dataDstMACMask)) {
if (printDataType(vars,
ðHdr->dataDstMACMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", macaddr, macmask);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", macaddr, macmask);
} else {
- virFirewallRuleAddArg(fw, fwrule, macaddr);
+ virFirewallCmdAddArg(fw, fwrule, macaddr);
}
}
iptablesCreateBaseChainsFW(virFirewall *fw,
virFirewallLayer layer)
{
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-N", VIRT_IN_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-N", VIRT_OUT_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-N", VIRT_IN_POST_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-N", HOST_IN_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL);
- virFirewallAddRule(fw, layer,
- "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL);
- virFirewallAddRule(fw, layer,
- "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL);
- virFirewallAddRule(fw, layer,
- "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL);
- virFirewallAddRule(fw, layer,
- "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-N", VIRT_IN_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-N", VIRT_OUT_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-N", VIRT_IN_POST_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-N", HOST_IN_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL);
}
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, layer,
- "-N", chain, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-N", chain, NULL);
}
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-F", chain, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-X", chain, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-F", chain, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-X", chain, NULL);
}
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
if (incoming)
- virFirewallAddRule(fw, layer,
- "-A", basechain,
- MATCH_PHYSDEV_IN_FW,
- ifname,
- "-g", chain, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-A", basechain,
+ MATCH_PHYSDEV_IN_FW,
+ ifname,
+ "-g", chain, NULL);
else
- virFirewallAddRule(fw, layer,
- "-A", basechain,
- MATCH_PHYSDEV_OUT_FW,
- ifname,
- "-g", chain, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-A", basechain,
+ MATCH_PHYSDEV_OUT_FW,
+ ifname,
+ "-g", chain, NULL);
}
virFirewallLayer layer G_GNUC_UNUSED,
const char *ifname G_GNUC_UNUSED)
{
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", VIRT_IN_POST_CHAIN,
- MATCH_PHYSDEV_IN_FW,
- ifname, "-j", "ACCEPT", NULL);
- virFirewallAddRule(fw, layer,
- "-A", VIRT_IN_POST_CHAIN,
- MATCH_PHYSDEV_IN_FW,
- ifname, "-j", "ACCEPT", NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, layer,
+ "-A", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
}
virFirewallLayer layer,
const char *ifname)
{
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", VIRT_IN_POST_CHAIN,
- MATCH_PHYSDEV_IN_FW,
- ifname, "-j", "ACCEPT", NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", VIRT_IN_POST_CHAIN,
+ MATCH_PHYSDEV_IN_FW,
+ ifname, "-j", "ACCEPT", NULL);
}
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
if (incoming)
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", basechain,
- MATCH_PHYSDEV_IN_FW, ifname,
- "-g", chain,
- NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_IN_FW, ifname,
+ "-g", chain,
+ NULL);
else
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", basechain,
- MATCH_PHYSDEV_OUT_FW, ifname,
- "-g", chain,
- NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_FW, ifname,
+ "-g", chain,
+ NULL);
/*
* Previous versions of libvirt may have created a rule
* as well.
*/
if (!incoming)
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-D", basechain,
- MATCH_PHYSDEV_OUT_OLD_FW, ifname,
- "-g", chain,
- NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-D", basechain,
+ MATCH_PHYSDEV_OUT_OLD_FW, ifname,
+ "-g", chain,
+ NULL);
}
PRINT_IPT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname);
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, layer,
- "-E", tmpchain, chain, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-E", tmpchain, chain, NULL);
}
static int
iptablesHandleSrcMacAddr(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
nwItemDesc *srcMacAddr,
bool directionIn,
srcMacAddr) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "mac",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "mac",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(srcMacAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgList(fw, fwrule,
- "--mac-source",
- macaddr,
- NULL);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgList(fw, fwrule,
+ "--mac-source",
+ macaddr,
+ NULL);
}
return 0;
static int
iptablesHandleIPHdr(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
ipHdrDataDef *ipHdr,
bool directionIn,
return -1;
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, src);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, src);
if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPMask)) {
&ipHdr->dataSrcIPMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
} else if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPFrom)) {
if (printDataType(vars,
&ipHdr->dataSrcIPFrom) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "iprange",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "iprange",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPFrom))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, srcrange);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, srcrange);
if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPTo)) {
&ipHdr->dataSrcIPTo) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s-%s", ipaddr, ipaddralt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s-%s", ipaddr, ipaddralt);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
}
return -1;
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, dst);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, dst);
if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPMask)) {
if (printDataType(vars,
&ipHdr->dataDstIPMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
} else if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPFrom)) {
if (printDataType(vars,
&ipHdr->dataDstIPFrom) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "iprange",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "iprange",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPFrom))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, dstrange);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, dstrange);
if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPTo)) {
if (printDataType(vars,
&ipHdr->dataDstIPTo) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s-%s", ipaddr, ipaddralt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s-%s", ipaddr, ipaddralt);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
}
&ipHdr->dataDSCP) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "dscp",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "dscp",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDSCP))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgList(fw, fwrule,
- "--dscp", number,
- NULL);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgList(fw, fwrule,
+ "--dscp", number,
+ NULL);
}
if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) {
static int
iptablesHandleIPHdrAfterStateMatch(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
ipHdrDataDef *ipHdr,
bool directionIn)
&ipHdr->dataIPSet) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "set",
- "--match-set", str,
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "set",
+ "--match-set", str,
+ NULL);
if (printDataTypeDirection(vars,
str, sizeof(str),
&ipHdr->dataIPSetFlags, directionIn) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, str);
+ virFirewallCmdAddArg(fw, fwrule, str);
}
if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) {
/* place connlimit after potential -m state --state ...
