[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 5/5] remove now unneeded iptablesContext



iptablesContext no longer contains any state, so we can drop it

* src/util/iptables.c, src/util/iptables.h: drop iptablesContext

* src/network/bridge_driver.c: update callers

* src/libvirt_private.syms: drop context new/free functions
---
 src/libvirt_private.syms    |    2 -
 src/network/bridge_driver.c |  132 ++++++++-----------
 src/util/iptables.c         |  307 ++++++++++++-------------------------------
 src/util/iptables.h         |   59 +++------
 4 files changed, 153 insertions(+), 347 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index e5ba365..d78142e 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -235,8 +235,6 @@ iptablesAddForwardRejectIn;
 iptablesAddForwardRejectOut;
 iptablesAddTcpInput;
 iptablesAddUdpInput;
-iptablesContextFree;
-iptablesContextNew;
 iptablesRemoveForwardAllowCross;
 iptablesRemoveForwardAllowIn;
 iptablesRemoveForwardAllowOut;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index abee78c..28340a1 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -69,7 +69,6 @@ struct network_driver {
 
     virNetworkObjList networks;
 
-    iptablesContext *iptables;
     brControl *brctl;
     char *networkConfigDir;
     char *networkAutostartDir;
@@ -247,11 +246,6 @@ networkStartup(int privileged) {
         goto error;
     }
 
-    if (!(driverState->iptables = iptablesContextNew())) {
-        goto out_of_memory;
-    }
-
-
     if (virNetworkLoadAllConfigs(NULL,
                                  &driverState->networks,
                                  driverState->networkConfigDir,
@@ -349,8 +343,6 @@ networkShutdown(void) {
 
     if (driverState->brctl)
         brShutdown(driverState->brctl);
-    if (driverState->iptables)
-        iptablesContextFree(driverState->iptables);
 
     networkDriverUnlock(driverState);
     virMutexDestroy(&driverState->lock);
@@ -590,13 +582,11 @@ cleanup:
 }
 
 static int
-networkAddMasqueradingIptablesRules(virConnectPtr conn,
-                      struct network_driver *driver,
-                      virNetworkObjPtr network) {
+networkAddMasqueradingIptablesRules(virConnectPtr conn, virNetworkObjPtr network)
+{
     int err;
     /* allow forwarding packets from the bridge interface */
-    if ((err = iptablesAddForwardAllowOut(driver->iptables,
-                                          network->def->network,
+    if ((err = iptablesAddForwardAllowOut(network->def->network,
                                           network->def->bridge,
                                           network->def->forwardDev))) {
         virReportSystemError(conn, err,
@@ -606,10 +596,9 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn,
     }
 
     /* allow forwarding packets to the bridge interface if they are part of an existing connection */
-    if ((err = iptablesAddForwardAllowRelatedIn(driver->iptables,
-                                         network->def->network,
-                                         network->def->bridge,
-                                         network->def->forwardDev))) {
+    if ((err = iptablesAddForwardAllowRelatedIn(network->def->network,
+                                                network->def->bridge,
+                                                network->def->forwardDev))) {
         virReportSystemError(conn, err,
                              _("failed to add iptables rule to allow forwarding to '%s'"),
                              network->def->bridge);
@@ -617,8 +606,7 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn,
     }
 
     /* enable masquerading */
-    if ((err = iptablesAddForwardMasquerade(driver->iptables,
-                                            network->def->network,
+    if ((err = iptablesAddForwardMasquerade(network->def->network,
                                             network->def->forwardDev))) {
         virReportSystemError(conn, err,
                              _("failed to add iptables rule to enable masquerading to '%s'\n"),
@@ -629,13 +617,11 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn,
     return 1;
 
  masqerr3:
-    iptablesRemoveForwardAllowRelatedIn(driver->iptables,
-                                 network->def->network,
-                                 network->def->bridge,
-                                 network->def->forwardDev);
+    iptablesRemoveForwardAllowRelatedIn(network->def->network,
+                                        network->def->bridge,
+                                        network->def->forwardDev);
  masqerr2:
-    iptablesRemoveForwardAllowOut(driver->iptables,
-                                  network->def->network,
+    iptablesRemoveForwardAllowOut(network->def->network,
                                   network->def->bridge,
                                   network->def->forwardDev);
  masqerr1:
@@ -643,13 +629,11 @@ networkAddMasqueradingIptablesRules(virConnectPtr conn,
 }
 
 static int
-networkAddRoutingIptablesRules(virConnectPtr conn,
-                      struct network_driver *driver,
-                      virNetworkObjPtr network) {
+networkAddRoutingIptablesRules(virConnectPtr conn, virNetworkObjPtr network)
+{
     int err;
     /* allow routing packets from the bridge interface */
-    if ((err = iptablesAddForwardAllowOut(driver->iptables,
-                                          network->def->network,
+    if ((err = iptablesAddForwardAllowOut(network->def->network,
                                           network->def->bridge,
                                           network->def->forwardDev))) {
         virReportSystemError(conn, err,
@@ -659,8 +643,7 @@ networkAddRoutingIptablesRules(virConnectPtr conn,
     }
 
