[libvirt] [PATCH 2/5] util: move all firewalld-specific stuff into its own file

Daniel P. Berrangé berrange at redhat.com
Tue Jan 15 16:23:28 UTC 2019 

On Wed, Jan 09, 2019 at 09:57:34PM -0500, Laine Stump wrote:
> Since I'm going to be adding at least one more firewalld-specific
> function, this seems like a good time to separate the code that's
> unique to firewalld from the more-generic "firewall" file.
> 
> Signed-off-by: Laine Stump <laine at laine.org>
> ---
>  include/libvirt/virterror.h |   1 +
>  src/libvirt_private.syms    |   3 +
>  src/util/Makefile.inc.am    |   2 +
>  src/util/virerror.c         |   1 +
>  src/util/virfirewall.c      |  86 ++----------------------
>  src/util/virfirewalld.c     | 128 ++++++++++++++++++++++++++++++++++++
>  src/util/virfirewalld.h     |  33 ++++++++++
>  src/util/virfirewallpriv.h  |   2 -
>  tests/virfirewalltest.c     |   1 +
>  9 files changed, 173 insertions(+), 84 deletions(-)
>  create mode 100644 src/util/virfirewalld.c
>  create mode 100644 src/util/virfirewalld.h

> +    if (error.level == VIR_ERR_ERROR) {
> +        /*
> +         * As of firewalld-0.3.9.3-1.fc20.noarch the name and
> +         * message fields in the error look like
> +         *
> +         *    name="org.freedesktop.DBus.Python.dbus.exceptions.DBusException"
> +         * message="COMMAND_FAILED: '/sbin/iptables --table filter --delete
> +         *          INPUT --in-interface virbr0 --protocol udp --destination-port 53
> +         *          --jump ACCEPT' failed: iptables: Bad rule (does a matching rule
> +         *          exist in that chain?)."
> +         *
> +         * We'd like to only ignore DBus errors precisely related to the failure
> +         * of iptables/ebtables commands. A well designed DBus interface would
> +         * return specific named exceptions not the top level generic python dbus
> +         * exception name. With this current scheme our only option is todo a
> +         * sub-string match for 'COMMAND_FAILED' on the message. eg like
> +         *
> +         * if (ignoreErrors &&
> +         *     STREQ(error.name,
> +         *           "org.freedesktop.DBus.Python.dbus.exceptions.DBusException") &&
> +         *     STRPREFIX(error.message, "COMMAND_FAILED"))
> +         *    ...
> +         *
> +         * But this risks our error detecting code being broken if firewalld changes
> +         * ever alter the message string, so we're avoiding doing that.
> +         */

We really ought to ask the firewalld guys to improve this since
we have good communication with them now :-)

> +        if (ignoreErrors) {
> +            VIR_DEBUG("Ignoring error '%s': '%s'",
> +                      error.str1, error.message);
> +        } else {
> +            virReportErrorObject(&error);
> +            goto cleanup;
> +        }
> +    } else {
> +        if (virDBusMessageRead(reply, "s", output) < 0)
> +            goto cleanup;
> +    }
> +
> +    ret = 0;
> +
> + cleanup:
> +    virResetError(&error);
> +    virDBusMessageUnref(reply);
> +    return ret;
> +}


> diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h
> new file mode 100644
> index 0000000000..c1c929399a
> --- /dev/null
> +++ b/src/util/virfirewalld.h
> @@ -0,0 +1,33 @@


> +#ifndef LIBVIRT_VIRFIREWALLD_H
> +# define LIBVIRT_VIRFIREWALLD_H
> +
> +# define VIR_FIREWALL_FIREWALLD_SERVICE "org.fedoraproject.FirewallD1"

This is only needed for tests so should go in a priv.h header
as it was before.

> +
> +int virFirewallDStatus(void);

Perhaps  virFirewallDIsRegistered() ?

Could you put API docs for this since it has an unusal tri-state
return value.

> +
> +int virFirewallDApplyRule(virFirewallLayer layer,
> +                          char **args, size_t argsLen,
> +                          bool ignoreErrors,
> +                          char **output);

Would be nice to have API docs for this too

> +
> +#endif /* LIBVIRT_VIRFIREWALLD_H */
> diff --git a/src/util/virfirewallpriv.h b/src/util/virfirewallpriv.h
> index efa94a7da4..7c31d0680d 100644
> --- a/src/util/virfirewallpriv.h
> +++ b/src/util/virfirewallpriv.h
> @@ -27,8 +27,6 @@
>  
>  # include "virfirewall.h"
>  
> -# define VIR_FIREWALL_FIREWALLD_SERVICE "org.fedoraproject.FirewallD1"
> -
>  typedef enum {
>      VIR_FIREWALL_BACKEND_AUTOMATIC,
>      VIR_FIREWALL_BACKEND_DIRECT,
> diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
> index 63b9ced820..573ab1f9cd 100644
> --- a/tests/virfirewalltest.c
> +++ b/tests/virfirewalltest.c
> @@ -27,6 +27,7 @@
>  # include "vircommandpriv.h"
>  # define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW
>  # include "virfirewallpriv.h"
> +# include "virfirewalld.h"

Should be virfirewalldpriv.h


Assuming those small changes are made

Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list