since this is the most useful order */
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "connlimit",
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "connlimit",
+ NULL);
if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataConnlimitAbove))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgList(fw, fwrule,
- "--connlimit-above", number,
- NULL);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgList(fw, fwrule,
+ "--connlimit-above", number,
+ NULL);
}
}
if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
/* keep comments behind everything else -- they are packet eval.
no-ops */
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "comment",
- "--comment", ipHdr->dataComment.u.string,
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "comment",
+ "--comment", ipHdr->dataComment.u.string,
+ NULL);
}
return 0;
static int
iptablesHandlePortData(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
virNWFilterVarCombIter *vars,
portDataDef *portData,
bool directionIn)
return -1;
if (ENTRY_WANT_NEG_SIGN(&portData->dataSrcPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, sport);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, sport);
if (HAS_ENTRY_ITEM(&portData->dataSrcPortEnd)) {
if (printDataType(vars,
&portData->dataSrcPortEnd) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", portstr, portstralt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", portstr, portstralt);
} else {
- virFirewallRuleAddArg(fw, fwrule, portstr);
+ virFirewallCmdAddArg(fw, fwrule, portstr);
}
}
return -1;
if (ENTRY_WANT_NEG_SIGN(&portData->dataDstPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, dport);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, dport);
if (HAS_ENTRY_ITEM(&portData->dataDstPortEnd)) {
if (printDataType(vars,
&portData->dataDstPortEnd) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", portstr, portstralt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", portstr, portstralt);
} else {
- virFirewallRuleAddArg(fw, fwrule, portstr);
+ virFirewallCmdAddArg(fw, fwrule, portstr);
}
}
static void
iptablesEnforceDirection(virFirewall *fw,
- virFirewallRule *fwrule,
+ virFirewallCmd *fwrule,
bool directionIn,
virNWFilterRuleDef *rule)
{
if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT)
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "conntrack",
- "--ctdir",
- (directionIn ?
- "Reply" :
- "Original"),
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "conntrack",
+ "--ctdir",
+ (directionIn ?