     /* allow routing packets to the bridge interface */
-    if ((err = iptablesAddForwardAllowIn(driver->iptables,
-                                         network->def->network,
+    if ((err = iptablesAddForwardAllowIn(network->def->network,
                                          network->def->bridge,
                                          network->def->forwardDev))) {
         virReportSystemError(conn, err,
@@ -673,8 +656,7 @@ networkAddRoutingIptablesRules(virConnectPtr conn,
 
 
  routeerr2:
-    iptablesRemoveForwardAllowOut(driver->iptables,
-                                  network->def->network,
+    iptablesRemoveForwardAllowOut(network->def->network,
                                   network->def->bridge,
                                   network->def->forwardDev);
  routeerr1:
@@ -682,20 +664,19 @@ networkAddRoutingIptablesRules(virConnectPtr conn,
 }
 
 static int
-networkAddIptablesRules(virConnectPtr conn,
-                      struct network_driver *driver,
-                      virNetworkObjPtr network) {
+networkAddIptablesRules(virConnectPtr conn, virNetworkObjPtr network)
+{
     int err;
 
     /* allow DHCP requests through to dnsmasq */
-    if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge, 67))) {
+    if ((err = iptablesAddTcpInput(network->def->bridge, 67))) {
         virReportSystemError(conn, err,
                              _("failed to add iptables rule to allow DHCP requests from '%s'"),
                              network->def->bridge);
         goto err1;
     }
 
-    if ((err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 67))) {
+    if ((err = iptablesAddUdpInput(network->def->bridge, 67))) {
         virReportSystemError(conn, err,
                              _("failed to add iptables rule to allow DHCP requests from '%s'"),
                              network->def->bridge);
@@ -703,14 +684,14 @@ networkAddIptablesRules(virConnectPtr conn,
     }
 
     /* allow DNS requests through to dnsmasq */
-    if ((err = iptablesAddTcpInput(driver->iptables, network->def->bridge, 53))) {
+    if ((err = iptablesAddTcpInput(network->def->bridge, 53))) {
         virReportSystemError(conn, err,
                              _("failed to add iptables rule to allow DNS requests from '%s'"),
                              network->def->bridge);
         goto err3;
     }
 
-    if ((err = iptablesAddUdpInput(driver->iptables, network->def->bridge, 53))) {
+    if ((err = iptablesAddUdpInput(network->def->bridge, 53))) {
         virReportSystemError(conn, err,
                              _("failed to add iptables rule to allow DNS requests from '%s'"),
                              network->def->bridge);
@@ -720,14 +701,14 @@ networkAddIptablesRules(virConnectPtr conn,
 
     /* Catch all rules to block forwarding to/from bridges */
 
-    if ((err = iptablesAddForwardRejectOut(driver->iptables, network->def->bridge))) {
+    if ((err = iptablesAddForwardRejectOut(network->def->bridge))) {
         virReportSystemError(conn, err,
                              _("failed to add iptables rule to block outbound traffic from '%s'"),
                              network->def->bridge);
         goto err5;
     }
 
-    if ((err = iptablesAddForwardRejectIn(driver->iptables, network->def->bridge))) {
+    if ((err = iptablesAddForwardRejectIn(network->def->bridge))) {
         virReportSystemError(conn, err,
                              _("failed to add iptables rule to block inbound traffic to '%s'"),
                              network->def->bridge);
@@ -735,7 +716,7 @@ networkAddIptablesRules(virConnectPtr conn,
     }
 
     /* Allow traffic between guests on the same bridge */
-    if ((err = iptablesAddForwardAllowCross(driver->iptables, network->def->bridge))) {
+    if ((err = iptablesAddForwardAllowCross(network->def->bridge))) {
         virReportSystemError(conn, err,
                              _("failed to add iptables rule to allow cross bridge traffic on '%s'"),
                              network->def->bridge);
@@ -745,66 +726,59 @@ networkAddIptablesRules(virConnectPtr conn,
 
