[libvirt] [PATCH 08/26] Merge nwfilter createRuleInstance driver into applyNewRules

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Apr 16 20:52:29 UTC 2014


On 04/08/2014 11:38 AM, Daniel P. Berrange wrote:
> The current nwfilter tech driver API has a 'createRuleInstance' method
> which populates virNWFilterRuleInstPtr with a command line string
> containing variable placeholders. The 'applyNewRules' method then
> expands the variables and executes the commands. This split of
> responsibility won't work when switching to the virFirewallPtr
> APIs, since we can't just build up command line strings. This patch
> merges the functionality of 'createRuleInstance' into the
> applyNewRules method.
>
> The virNWFilterRuleInstPtr struct is changed from holding an array
> of opaque pointers, into holding generic metadata about the rules
> to be processed. In essence this is the result of taking a linked
> set of virNWFilterDefPtr's and flattening the tree to get a list
> of virNWFilterRuleDefPtr's. At the same time we must keep track of
> any nested virNWFilterObjPtr instances, so that the locks are held
> for the duration of the 'applyNewRules' method.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>

Some parts are difficult to read in the patch, especially where you 
split the contents of _virNWFilterInstantiateRec into two functions. But 
I find that the pieces appear again in the new functions.


      /* process ebtables commands; interleave commands from filters with
         commands for creating and connecting ebtables chains */
      j = 0;
-    for (i = 0; i < nruleInstances; i++) {
-        sa_assert(inst);
-        switch (inst[i]->ruleType) {
-        case RT_EBTABLES:
+    for (i = 0; i < nrules; i++) {
+        if (virNWFilterRuleIsProtocolEthernet(rules[i]->def)) {
              while (j < nEbtChains &&
-                   ebtChains[j].priority <= inst[i]->priority) {
+                   ebtChains[j].priority <= rules[i]->priority) {
                  ebiptablesInstCommand(&buf,
                                        ebtChains[j++].commandTemplate,
                                        'A', -1, true);
              }
-            ebiptablesInstCommand(&buf,
-                                  inst[i]->commandTemplate,
-                                  'A', -1, true);
-        break;
-        case RT_IPTABLES:
-            haveIptables = true;
-        break;
-        case RT_IP6TABLES:
-            haveIp6tables = true;
-        break;
+            ebtablesRuleInstCommand(&buf,
+                                    ifname,
+                                    rules[i],
+                                    'A', -1, true);
+        } else {
+            if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+                haveIptables = true;
+            else if (virNWFilterRuleIsProtocolIPv4(rules[i]->def))
+                haveIp6tables = true;
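Review bot: the `else if` branch in this hunk tests `virNWFilterRuleIsProtocolIPv4(rules[i]->def)` a second time, so `haveIp6tables` can never become true and the old `RT_IP6TABLES` behaviour is silently lost; the second check should be `virNWFilterRuleIsProtocolIPv6(rules[i]->def)`. Since the first `if` already handled IPv4, any rule that reaches the `else if` is by construction not IPv4, which makes the repeated condition always false rather than merely redundant.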


Here's that typo. If you were to change this, the TCK test suite will 
probably pass after each step of applying the patches incrementally.

ACK

    Stefan