+ "Reply" :
+ "Original"),
+ NULL);
}
bool skipRule = false;
bool skipMatch = false;
bool hasICMPType = false;
- virFirewallRule *fwrule;
+ virFirewallCmd *fwrule;
size_t fwruleargs;
PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
switch ((int)rule->prtclType) {
case VIR_NWFILTER_RULE_PROTOCOL_TCP:
case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "tcp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "tcp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
g_autofree char *mask = NULL;
g_autofree char *flags = NULL;
if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPFlags))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, "--tcp-flags");
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "--tcp-flags");
if (!(mask = virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mask)))
return -1;
- virFirewallRuleAddArg(fw, fwrule, mask);
+ virFirewallCmdAddArg(fw, fwrule, mask);
if (!(flags = virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.flags)))
return -1;
- virFirewallRuleAddArg(fw, fwrule, flags);
+ virFirewallCmdAddArg(fw, fwrule, flags);
}
if (iptablesHandlePortData(fw, fwrule,
return -1;
if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgList(fw, fwrule,
- "--tcp-option", number, NULL);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgList(fw, fwrule,
+ "--tcp-option", number, NULL);
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_UDP:
case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "udp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "udp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "udplite",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "udplite",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
case VIR_NWFILTER_RULE_PROTOCOL_ESP:
case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "esp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "esp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
case VIR_NWFILTER_RULE_PROTOCOL_AH:
case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "ah",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "ah",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "sctp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "sctp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ NULL);
if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "icmp", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "icmp", NULL);
else
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "icmpv6", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "icmpv6", NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
hasICMPType = true;
if (maySkipICMP) {
- virFirewallRemoveRule(fw, fwrule);
+ virFirewallRemoveCmd(fw, fwrule);
return 0;
}
return -1;
if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, parm);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, parm);
if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPCode)) {
if (printDataType(vars,
&rule->p.icmpHdrFilter.dataICMPCode) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "igmp",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "igmp",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
case VIR_NWFILTER_RULE_PROTOCOL_ALL:
case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
- fwrule = virFirewallAddRule(fw, layer,
- "-A", chain,
- "-p", "all",
- NULL);
+ fwrule = virFirewallAddCmd(fw, layer,
+ "-A", chain,
+ "-p", "all",
+ NULL);
- fwruleargs = virFirewallRuleGetArgCount(fwrule);
+ fwruleargs = virFirewallCmdGetArgCount(fwrule);
if (iptablesHandleSrcMacAddr(fw, fwrule,
vars,
}
if ((srcMacSkipped &&
- fwruleargs == virFirewallRuleGetArgCount(fwrule)) ||
+ fwruleargs == virFirewallCmdGetArgCount(fwrule)) ||
skipRule) {
- virFirewallRemoveRule(fw, fwrule);
+ virFirewallRemoveCmd(fw, fwrule);
return 0;
}
}
if (match && !skipMatch) {
- virFirewallRuleAddArgList(fw, fwrule,
- "-m", "conntrack",
- "--ctstate", match,
- NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-m", "conntrack",
+ "--ctstate", match,
+ NULL);
}
if (defMatch && match != NULL && !skipMatch && !hasICMPType)
directionIn) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-j", target, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-j", target, NULL);
return 0;
}
char chain[MAX_CHAINNAME_LENGTH];
const char *target;
bool hasMask = false;
- virFirewallRule *fwrule;
+ virFirewallCmd *fwrule;
if (STREQ(chainSuffix,
virNWFilterChainSuffixTypeToString(
field, sizeof(field), \
&rule->p.STRUCT.ITEM) < 0) \
return -1; \
- virFirewallRuleAddArg(fw, fwrule, CLI); \
+ virFirewallCmdAddArg(fw, fwrule, CLI); \
if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \
- virFirewallRuleAddArg(fw, fwrule, "!"); \
- virFirewallRuleAddArg(fw, fwrule, field); \
+ virFirewallCmdAddArg(fw, fwrule, "!"); \
+ virFirewallCmdAddArg(fw, fwrule, field); \
}
#define INST_ITEM_2PARMS(STRUCT, ITEM, ITEM_HI, CLI, SEP) \
field, sizeof(field), \
&rule->p.STRUCT.ITEM) < 0) \
return -1; \
- virFirewallRuleAddArg(fw, fwrule, CLI); \
+ virFirewallCmdAddArg(fw, fwrule, CLI); \
if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \
- virFirewallRuleAddArg(fw, fwrule, "!"); \
+ virFirewallCmdAddArg(fw, fwrule, "!"); \
if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \
if (printDataType(vars, \
fieldalt, sizeof(fieldalt), \
&rule->p.STRUCT.ITEM_HI) < 0) \
return -1; \
- virFirewallRuleAddArgFormat(fw, fwrule, \
- "%s%s%s", field, SEP, fieldalt); \
+ virFirewallCmdAddArgFormat(fw, fwrule, \
+ "%s%s%s", field, SEP, fieldalt); \
} else { \
- virFirewallRuleAddArg(fw, fwrule, field); \
+ virFirewallCmdAddArg(fw, fwrule, field); \
} \
}
#define INST_ITEM_RANGE(S, I, I_HI, C) \
switch ((int)rule->prtclType) {
case VIR_NWFILTER_RULE_PROTOCOL_MAC:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat",
