util: refactor iptables APIs to share more code
authorDaniel P. Berrangé <berrange@redhat.com>
Wed, 31 Oct 2018 18:51:34 +0000 (18:51 +0000)
committerDaniel P. Berrangé <berrange@redhat.com>
Fri, 7 Dec 2018 15:45:51 +0000 (15:45 +0000)
Most of the iptables APIs share code for the add/delete paths, but a
couple were separated. Merge the remaining APIs to facilitate future
changes.

Reviewed-by: Laine Stump <laine@laine.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
src/util/viriptables.c

index 5dbea8cf57f08b481880499d6b77bab7ceeeaa78..f379844d289c6b33a1f0d1ed00d02c5e4f122331 100644 (file)
@@ -495,6 +495,21 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
     return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
 }
 
+static void
+iptablesForwardAllowCross(virFirewallPtr fw,
+                          virFirewallLayer layer,
+                          const char *iface,
+                          int action)
+{
+    virFirewallAddRule(fw, layer,
+                       "--table", "filter",
+                       action == ADD ? "--insert" : "--delete", "FORWARD",
+                       "--in-interface", iface,
+                       "--out-interface", iface,
+                       "--jump", "ACCEPT",
+                       NULL);
+}
+
 /**
  * iptablesAddForwardAllowCross:
  * @ctx: pointer to the IP table context
@@ -511,13 +526,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
                              virFirewallLayer layer,
                              const char *iface)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       "--insert", "FORWARD",
-                       "--in-interface", iface,
-                       "--out-interface", iface,
-                       "--jump", "ACCEPT",
-                       NULL);
+    iptablesForwardAllowCross(fw, layer, iface, ADD);
 }
 
 /**
@@ -535,13 +544,21 @@ void
 iptablesRemoveForwardAllowCross(virFirewallPtr fw,
                                 virFirewallLayer layer,
                                 const char *iface)
+{
+    iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+}
+
+static void
+iptablesForwardRejectOut(virFirewallPtr fw,
+                         virFirewallLayer layer,
+                         const char *iface,
+                         int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       "--delete", "FORWARD",
+                       action == ADD ? "--insert" : "delete", "FORWARD",
                        "--in-interface", iface,
-                       "--out-interface", iface,
-                       "--jump", "ACCEPT",
+                       "--jump", "REJECT",
                        NULL);
 }
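Review bot: The REMOVE branch of the new iptablesForwardRejectOut helper passes the bare word `"delete"` instead of `"--delete"` in the ternary `action == ADD ? "--insert" : "delete", "FORWARD"`, so iptablesRemoveForwardRejectOut now hands iptables an unrecognised argument and the per-interface REJECT rule on the FORWARD chain is never removed; the code this replaces used `--delete`, and the sibling helpers in this commit spell it correctly. The line should read `action == ADD ? "--insert" : "--delete", "FORWARD",`. Because the rule being left behind is a REJECT, the likely effect is a failed iptables invocation and a stale blocking rule after network teardown rather than an open firewall, but it is still a functional regression in a firewall path and a one-character fix.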
 
@@ -560,12 +577,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
                             virFirewallLayer layer,
                             const char *iface)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       "--insert", "FORWARD",
-                       "--in-interface", iface,
-                       "--jump", "REJECT",
-                       NULL);
+    iptablesForwardRejectOut(fw, layer, iface, ADD);
 }
 
 /**
@@ -582,16 +594,25 @@ void
 iptablesRemoveForwardRejectOut(virFirewallPtr fw,
                                virFirewallLayer layer,
                                const char *iface)
+{
+    iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+}
+
+
+static void
+iptablesForwardRejectIn(virFirewallPtr fw,
+                        virFirewallLayer layer,
+                        const char *iface,
+                        int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       "--delete", "FORWARD",
-                       "--in-interface", iface,
+                       action == ADD ? "--insert" : "--delete", "FORWARD",
+                       "--out-interface", iface,
                        "--jump", "REJECT",
                        NULL);
 }
 
-
 /**
  * iptablesAddForwardRejectIn:
  * @ctx: pointer to the IP table context
@@ -607,12 +628,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
                            virFirewallLayer layer,
                            const char *iface)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       "--insert", "FORWARD",
-                       "--out-interface", iface,
-                       "--jump", "REJECT",
-                       NULL);
+    iptablesForwardRejectIn(fw, layer, iface, ADD);
 }
 
 /**
@@ -630,12 +646,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
                               virFirewallLayer layer,
                               const char *iface)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       "--delete", "FORWARD",
-                       "--out-interface", iface,
-                       "--jump", "REJECT",
-                       NULL);
+    iptablesForwardRejectIn(fw, layer, iface, REMOVE);
 }