[libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
Pavel Hrdina
phrdina at redhat.com
Tue Apr 29 14:45:31 UTC 2014
On 8.4.2014 17:38, Daniel P. Berrange wrote:
> The network and nwfilter drivers both have a need to update
> firewall rules. They currently share no code for interacting
> with iptables / firewalld. The nwfilter driver is fairly
> tied to the concept of creating shell scripts to execute
> which makes it very hard to port to talk to firewalld via
> DBus APIs.
>
> This patch introduces a virFirewallPtr object which is able
> to represent a complete sequence of rule changes, with the
> ability to have multiple transactional checkpoints with
> rollbacks. By formally separating the definition of the rules
> to be applied from the mechanism used to apply them, it is
> also possible to write a firewall engine that uses firewalld
> DBus APIs natively instead of via the slow firewalld-cmd.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
> include/libvirt/virterror.h | 1 +
> po/POTFILES.in | 1 +
> src/Makefile.am | 2 +
> src/libvirt_private.syms | 17 +
> src/util/virerror.c | 1 +
> src/util/virfirewall.c | 922 +++++++++++++++++++++++++++++++++
> src/util/virfirewall.h | 109 ++++
> src/util/virfirewallpriv.h | 45 ++
> tests/Makefile.am | 7 +
> tests/testutils.c | 18 +-
> tests/virfirewalltest.c | 1186 +++++++++++++++++++++++++++++++++++++++++++
> 11 files changed, 2305 insertions(+), 4 deletions(-)
> create mode 100644 src/util/virfirewall.c
> create mode 100644 src/util/virfirewall.h
> create mode 100644 src/util/virfirewallpriv.h
> create mode 100644 tests/virfirewalltest.c
[...]
> diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
> new file mode 100644
> index 0000000..b558d2f
> --- /dev/null
> +++ b/src/util/virfirewall.c
> @@ -0,0 +1,922 @@
[...]
> +static virFirewallRulePtr
> +virFirewallAddRuleFullV(virFirewallPtr firewall,
> + virFirewallLayer layer,
> + bool ignoreErrors,
> + virFirewallQueryCallback cb,
> + void *opaque,
> + va_list args)
> +{
> + virFirewallGroupPtr group;
> + virFirewallRulePtr rule;
> + char *str;
> +
> + VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall);
> +
> + if (firewall->ngroups == 0) {
> + firewall->err = ENODATA;
> + return NULL;
> + }
> + group = firewall->groups[firewall->currentGroup];
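Review bot: the only guard before `group = firewall->groups[firewall->currentGroup];` is `firewall->ngroups == 0`; nothing in the visible lines checks that `currentGroup` is below `ngroups`, so if any caller can move `currentGroup` a range check (or at least a comment stating the invariant) would make the indexing safe by inspection. The `firewall->err = ENODATA;` assignment is also not portable: ENODATA is missing on FreeBSD, so either guard it near the top of the file with `#ifndef ENODATA` / `# define ENODATA ENOMSG` / `#endif` or record an errno value that exists on every supported platform.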
[...]
> +void virFirewallStartRollback(virFirewallPtr firewall,
> + unsigned int flags)
> +{
> + virFirewallGroupPtr group;
> +
> + VIR_FIREWALL_RETURN_IF_ERROR(firewall);
> +
> + if (firewall->ngroups == 0) {
> + firewall->err = ENODATA;
> + return;
> + }
> +
> + group = firewall->groups[firewall->ngroups-1];
> + group->rollbackFlags = flags;
> + group->addingRollback = true;
> +}
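Review bot: `flags` is copied into `group->rollbackFlags` without any check that only the accepted bits are set; an explicit validation of the flag bits (libvirt normally does this up front in functions taking `unsigned int flags`) would reject callers passing unknown values instead of silently storing them. Separately, this function targets `firewall->groups[firewall->ngroups-1]` while virFirewallAddRuleFullV above targets `firewall->groups[firewall->currentGroup]`; if the two indices are always equal a comment saying so would help, otherwise a rule added after `addingRollback = true` could be appended to a different group than the one that was just marked.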
Hi Dan,
The ENODATA error is not defined in FreeBSD and I'm wondering
whether it should be compiled there? If yes, then we have to
add:
#ifndef ENODATA
# define ENODATA ENOMSG
#endif
into that file.
Pavel
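The checkpoint-and-rollback design that the commit message describes, as an added illustration in C that is not libvirt's virfirewall code: a toy ruleset object records rules into transactional groups, each group can record its own undo rules, and applying the ruleset through a backend callback rolls back every group up to the failing one when a rule cannot be applied. The `toy_*` names, the fixed-size arrays and the short constructed rule strings ("add-22", "del-22", ...) are all assumptions for the example; it also folds in the ENODATA fallback suggested in the reply so that it builds on platforms without that errno.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ENODATA is absent on some platforms (FreeBSD); fall back as suggested. */
#ifndef ENODATA
# define ENODATA ENOMSG
#endif

#define MAX_RULES 16
#define MAX_GROUPS 4
#define RULE_LEN 64

typedef struct {
    char rules[MAX_RULES][RULE_LEN];     /* rules to apply, in order */
    size_t nrules;
    char rollback[MAX_RULES][RULE_LEN];  /* undo rules recorded after rollback start */
    size_t nrollback;
    bool addingRollback;                 /* true once toy_start_rollback() was called */
} toy_group;

typedef struct {
    toy_group groups[MAX_GROUPS];
    size_t ngroups;
    int err;   /* first errno seen; every later operation becomes a no-op */
} toy_firewall;

void toy_firewall_init(toy_firewall *fw) { memset(fw, 0, sizeof(*fw)); }

/* Open a new checkpoint; rules added from now on belong to this group. */
int toy_start_transaction(toy_firewall *fw) {
    if (fw->err) return -1;
    if (fw->ngroups == MAX_GROUPS) { fw->err = ENOSPC; return -1; }
    fw->ngroups++;
    return 0;
}

/* Switch the latest group to recording undo rules (mirrors StartRollback). */
int toy_start_rollback(toy_firewall *fw) {
    if (fw->err) return -1;
    if (fw->ngroups == 0) { fw->err = ENODATA; return -1; }  /* no open group */
    fw->groups[fw->ngroups - 1].addingRollback = true;
    return 0;
}

/* Append a rule to the latest group, as a normal or an undo rule. */
int toy_add_rule(toy_firewall *fw, const char *rule) {
    toy_group *g;
    if (fw->err) return -1;
    if (fw->ngroups == 0) { fw->err = ENODATA; return -1; }
    g = &fw->groups[fw->ngroups - 1];
    if (g->addingRollback) {
        if (g->nrollback == MAX_RULES) { fw->err = ENOSPC; return -1; }
        snprintf(g->rollback[g->nrollback++], RULE_LEN, "%s", rule);
    } else {
        if (g->nrules == MAX_RULES) { fw->err = ENOSPC; return -1; }
        snprintf(g->rules[g->nrules++], RULE_LEN, "%s", rule);
    }
    return 0;
}

/* Backend hook: 0 on success, -1 if the rule could not be applied. This is
 * the seam where an iptables, firewall-cmd or DBus engine would plug in. */
typedef int (*toy_apply_cb)(const char *rule, void *opaque);

/* Apply all groups in order. If a rule in group i fails, the undo rules of
 * groups i..0 run in reverse order (best effort: undo rules may refer to
 * rules that were never installed, so their errors are ignored).
 * Returns the number of rules applied, or -1 after a rollback. */
int toy_apply(toy_firewall *fw, toy_apply_cb cb, void *opaque) {
    size_t i, j;
    int applied = 0;
    if (fw->err) { errno = fw->err; return -1; }
    for (i = 0; i < fw->ngroups; i++) {
        toy_group *g = &fw->groups[i];
        for (j = 0; j < g->nrules; j++) {
            if (cb(g->rules[j], opaque) < 0)
                goto rollback;
            applied++;
        }
    }
    return applied;
rollback:
    for (;; i--) {   /* i is the failing group */
        toy_group *g = &fw->groups[i];
        for (j = g->nrollback; j > 0; j--)
            (void)cb(g->rollback[j - 1], opaque);
        if (i == 0) break;
    }
    return -1;
}

/* Constructed backend that logs what it "executed" and fails on call N. */
typedef struct { char log[256]; int fail_on_nth; int calls; } toy_backend;
static toy_backend last_backend;

static int toy_record(const char *rule, void *opaque) {
    toy_backend *b = opaque;
    b->calls++;
    if (b->calls == b->fail_on_nth) return -1;          /* simulated failure */
    strncat(b->log, rule, sizeof(b->log) - strlen(b->log) - 1);
    strncat(b->log, ";", sizeof(b->log) - strlen(b->log) - 1);
    return 0;
}

/* Two checkpoints with undo rules; fail_on_nth == 0 means never fail. */
int toy_demo(int fail_on_nth) {
    toy_firewall fw;
    toy_firewall_init(&fw);
    memset(&last_backend, 0, sizeof(last_backend));
    last_backend.fail_on_nth = fail_on_nth;
    toy_start_transaction(&fw);
    toy_add_rule(&fw, "add-22");
    toy_start_rollback(&fw);
    toy_add_rule(&fw, "del-22");
    toy_start_transaction(&fw);
    toy_add_rule(&fw, "add-80");
    toy_add_rule(&fw, "add-443");
    toy_start_rollback(&fw);
    toy_add_rule(&fw, "del-80");
    toy_add_rule(&fw, "del-443");
    return toy_apply(&fw, toy_record, &last_backend);
}

const char *toy_demo_log(void) { return last_backend.log; }

/* The ENODATA path: adding a rule before any checkpoint was opened. */
int toy_empty_error(void) {
    toy_firewall fw;
    toy_firewall_init(&fw);
    toy_add_rule(&fw, "add-22");
    return fw.err;
}

int main(void) {
    printf("ok:   %d  %s\n", toy_demo(0), toy_demo_log());
    printf("fail: %d  %s\n", toy_demo(3), toy_demo_log());
    return 0;
}
```

Applying with no failure executes "add-22;add-80;add-443;"; making the third rule fail executes "add-22;add-80;" and then the undo rules "del-443;del-80;del-22;", which is the property the commit message is after: the rule list is data, and the engine that applies it decides how to unwind it.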