- "-A", chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat",
+ "-A", chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
number, sizeof(number),
&rule->p.ethHdrFilter.dataProtocolID) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "-p");
+ virFirewallCmdAddArg(fw, fwrule, "-p");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ethHdrFilter.dataProtocolID))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_VLAN:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
reverse) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "0x8100", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "0x8100", NULL);
INST_ITEM(vlanHdrFilter, dataVlanID, "--vlan-id")
INST_ITEM(vlanHdrFilter, dataVlanEncap, "--vlan-encap")
return -1;
}
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
reverse) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-d", NWFILTER_MAC_BGA, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-d", NWFILTER_MAC_BGA, NULL);
INST_ITEM(stpHdrFilter, dataType, "--stp-type")
INST_ITEM(stpHdrFilter, dataFlags, "--stp-flags")
case VIR_NWFILTER_RULE_PROTOCOL_ARP:
case VIR_NWFILTER_RULE_PROTOCOL_RARP:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
reverse) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "-p");
- virFirewallRuleAddArgFormat(fw, fwrule, "0x%x",
- (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP)
- ? l3_protocols[L3_PROTO_ARP_IDX].attr
- : l3_protocols[L3_PROTO_RARP_IDX].attr);
+ virFirewallCmdAddArg(fw, fwrule, "-p");
+ virFirewallCmdAddArgFormat(fw, fwrule, "0x%x",
+ (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP)
+ ? l3_protocols[L3_PROTO_ARP_IDX].attr
+ : l3_protocols[L3_PROTO_RARP_IDX].attr);
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.arpHdrFilter.dataHWType) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--arp-htype");
+ virFirewallCmdAddArg(fw, fwrule, "--arp-htype");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataHWType))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataOpcode)) {
number, sizeof(number),
&rule->p.arpHdrFilter.dataOpcode) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--arp-opcode");
+ virFirewallCmdAddArg(fw, fwrule, "--arp-opcode");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataOpcode))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataProtocolType)) {
number, sizeof(number),
&rule->p.arpHdrFilter.dataProtocolType) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--arp-ptype");
+ virFirewallCmdAddArg(fw, fwrule, "--arp-ptype");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataProtocolType))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) {
hasMask = true;
}
- virFirewallRuleAddArg(fw, fwrule,
+ virFirewallCmdAddArg(fw, fwrule,
reverse ? "--arp-ip-dst" : "--arp-ip-src");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, hasMask ? ipmask : "32");
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, hasMask ? ipmask : "32");
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
hasMask = true;
}
- virFirewallRuleAddArg(fw, fwrule,
+ virFirewallCmdAddArg(fw, fwrule,
reverse ? "--arp-ip-src" : "--arp-ip-dst");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, hasMask ? ipmask : "32");
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, hasMask ? ipmask : "32");
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
&rule->p.arpHdrFilter.dataARPSrcMACAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--arp-mac-dst" : "--arp-mac-src");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--arp-mac-dst" : "--arp-mac-src");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcMACAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, macaddr);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, macaddr);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstMACAddr)) {
&rule->p.arpHdrFilter.dataARPDstMACAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--arp-mac-src" : "--arp-mac-dst");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--arp-mac-src" : "--arp-mac-dst");
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, macaddr);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, macaddr);
}
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) &&
rule->p.arpHdrFilter.dataGratuitousARP.u.boolean) {
if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousARP))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, "--arp-gratuitous");
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "--arp-gratuitous");
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_IP:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
reverse) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "ipv4", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "ipv4", NULL);
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) {
if (printDataType(vars,
&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip-destination" : "--ip-source");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip-destination" : "--ip-source");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
}
&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip-source" : "--ip-destination");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip-source" : "--ip-destination");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPMask)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipHdrFilter.ipHdr.dataDstIPMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipaddr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipaddr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipaddr);
+ virFirewallCmdAddArg(fw, fwrule, ipaddr);
}
}
&rule->p.ipHdrFilter.ipHdr.dataProtocolID) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--ip-protocol");
