<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/08/2014 11:38 AM, Daniel P.
Berrange wrote:<br>
</div>
<blockquote
cite="mid:1396971498-27129-17-git-send-email-berrange@redhat.com"
type="cite">
<pre wrap="">Convert the nwfilter ebiptablesAllTeardown method to use the
virFirewall object APIs instead of creating shell scripts
using virBuffer APIs. This provides a performance improvement
through allowing direct use of firewalld dbus APIs and will
facilitate automated testing.
Signed-off-by: Daniel P. Berrange <a class="moz-txt-link-rfc2396E" href="mailto:berrange@redhat.com"><berrange@redhat.com></a>
</pre>
</blockquote>
<br>
<blockquote
cite="mid:1396971498-27129-17-git-send-email-berrange@redhat.com"
type="cite">
<pre wrap="">
@@ -2972,6 +3153,58 @@ _ebtablesRemoveSubChains(virBufferPtr buf,
virBufferAddLit(buf, "rm_chains $chains\n");
}
+
+static int
+ebtablesRemoveSubChainsQuery(virFirewallPtr fw,
+ const char *const *lines,
+ void *opaque)
+{
+ size_t i, j;
+ const char *chains = opaque;
+</pre>
</blockquote>
<br>
The problem here is 'opaque' may have gone out of scope ...
[continue below]<br>
<br>
<blockquote
cite="mid:1396971498-27129-17-git-send-email-berrange@redhat.com"
type="cite">
<pre wrap="">
+ for (i = 0; lines[i] != NULL; i++) {
+ VIR_DEBUG("Considering '%s'", lines[i]);
+ char *tmp = strstr(lines[i], "-j ");
+ if (!tmp)
+ continue;
+ tmp = tmp + 3;
+ for (j = 0; chains[j]; j++) {
+ if (tmp[0] == chains[j] &&
+ tmp[1] == '-') {
+ VIR_DEBUG("Processing chain '%s'", tmp);
+ virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ false, ebtablesRemoveSubChainsQuery,
+ (void *)chains,
+ "-t", "nat", "-L", tmp, NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-F", tmp, NULL);
+ virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
+ "-t", "nat", "-X", tmp, NULL);
+ }
+ }
+ }
+
+ return 0;
+}
+
+
+static void
+_ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+ const char *ifname,
+ const char *chains)
+{
+ char rootchain[MAX_CHAINNAME_LENGTH];
+ size_t i;
+
</pre>
</blockquote>
<br>
[...]<br>
<pre wrap="">@@ -2986,6 +3219,19 @@ ebtablesRemoveSubChains(virBufferPtr buf,
}
static void
+ebtablesRemoveSubChainsFW(virFirewallPtr fw,
+ const char *ifname)
+{
+ char chains[3] = {
+ CHAINPREFIX_HOST_IN,
+ CHAINPREFIX_HOST_OUT,
+ 0
+ };
+</pre>
<br>
... due to these arrays residing on the stack. So I prepended
'static' to these arrays and the ebtables rules cleanup started
working.<br>
<br>
My suggested modification to this patch would be this here:<br>
<br>
<font face="Courier New, Courier, monospace">Index:
libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c<br>
===================================================================<br>
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c<br>
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c<br>
@@ -139,6 +139,19 @@ static const struct ushort_map l3_protoc<br>
};<br>
<br>
<br>
+static char chainprefixes_host[3] = {<br>
+ CHAINPREFIX_HOST_IN,<br>
+ CHAINPREFIX_HOST_OUT,<br>
+ 0<br>
+};<br>
+<br>
+static char chainprefixes_host_temp[3] = {<br>
+ CHAINPREFIX_HOST_IN_TEMP,<br>
+ CHAINPREFIX_HOST_OUT_TEMP,<br>
+ 0<br>
+};<br>
+<br>
+<br>
static int<br>
printVar(virNWFilterVarCombIterPtr vars,<br>
char *buf, int bufsize,<br>
@@ -2621,7 +2634,7 @@ ebtablesRemoveSubChainsQuery(virFirewall<br>
void *opaque)<br>
{<br>
size_t i, j;<br>
- const char *chains = opaque;<br>
+ const char *chainprefixes = opaque;<br>
<br>
for (i = 0; lines[i] != NULL; i++) {<br>
VIR_DEBUG("Considering '%s'", lines[i]);<br>
@@ -2629,13 +2642,13 @@ ebtablesRemoveSubChainsQuery(virFirewall<br>
if (!tmp)<br>
continue;<br>
tmp = tmp + 3;<br>
- for (j = 0; chains[j]; j++) {<br>
- if (tmp[0] == chains[j] &&<br>
+ for (j = 0; chainprefixes[j]; j++) {<br>
+ if (tmp[0] == chainprefixes[j] &&<br>
tmp[1] == '-') {<br>
VIR_DEBUG("Processing chain '%s'", tmp);<br>
virFirewallAddRuleFull(fw,
VIR_FIREWALL_LAYER_ETHERNET,<br>
false,
ebtablesRemoveSubChainsQuery,<br>
- (void *)chains,<br>
+ (void *)chainprefixes,<br>
"-t", "nat", "-L", tmp,
NULL);<br>
virFirewallAddRule(fw,
VIR_FIREWALL_LAYER_ETHERNET,<br>
"-t", "nat", "-F", tmp, NULL);<br>
@@ -2652,16 +2665,16 @@ ebtablesRemoveSubChainsQuery(virFirewall<br>
static void<br>
_ebtablesRemoveSubChainsFW(virFirewallPtr fw,<br>
const char *ifname,<br>
- const char *chains)<br>
+ const char *chainprefixes)<br>
{<br>
char rootchain[MAX_CHAINNAME_LENGTH];<br>
size_t i;<br>
<br>
- for (i = 0; chains[i] != 0; i++) {<br>
- PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);<br>
+ for (i = 0; chainprefixes[i] != 0; i++) {<br>
+ PRINT_ROOT_CHAIN(rootchain, chainprefixes[i], ifname);<br>
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,<br>
false,
ebtablesRemoveSubChainsQuery,<br>
- (void *)chains,<br>
+ (void *)chainprefixes,<br>
"-t", "nat", "-L", rootchain,
NULL);<br>
}<br>
}<br>
@@ -2670,13 +2683,7 @@ static void<br>
ebtablesRemoveSubChainsFW(virFirewallPtr fw,<br>
const char *ifname)<br>
{<br>
- char chains[3] = {<br>
- CHAINPREFIX_HOST_IN,<br>
- CHAINPREFIX_HOST_OUT,<br>
- 0<br>
- };<br>
-<br>
- _ebtablesRemoveSubChainsFW(fw, ifname, chains);<br>
+ _ebtablesRemoveSubChainsFW(fw, ifname, chainprefixes_host);<br>
}<br>
<br>
<br>
@@ -2684,13 +2691,7 @@ static void<br>
ebtablesRemoveTmpSubChainsFW(virFirewallPtr fw,<br>
const char *ifname)<br>
{<br>
- char chains[3] = {<br>
- CHAINPREFIX_HOST_IN_TEMP,<br>
- CHAINPREFIX_HOST_OUT_TEMP,<br>
- 0<br>
- };<br>
-<br>
- _ebtablesRemoveSubChainsFW(fw, ifname, chains);<br>
+ _ebtablesRemoveSubChainsFW(fw, ifname,
chainprefixes_host_temp);<br>
}<br>
<br>
static void<br>
</font><br>
</body>
</html>