(This paragraph is for historical reference only, described only to
avoid confusion of past use of the name with its new use) In a past
life, virFirewallBackend had been a private static in virfirewall.c
that was set at daemon init time, and used to globally (i.e. for all
drivers in the daemon) determine whether to directly execute iptables
commands, or to run them indirectly via the firewalld passthrough
API. This was removed in commit
d566cc55, since we decided that using
the firewalld passthrough API is never appropriate.
Now the same enum, virFirewallBackend, is being reintroduced, with a
different meaning and usage pattern. It will be used to pick between
using nftables commands or iptables commands (in either case directly
handled by libvirt, *not* via firewalld). Additionally, rather than
being a static known only within virfirewall.c and applying to all
firewall commands for all drivers, each virFirewall object will have
its own backend setting, which will be set during virFirewallNew() by
the driver who wants to add a firewall rule.
This will allow the nwfilter and network drivers to each have their
own backend setting, even when they coexist in a single unified
daemon. At least as important as that, it will also allow an instance
of the network driver to remove iptables rules that had been added by
a previous instance, and then add nftables rules for the new instance
(in the case that an admin, or possibly an update, switches the driver
backend from iptables to nftable)
Initially, the enum will only have one usable value -
VIR_FIREWALL_BACKEND_IPTABLES, and that will be hardcoded into all
calls to virFirewallNew(). The other enum value (along with a method
of setting it for each driver) will be added later, when it can be
used (when the nftables backend is in the code).
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
# util/virfirewall.h
virFirewallAddCmdFull;
virFirewallApply;
+virFirewallBackendTypeFromString;
+virFirewallBackendTypeToString;
virFirewallCmdAddArg;
virFirewallCmdAddArgFormat;
virFirewallCmdAddArgList;
virFirewallCmdGetArgCount;
virFirewallCmdToString;
virFirewallFree;
+virFirewallGetBackend;
virFirewallNew;
virFirewallRemoveCmd;
virFirewallStartRollback;
int
iptablesSetupPrivateChains(virFirewallLayer layer)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
iptablesGlobalChain filter_chains[] = {
{"INPUT", VIR_IPTABLES_INPUT_CHAIN},
{"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN},
{
size_t i;
virNetworkIPDef *ipdef;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, 0);
{
size_t i;
virNetworkIPDef *ipdef;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
iptablesRemoveChecksumFirewallRules(fw, def);
ebtablesApplyBasicRules(const char *ifname,
const virMacAddr *macaddr)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
char chain[MAX_CHAINNAME_LENGTH];
char chainPrefix = CHAINPREFIX_HOST_IN_TEMP;
char macaddr_str[VIR_MAC_STRING_BUFLEN];
char macaddr_str[VIR_MAC_STRING_BUFLEN];
unsigned int idx = 0;
unsigned int num_dhcpsrvrs;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virMacAddrFormat(macaddr, macaddr_str);
{
char chain_in [MAX_CHAINNAME_LENGTH],
chain_out[MAX_CHAINNAME_LENGTH];
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
if (ebiptablesAllTeardown(ifname) < 0)
return -1;
static int
ebtablesCleanAll(const char *ifname)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
size_t nrules)
{
size_t i, j;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
g_autoptr(GHashTable) chains_in_set = virHashNew(NULL);
g_autoptr(GHashTable) chains_out_set = virHashNew(NULL);
bool haveEbtables = false;
static int
ebiptablesTearNewRules(const char *ifname)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
static int
ebiptablesTearOldRules(const char *ifname)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
static int
ebiptablesAllTeardown(const char *ifname)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
int
ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
const char *macaddr,
int action)
{
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
virFirewallStartTransaction(fw, 0);
virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
VIR_LOG_INIT("util.firewall");
+VIR_ENUM_IMPL(virFirewallBackend,
+ VIR_FIREWALL_BACKEND_LAST,
+ "iptables");
+
typedef struct _virFirewallGroup virFirewallGroup;
VIR_ENUM_DECL(virFirewallLayerCommand);
size_t ngroups;
virFirewallGroup **groups;
size_t currentGroup;
+ virFirewallBackend backend;
};
static virMutex fwCmdLock = VIR_MUTEX_INITIALIZER;
*
* Returns the new firewall ruleset
*/
-virFirewall *virFirewallNew(void)
+virFirewall *virFirewallNew(virFirewallBackend backend)
{
virFirewall *firewall = g_new0(virFirewall, 1);
+ firewall->backend = backend;
return firewall;
}
+virFirewallBackend
+virFirewallGetBackend(virFirewall *firewall)
+{
+ return firewall->backend;
+}
+
+
static void
virFirewallCmdFree(virFirewallCmd *fwCmd)
{
#pragma once
#include "internal.h"
+#include "virenum.h"
typedef struct _virFirewall virFirewall;
VIR_FIREWALL_LAYER_LAST,
} virFirewallLayer;
-virFirewall *virFirewallNew(void);
+typedef enum {
+ VIR_FIREWALL_BACKEND_IPTABLES,
+
+ VIR_FIREWALL_BACKEND_LAST,
+} virFirewallBackend;
+
+VIR_ENUM_DECL(virFirewallBackend);
+virFirewall *virFirewallNew(virFirewallBackend backend);
void virFirewallFree(virFirewall *firewall);
+virFirewallBackend virFirewallGetBackend(virFirewall *firewall);
/**
* virFirewallAddCmd:
testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
testFirewallQuery(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
- g_autoptr(virFirewall) fw = virFirewallNew();
+ g_autoptr(virFirewall) fw = virFirewallNew(VIR_FIREWALL_BACKEND_IPTABLES);
const char *actual = NULL;
const char *expected =
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
projects / libvirt.git / commitdiff