+ virFirewallCmdAddArg(fw, fwrule, "--ip-protocol");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataProtocolID))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortStart)) {
&rule->p.ipHdrFilter.portData.dataSrcPortStart) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip-destination-port" : "--ip-source-port");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip-destination-port" : "--ip-source-port");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataSrcPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortEnd)) {
if (printDataType(vars,
&rule->p.ipHdrFilter.portData.dataSrcPortEnd) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
&rule->p.ipHdrFilter.portData.dataDstPortStart) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip-source-port" : "--ip-destination-port");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip-source-port" : "--ip-destination-port");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataDstPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataDstPortEnd)) {
if (printDataType(vars,
&rule->p.ipHdrFilter.portData.dataDstPortEnd) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
&rule->p.ipHdrFilter.ipHdr.dataDSCP) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--ip-tos");
+ virFirewallCmdAddArg(fw, fwrule, "--ip-tos");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDSCP))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_IPV6:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain, NULL);
if (ebtablesHandleEthHdr(fw, fwrule,
vars,
reverse) < 0)
return -1;
- virFirewallRuleAddArgList(fw, fwrule,
- "-p", "ipv6", NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-p", "ipv6", NULL);
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) {
if (printDataType(vars,
&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip6-destination" : "--ip6-source");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip6-destination" : "--ip6-source");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipv6addr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipv6addr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipv6addr);
+ virFirewallCmdAddArg(fw, fwrule, ipv6addr);
}
}
&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip6-source" : "--ip6-destination");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip6-source" : "--ip6-destination");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)) {
if (printDataType(vars,
number, sizeof(number),
&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s/%s", ipv6addr, number);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s/%s", ipv6addr, number);
} else {
- virFirewallRuleAddArg(fw, fwrule, ipv6addr);
+ virFirewallCmdAddArg(fw, fwrule, ipv6addr);
}
}
&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule, "--ip6-protocol");
+ virFirewallCmdAddArg(fw, fwrule, "--ip6-protocol");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID))
- virFirewallRuleAddArg(fw, fwrule, "!");
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, number);
}
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart)) {
&rule->p.ipv6HdrFilter.portData.dataSrcPortStart) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip6-destination-port" : "--ip6-source-port");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip6-destination-port" : "--ip6-source-port");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)) {
if (printDataType(vars,
&rule->p.ipv6HdrFilter.portData.dataSrcPortEnd) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
&rule->p.ipv6HdrFilter.portData.dataDstPortStart) < 0)
return -1;
- virFirewallRuleAddArg(fw, fwrule,
- reverse ? "--ip6-source-port" : "--ip6-destination-port");
+ virFirewallCmdAddArg(fw, fwrule,
+ reverse ? "--ip6-source-port" : "--ip6-destination-port");
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataDstPortStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataDstPortEnd)) {
if (printDataType(vars,
&rule->p.ipv6HdrFilter.portData.dataDstPortEnd) < 0)
return -1;
- virFirewallRuleAddArgFormat(fw, fwrule,
- "%s:%s", number, numberalt);
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "%s:%s", number, numberalt);
} else {
- virFirewallRuleAddArg(fw, fwrule, number);
+ virFirewallCmdAddArg(fw, fwrule, number);
}
}
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
g_autofree char *r = NULL;
- virFirewallRuleAddArg(fw, fwrule,
- "--ip6-icmp-type");
+ virFirewallCmdAddArg(fw, fwrule,
+ "--ip6-icmp-type");
if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) {
if (printDataType(vars,
virBufferStrcat(&buf, numberalt, NULL);
if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeStart))
- virFirewallRuleAddArg(fw, fwrule, "!");
+ virFirewallCmdAddArg(fw, fwrule, "!");
r = virBufferContentAndReset(&buf);
- virFirewallRuleAddArg(fw, fwrule, r);
+ virFirewallCmdAddArg(fw, fwrule, r);
}
break;
case VIR_NWFILTER_RULE_PROTOCOL_NONE:
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain, NULL);
break;
default:
target = virNWFilterJumpTargetTypeToString(rule->action);
}
- virFirewallRuleAddArgList(fw, fwrule,
- "-j", target, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-j", target, NULL);
#undef INST_ITEM_RANGE
#undef INST_ITEM_MASK
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-N", chain, NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-N", chain, NULL);
}
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A",
- incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
- incoming ? "-i" : "-o",
- ifname, "-j", chain, NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A",
+ incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+ incoming ? "-i" : "-o",
+ ifname, "-j", chain, NULL);
