[libvirt] [PATCH 08/26] Merge nwfilter createRuleInstance driver into applyNewRules
Stefan Berger
stefanb at linux.vnet.ibm.com
Wed Apr 16 20:52:29 UTC 2014
On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
> The current nwfilter tech driver API has a 'createRuleInstance' method
> which populates virNWFilterRuleInstPtr with a command line string
> containing variable placeholders. The 'applyNewRules' method then
> expands the variables and executes the commands. This split of
> responsibility won't work when switching to the virFirewallPtr
> APIs, since we can't just build up command line strings. This patch
> merges the functionality of 'createRuleInstance' into the
> applyNewRules method.
>
> The virNWFilterRuleInstPtr struct is changed from holding an array
> of opaque pointers, into holding generic metadata about the rules
> to be processed. In essence this is the result of taking a linked
> set of virNWFilterDefPtr's and flattening the tree to get a list
> of virNWFilterRuleDefPtr's. At the same time we must keep track of
> any nested virNWFilterObjPtr instances, so that the locks are held
> for the duration of the 'applyNewRules' method.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
Some parts are difficult to read in the patch, especially where you
split the contents of _virNWFilterInstantiateRec into two functions. But
I find that the pieces appear again in the new functions.
/* process ebtables commands; interleave commands from filters with
commands for creating and connecting ebtables chains */
j = 0;
- for (i = 0; i < nruleInstances; i++) {
- sa_assert(inst);
- switch (inst[i]->ruleType) {
- case RT_EBTABLES:
+ for (i = 0; i < nrules; i++) {
+ if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
while (j < nEbtChains &&
- ebtChains[j].priority <= inst[i]->priority) {
+ ebtChains[j].priority <= rules[i]->priority) {
ebiptablesInstCommand(&buf,
ebtChains[j++].commandTemplate,
'A', -1, true);
}
- ebiptablesInstCommand(&buf,
- inst[i]->commandTemplate,
- 'A', -1, true);
- break;
- case RT_IPTABLES:
- haveIptables = true;
- break;
- case RT_IP6TABLES:
- haveIp6tables = true;
- break;
+ ebtablesRuleInstCommand(&buf,
+ ifname,
+ rules[i],
+ 'A', -1, true);
+ } else {
+ if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ haveIptables = true;
+ else if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+ haveIp6tables = true;
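Review bot: The else-if in the new non-Ethernet branch tests virNWFilterRuleIsProtocolIPv4(rules[i]->def) a second time, so it can never be true when it is reached and haveIp6tables is never set by this loop, whereas the removed RT_IP6TABLES case did set it. The second condition should use the IPv6 predicate instead (virNWFilterRuleIsProtocolIPv6, assuming it is named like its IPv4 counterpart) so that IPv6 rules still mark haveIp6tables. Separately, the old loop carried sa_assert(inst) and the new one dereferences rules[i] with no equivalent; consider keeping an sa_assert(rules) if the static analyzer still needs the hint.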
Here's that typo. If you were to change this, the TCK test suite will
probably pass after each step of applying the patches incrementally.
ACK
Stefan