File libvirt-util-refactor-iptables-command-construction-into-multiple-steps.patch of Package libvirt
From 72ad23a73f2e5d9c1fe8792c618ce56997ddd372 Mon Sep 17 00:00:00 2001
Message-Id: <72ad23a73f2e5d9c1fe8792c618ce56997ddd372.1373885146.git.jdenemar@redhat.com>
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Tue, 2 Jul 2013 03:48:43 -0400
Subject: [PATCH] util: refactor iptables command construction into multiple
steps
This is a prerequisite for the patches that resolve:
https://bugzilla.redhat.com/show_bug.cgi?id=851455
Instead of creating an iptables command in one shot, do it in steps
so we can add conditional options like physdev and protocol.
This removes code duplication while keeping existing behaviour.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from upstream f3531a040cf2ea1fc432a7613af4e9e823b2caa1)
Conflicts:
iptables.c has been renamed to viriptables.c upstream.
small conflict due to filename added in copyright notice.
---
src/util/iptables.c | 132 +++++++++++++++++++++++-----------------------------
1 file changed, 59 insertions(+), 73 deletions(-)
diff --git a/src/util/iptables.c b/src/util/iptables.c
index 00a1c29..9fc856d 100644
--- a/src/util/iptables.c
+++ b/src/util/iptables.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2012 Red Hat, Inc.
+ * Copyright (C) 2007-2013 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -127,15 +127,10 @@ iptRulesNew(const char *table,
return NULL;
}
-static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(iptRules *rules, int family, int action,
- const char *arg, ...)
+static virCommandPtr
+iptablesCommandNew(iptRules *rules, int family, int action)
{
- va_list args;
- int ret;
virCommandPtr cmd = NULL;
- const char *s;
-
#if HAVE_FIREWALLD
virIpTablesInitialize();
if (firewall_cmd_path) {
@@ -152,16 +147,36 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action,
virCommandAddArgList(cmd, "--table", rules->table,
action == ADD ? "--insert" : "--delete",
- rules->chain, arg, NULL);
+ rules->chain, NULL);
+ return cmd;
+}
+
+static int
+iptablesCommandRunAndFree(virCommandPtr cmd)
+{
+ int ret;
+ ret = virCommandRun(cmd, NULL);
+ virCommandFree(cmd);
+ return ret;
+}
+
+static int ATTRIBUTE_SENTINEL
+iptablesAddRemoveRule(iptRules *rules, int family, int action,
+ const char *arg, ...)
+{
+ va_list args;
+ virCommandPtr cmd = NULL;
+ const char *s;
+
+ cmd = iptablesCommandNew(rules, family, action);
+ virCommandAddArg(cmd, arg);
va_start(args, arg);
while ((s = va_arg(args, const char *)))
virCommandAddArg(cmd, s);
va_end(args);
- ret = virCommandRun(cmd, NULL);
- virCommandFree(cmd);
- return ret;
+ return iptablesCommandRunAndFree(cmd);
}
/**
@@ -370,28 +385,24 @@ iptablesForwardAllowOut(iptablesContext *ctx,
{
int ret;
char *networkstr;
+ virCommandPtr cmd = NULL;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
- if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
- VIR_SOCKET_ADDR_FAMILY(netaddr),
- action,
- "--source", networkstr,
- "--in-interface", iface,
- "--out-interface", physdev,
- "--jump", "ACCEPT",
- NULL);
- } else {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
- VIR_SOCKET_ADDR_FAMILY(netaddr),
- action,
- "--source", networkstr,
- "--in-interface", iface,
- "--jump", "ACCEPT",
- NULL);
- }
+ cmd = iptablesCommandNew(ctx->forward_filter,
+ VIR_SOCKET_ADDR_FAMILY(netaddr),
+ action);
+ virCommandAddArgList(cmd,
+ "--source", networkstr,
+ "--in-interface", iface, NULL);
+
+ if (physdev && physdev[0])
+ virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
+
+ virCommandAddArgList(cmd, "--jump", "ACCEPT", NULL);
+
+ ret = iptablesCommandRunAndFree(cmd);
VIR_FREE(networkstr);
return ret;
}
@@ -797,6 +808,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
{
int ret;
char *networkstr;
+ virCommandPtr cmd = NULL;
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
@@ -810,49 +822,23 @@ iptablesForwardMasquerade(iptablesContext *ctx,
return -1;
}
- if (protocol && protocol[0]) {
- if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->nat_postrouting,
- AF_INET,
- action,
- "--source", networkstr,
- "-p", protocol,
- "!", "--destination", networkstr,
- "--out-interface", physdev,
- "--jump", "MASQUERADE",
- "--to-ports", "1024-65535",
- NULL);
- } else {
- ret = iptablesAddRemoveRule(ctx->nat_postrouting,
- AF_INET,
- action,
- "--source", networkstr,
- "-p", protocol,
- "!", "--destination", networkstr,
- "--jump", "MASQUERADE",
- "--to-ports", "1024-65535",
- NULL);
- }
- } else {
- if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->nat_postrouting,
- AF_INET,
- action,
- "--source", networkstr,
- "!", "--destination", networkstr,
- "--out-interface", physdev,
- "--jump", "MASQUERADE",
- NULL);
- } else {
- ret = iptablesAddRemoveRule(ctx->nat_postrouting,
- AF_INET,
- action,
- "--source", networkstr,
- "!", "--destination", networkstr,
- "--jump", "MASQUERADE",
- NULL);
- }
- }
+ cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action);
+ virCommandAddArgList(cmd, "--source", networkstr, NULL);
+
+ if (protocol && protocol[0])
+ virCommandAddArgList(cmd, "-p", protocol, NULL);
+
+ virCommandAddArgList(cmd, "!", "--destination", networkstr, NULL);
+
+ if (physdev && physdev[0])
+ virCommandAddArgList(cmd, "--out-interface", physdev, NULL);
+
+ virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL);
+
+ if (protocol && protocol[0])
+ virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL);
+
+ ret = iptablesCommandRunAndFree(cmd);
VIR_FREE(networkstr);
return ret;
}
--
1.8.3.2