}
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-F", chain, NULL);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-X", chain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-F", chain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-X", chain, NULL);
}
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-D",
- incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
- incoming ? "-i" : "-o",
- ifname, "-j", chain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-D",
+ incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+ incoming ? "-i" : "-o",
+ ifname, "-j", chain, NULL);
}
char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
char chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
: CHAINPREFIX_HOST_OUT_TEMP;
- virFirewallRule *fwrule;
+ virFirewallCmd *fwrule;
PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
PRINT_CHAIN(chain, chainPrefix, ifname,
(filtername) ? filtername : l3_protocols[protoidx].val);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-F", chain, NULL);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- true, NULL, NULL,
- "-t", "nat", "-X", chain, NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-N", chain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-F", chain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ true, NULL, NULL,
+ "-t", "nat", "-X", chain, NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-N", chain, NULL);
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", rootchain, NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", rootchain, NULL);
switch ((int)protoidx) {
case L2_PROTO_MAC_IDX:
break;
case L2_PROTO_STP_IDX:
- virFirewallRuleAddArgList(fw, fwrule,
- "-d", NWFILTER_MAC_BGA, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-d", NWFILTER_MAC_BGA, NULL);
break;
default:
- virFirewallRuleAddArg(fw, fwrule, "-p");
- virFirewallRuleAddArgFormat(fw, fwrule,
- "0x%04x",
- l3_protocols[protoidx].attr);
+ virFirewallCmdAddArg(fw, fwrule, "-p");
+ virFirewallCmdAddArgFormat(fw, fwrule,
+ "0x%04x",
+ l3_protocols[protoidx].attr);
break;
}
- virFirewallRuleAddArgList(fw, fwrule,
- "-j", chain, NULL);
+ virFirewallCmdAddArgList(fw, fwrule,
+ "-j", chain, NULL);
}
if (tmp[0] == chainprefixes[j] &&
tmp[1] == '-') {
VIR_DEBUG("Processing chain '%s'", tmp);
- virFirewallAddRuleFull(fw, layer,
- false, ebtablesRemoveSubChainsQuery,
- (void *)chainprefixes,
- "-t", "nat", "-L", tmp, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-t", "nat", "-F", tmp, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-t", "nat", "-X", tmp, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chainprefixes,
+ "-t", "nat", "-L", tmp, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-t", "nat", "-F", tmp, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-t", "nat", "-X", tmp, NULL);
}
}
}
for (i = 0; chainprefixes[i] != 0; i++) {
PRINT_ROOT_CHAIN(rootchain, chainprefixes[i], ifname);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- false, ebtablesRemoveSubChainsQuery,
- (void *)chainprefixes,
- "-t", "nat", "-L", rootchain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chainprefixes,
+ "-t", "nat", "-L", rootchain, NULL);
}
}
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
}
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-E", tmpchain, chain, NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-E", tmpchain, chain, NULL);
}
static void
else
newchain[0] = CHAINPREFIX_HOST_OUT;
VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain);
- virFirewallAddRuleFull(fw, layer,
- false, ebtablesRenameTmpSubAndRootChainsQuery,
- NULL,
- "-t", "nat", "-L", tmp, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-t", "nat", "-F", newchain, NULL);
- virFirewallAddRuleFull(fw, layer,
- true, NULL, NULL,
- "-t", "nat", "-X", newchain, NULL);
- virFirewallAddRule(fw, layer,
- "-t", "nat", "-E", tmp, newchain, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ false, ebtablesRenameTmpSubAndRootChainsQuery,
+ NULL,
+ "-t", "nat", "-L", tmp, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-t", "nat", "-F", newchain, NULL);
+ virFirewallAddCmdFull(fw, layer,
+ true, NULL, NULL,
+ "-t", "nat", "-X", newchain, NULL);
+ virFirewallAddCmd(fw, layer,
+ "-t", "nat", "-E", tmp, newchain, NULL);
}
return 0;
};
for (i = 0; chains[i] != 0; i++) {
PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
- false, ebtablesRenameTmpSubAndRootChainsQuery,
- NULL,
- "-t", "nat", "-L", rootchain, NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRenameTmpSubAndRootChainsQuery,
+ NULL,
+ "-t", "nat", "-L", rootchain, NULL);
}
ebtablesRenameTmpRootChainFW(fw, true, ifname);
ebtablesCreateTmpRootChainFW(fw, true, ifname);
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain,
- "-s", "!", macaddr_str,
- "-j", "DROP", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain,
- "-p", "IPv4",
- "-j", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain,
- "-p", "ARP",
- "-j", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-s", "!", macaddr_str,
+ "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-p", "IPv4",
+ "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-p", "ARP",
+ "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain,
+ "-j", "DROP", NULL);
ebtablesLinkTmpRootChainFW(fw, true, ifname);
ebtablesRenameTmpRootChainFW(fw, true, ifname);
PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname);
PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_in,
- "-s", macaddr_str,
- "-p", "ipv4", "--ip-protocol", "udp",
- "--ip-sport", "68", "--ip-dport", "67",
- "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_in,
+ "-s", macaddr_str,
+ "-p", "ipv4", "--ip-protocol", "udp",
