Introduce an internal priority for chains
authorStefan Berger <stefanb@linux.vnet.ibm.com>
Fri, 18 Nov 2011 16:58:17 +0000 (11:58 -0500)
committerStefan Berger <stefanb@us.ibm.com>
Fri, 18 Nov 2011 16:58:17 +0000 (11:58 -0500)
For better handling of the sorting of chains introduce an internally used
priority. Use a lookup table to store the priorities. For now their actual
values do not matter, only that the values cause the chains to be properly
sorted through changes in the following patches. However, the values are
chosen as negative so that once they are sorted along with filtering rules
(whose priority may only be positive for now) they will always be instantiated
before them (lower values cause instantiation before higher values). This
is done to maintain backwards compatibility.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
src/conf/nwfilter_conf.c
src/conf/nwfilter_conf.h
src/nwfilter/nwfilter_ebiptables_driver.c
src/nwfilter/nwfilter_ebiptables_driver.h

index 55ab68b3efe23aafa0046df7aa6d794dceef7e87..1024e579c0813947518924b885bfc304679e36d2 100644 (file)
@@ -124,6 +124,14 @@ struct int_map {
 #define INTMAP_ENTRY(ATT, VAL) { .attr = ATT, .val = VAL }
 #define INTMAP_ENTRY_LAST      { .val = NULL }
 
+static const struct int_map chain_priorities[] = {
+    INTMAP_ENTRY(NWFILTER_ROOT_FILTER_PRI, "root"),
+    INTMAP_ENTRY(NWFILTER_IPV4_FILTER_PRI, "ipv4"),
+    INTMAP_ENTRY(NWFILTER_IPV6_FILTER_PRI, "ipv6"),
+    INTMAP_ENTRY(NWFILTER_ARP_FILTER_PRI , "arp" ),
+    INTMAP_ENTRY(NWFILTER_RARP_FILTER_PRI, "rarp"),
+    INTMAP_ENTRY_LAST,
+};
 
 /*
  * only one filter update allowed
@@ -2028,6 +2036,12 @@ virNWFilterDefParseXML(xmlXPathContextPtr ctxt) {
                                    _("unknown chain suffix '%s'"), chain);
             goto cleanup;
         }
+        /* assign an implicit priority -- support XML attribute later */
+        if (!intMapGetByString(chain_priorities, chain, 0,
+                               &ret->chainPriority)) {
+            ret->chainPriority = (NWFILTER_MAX_FILTER_PRIORITY +
+                                  NWFILTER_MIN_FILTER_PRIORITY) / 2;
+        }
     }
 
     uuid = virXPathString("string(./uuid)", ctxt);
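Review bot: The fallback assigned when intMapGetByString returns false (presumably the not-found case) evaluates to (1000 + -1000) / 2 = 0, which is the same value as NWFILTER_ROOT_FILTER_PRI and as MIN_RULE_PRIORITY, so a chain that misses the table would not sort strictly before rule priorities as the description intends. Because the check just above already rejects an unknown chain suffix, this branch looks reachable only if a suffix is added to the enum without a matching chain_priorities entry; a comment saying so, `/* only reached if a suffix is missing from chain_priorities */`, or a strictly negative default would keep the ordering invariant explicit. In the table hunk the `NWFILTER_ARP_FILTER_PRI , "arp" )` entry carries padding spaces inside the macro arguments that the sibling entries do not. virNWFilterDefParseXML starts and ends outside the hunk.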
index f48c7cd1d15141f29d8dfd0cf6c5e99484f102f7..3d430181b92d3d96daf9765c317d651657c95ae5 100644 (file)
@@ -357,8 +357,18 @@ enum virNWFilterEbtablesTableType {
 };
 
 
+# define MIN_RULE_PRIORITY  0
 # define MAX_RULE_PRIORITY  1000
 
+# define NWFILTER_MIN_FILTER_PRIORITY -1000
+# define NWFILTER_MAX_FILTER_PRIORITY MAX_RULE_PRIORITY
+
+# define NWFILTER_ROOT_FILTER_PRI 0
+# define NWFILTER_IPV4_FILTER_PRI -700
+# define NWFILTER_IPV6_FILTER_PRI -600
+# define NWFILTER_ARP_FILTER_PRI  -500
+# define NWFILTER_RARP_FILTER_PRI -400
+
 enum virNWFilterRuleFlags {
     RULE_FLAG_NO_STATEMATCH      = (1 << 0),
     RULE_FLAG_STATE_NEW          = (1 << 1),
@@ -436,6 +446,7 @@ enum virNWFilterChainSuffixType {
     VIR_NWFILTER_CHAINSUFFIX_LAST,
 };
 
+typedef int32_t virNWFilterChainPriority;
 
 typedef struct _virNWFilterDef virNWFilterDef;
 typedef virNWFilterDef *virNWFilterDefPtr;
@@ -445,6 +456,7 @@ struct _virNWFilterDef {
     unsigned char uuid[VIR_UUID_BUFLEN];
 
     int chainsuffix; /*enum virNWFilterChainSuffixType */
+    virNWFilterChainPriority chainPriority;
 
     int nentries;
     virNWFilterEntryPtr *filterEntries;
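Review bot: NWFILTER_ROOT_FILTER_PRI is defined as 0, which is not negative and equals MIN_RULE_PRIORITY, so the description's statement that chain priorities are chosen negative to always instantiate before rules does not hold for the root chain unless a tie-break elsewhere guarantees it. The new defines carry no comment relating them to the rule range; a short header comment such as `/* chain priorities: NWFILTER_MIN_FILTER_PRIORITY..NWFILTER_MAX_FILTER_PRIORITY; values below MIN_RULE_PRIORITY sort before every rule */` would document the intended invariant and make the root-chain exception visible. The `typedef int32_t virNWFilterChainPriority;` also assumes <stdint.h> is already reachable from nwfilter_conf.h, which this hunk does not show.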
index 87bc228bd4b0799c7bc388b384f2e9e80b5e1508..62fe722f5ac0fe9bc349896f09c561d835adceeb 100644 (file)
@@ -328,6 +328,7 @@ static int
 ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
                       char *commandTemplate,
                       enum virNWFilterChainSuffixType neededChain,
+                      virNWFilterChainPriority chainPriority,
                       char chainprefix,
                       unsigned int priority,
                       enum RuleType ruleType)
@@ -341,6 +342,7 @@ ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
 
     inst->commandTemplate = commandTemplate;
     inst->neededProtocolChain = neededChain;
+    inst->chainPriority = chainPriority;
     inst->chainprefix = chainprefix;
     inst->priority = priority;
     inst->ruleType = ruleType;
@@ -1589,6 +1591,7 @@ _iptablesCreateRuleInstance(int directionIn,
     return ebiptablesAddRuleInst(res,
                                  virBufferContentAndReset(final),
                                  nwfilter->chainsuffix,
+                                 nwfilter->chainPriority,
                                  '\0',
                                  rule->priority,
                                  (isIPv6) ? RT_IP6TABLES : RT_IPTABLES);
@@ -2338,6 +2341,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
     return ebiptablesAddRuleInst(res,
                                  virBufferContentAndReset(&buf),
                                  nwfilter->chainsuffix,
+                                 nwfilter->chainPriority,
                                  chainPrefix,
                                  rule->priority,
                                  RT_EBTABLES);
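Review bot: The new chainPriority parameter of ebiptablesAddRuleInst is undocumented, and nothing in the signature or at the two call sites states its meaning or expected range beyond being copied from nwfilter->chainPriority. A one-line comment on the parameter, `/* priority of the chain itself (NWFILTER_*_FILTER_PRI), distinct from the rule priority */`, would make the distinction from the adjacent `unsigned int priority` argument clear to the next caller. ebiptablesAddRuleInst's body and both callers begin outside the hunks.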
index ff3de3cc06ecc07bc89dc7b9bd4b2084c3af898f..8eb2e26ba9812f2a33b1dae21b8461d30bdba27b 100644 (file)
@@ -36,6 +36,7 @@ typedef ebiptablesRuleInst *ebiptablesRuleInstPtr;
 struct _ebiptablesRuleInst {
     char *commandTemplate;
     enum virNWFilterChainSuffixType neededProtocolChain;
+    virNWFilterChainPriority chainPriority;
     char chainprefix;    /* I for incoming, O for outgoing */
     unsigned int priority;
     enum RuleType ruleType;
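Review bot: chainPriority is a signed int32_t stored directly above the `unsigned int priority` field, and the description says chains and rules will later be sorted together; if a comparator ever compares the two in one expression, the usual arithmetic conversions would turn the negative chain priorities into large unsigned values and invert the intended order. Worth a comment on the new field, `/* signed: negative values sort before any rule priority; cast before comparing with priority */`, or making both fields the same signed type in the follow-up patch.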