+ "--ip-sport", "68", "--ip-dport", "67",
+ "-j", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_in,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_in,
+ "-j", "DROP", NULL);
num_dhcpsrvrs = (dhcpsrvrs != NULL)
? virNWFilterVarValueGetCardinality(dhcpsrvrs)
*/
for (ctr = 0; ctr < 2; ctr++) {
if (dhcpserver)
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_out,
- "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff",
- "-p", "ipv4", "--ip-protocol", "udp",
- "--ip-src", dhcpserver,
- "--ip-sport", "67", "--ip-dport", "68",
- "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_out,
+ "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff",
+ "-p", "ipv4", "--ip-protocol", "udp",
+ "--ip-src", dhcpserver,
+ "--ip-sport", "67", "--ip-dport", "68",
+ "-j", "ACCEPT", NULL);
else
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_out,
- "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff",
- "-p", "ipv4", "--ip-protocol", "udp",
- "--ip-sport", "67", "--ip-dport", "68",
- "-j", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_out,
+ "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff",
+ "-p", "ipv4", "--ip-protocol", "udp",
+ "--ip-sport", "67", "--ip-dport", "68",
+ "-j", "ACCEPT", NULL);
}
idx++;
break;
}
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_out,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_out,
+ "-j", "DROP", NULL);
ebtablesLinkTmpRootChainFW(fw, true, ifname);
ebtablesLinkTmpRootChainFW(fw, false, ifname);
PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname);
PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_in,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_in,
+ "-j", "DROP", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
- "-t", "nat", "-A", chain_out,
- "-j", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-A", chain_out,
+ "-j", "DROP", NULL);
ebtablesLinkTmpRootChainFW(fw, true, ifname);
ebtablesLinkTmpRootChainFW(fw, false, ifname);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
return -1;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n";
- virFirewallRule *fwrule;
+ virFirewallCmd *fwrule;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT", NULL);
- virFirewallRuleAddArg(fw, fwrule, "--source");
- virFirewallRemoveRule(fw, fwrule);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT", NULL);
+ virFirewallCmdAddArg(fw, fwrule, "--source");
+ virFirewallRemoveCmd(fw, fwrule);
- fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT", NULL);
- virFirewallRuleAddArg(fw, fwrule, "--source");
- virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
- virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
+ fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT", NULL);
+ virFirewallCmdAddArg(fw, fwrule, "--source");
+ virFirewallCmdAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
+ virFirewallCmdAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
return -1;
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--jump", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--jump", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
- true, NULL, NULL,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ true, NULL, NULL,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "OUTPUT",
- "--jump", "DROP", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "OUTPUT",
+ "--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.127",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.127",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.127",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.127",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "192.168.122.255",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "192.168.122.255",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-D", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-D", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
void *opaque G_GNUC_UNUSED)
{
size_t i;
- virFirewallAddRule(fw, layer,
- "-A", "INPUT",
- "--source", "!192.168.122.129",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, layer,
+ "-A", "INPUT",
+ "--source", "!192.168.122.129",
+ "--jump", "REJECT", NULL);
for (i = 0; lines[i] != NULL; i++) {
if (expectedLineNum >= G_N_ELEMENTS(expectedLines)) {
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.1",
- "--jump", "ACCEPT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.1",
+ "--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.127",
- "--jump", "REJECT", NULL);
-
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
- false,
- testFirewallQueryCallback,
- NULL,
- "-L", NULL);
- virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
- false,
- testFirewallQueryCallback,
- NULL,
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.127",
+ "--jump", "REJECT", NULL);
+
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false,
+ testFirewallQueryCallback,
+ NULL,
+ "-L", NULL);
+ virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
+ false,
+ testFirewallQueryCallback,
+ NULL,
"-t", "nat", "-L", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.130",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.130",
+ "--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "192.168.122.128",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "192.168.122.128",
+ "--jump", "REJECT", NULL);
- virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
- "-A", "INPUT",
- "--source", "!192.168.122.1",
- "--jump", "REJECT", NULL);
+ virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+ "-A", "INPUT",
+ "--source", "!192.168.122.1",
+ "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
return -1;
projects / libvirt.git / commitdiff