     /* If masquerading is enabled, set up the rules*/
     if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT &&
-        !networkAddMasqueradingIptablesRules(conn, driver, network))
+        !networkAddMasqueradingIptablesRules(conn, network))
         goto err8;
     /* else if routing is enabled, set up the rules*/
     else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE &&
-             !networkAddRoutingIptablesRules(conn, driver, network))
+             !networkAddRoutingIptablesRules(conn, network))
         goto err8;
 
     return 1;
 
  err8:
-    iptablesRemoveForwardAllowCross(driver->iptables,
-                                    network->def->bridge);
+    iptablesRemoveForwardAllowCross(network->def->bridge);
  err7:
-    iptablesRemoveForwardRejectIn(driver->iptables,
-                                  network->def->bridge);
+    iptablesRemoveForwardRejectIn(network->def->bridge);
  err6:
-    iptablesRemoveForwardRejectOut(driver->iptables,
-                                   network->def->bridge);
+    iptablesRemoveForwardRejectOut(network->def->bridge);
  err5:
-    iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53);
+    iptablesRemoveUdpInput(network->def->bridge, 53);
  err4:
-    iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
+    iptablesRemoveTcpInput(network->def->bridge, 53);
  err3:
-    iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
+    iptablesRemoveUdpInput(network->def->bridge, 67);
  err2:
-    iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
+    iptablesRemoveTcpInput(network->def->bridge, 67);
  err1:
     return 0;
 }
 
 static void
-networkRemoveIptablesRules(struct network_driver *driver,
-                         virNetworkObjPtr network) {
+networkRemoveIptablesRules(virNetworkObjPtr network)
+{
     if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
         if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT) {
-            iptablesRemoveForwardMasquerade(driver->iptables,
-                                                network->def->network,
-                                                network->def->forwardDev);
-            iptablesRemoveForwardAllowRelatedIn(driver->iptables,
-                                                network->def->network,
+            iptablesRemoveForwardMasquerade(network->def->network,
+                                            network->def->forwardDev);
+            iptablesRemoveForwardAllowRelatedIn(network->def->network,
                                                 network->def->bridge,
                                                 network->def->forwardDev);
         } else if (network->def->forwardType == VIR_NETWORK_FORWARD_ROUTE)
-            iptablesRemoveForwardAllowIn(driver->iptables,
-                                         network->def->network,
+            iptablesRemoveForwardAllowIn(network->def->network,
                                          network->def->bridge,
                                          network->def->forwardDev);
 
-        iptablesRemoveForwardAllowOut(driver->iptables,
-                                      network->def->network,
+        iptablesRemoveForwardAllowOut(network->def->network,
                                       network->def->bridge,
                                       network->def->forwardDev);
     }
-    iptablesRemoveForwardAllowCross(driver->iptables, network->def->bridge);
-    iptablesRemoveForwardRejectIn(driver->iptables, network->def->bridge);
-    iptablesRemoveForwardRejectOut(driver->iptables, network->def->bridge);
-    iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 53);
-    iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 53);
-    iptablesRemoveUdpInput(driver->iptables, network->def->bridge, 67);
-    iptablesRemoveTcpInput(driver->iptables, network->def->bridge, 67);
+    iptablesRemoveForwardAllowCross(network->def->bridge);
+    iptablesRemoveForwardRejectIn(network->def->bridge);
+    iptablesRemoveForwardRejectOut(network->def->bridge);
+    iptablesRemoveUdpInput(network->def->bridge, 53);
+    iptablesRemoveTcpInput(network->def->bridge, 53);
+    iptablesRemoveUdpInput(network->def->bridge, 67);
+    iptablesRemoveTcpInput(network->def->bridge, 67);
 }
 
 static void
@@ -818,8 +792,8 @@ networkReloadIptablesRules(struct network_driver *driver)
         virNetworkObjLock(driver->networks.objs[i]);
 
         if (virNetworkObjIsActive(driver->networks.objs[i])) {
-            networkRemoveIptablesRules(driver, driver->networks.objs[i]);
-            if (!networkAddIptablesRules(NULL, driver, driver->networks.objs[i])) {
+            networkRemoveIptablesRules(driver->networks.objs[i]);
+            if (!networkAddIptablesRules(NULL, driver->networks.objs[i])) {
                 /* failed to add but already logged */
             }
         }
@@ -940,7 +914,7 @@ static int networkStartNetworkDaemon(virConnectPtr conn,
         goto err_delbr;
     }
 
-    if (!networkAddIptablesRules(conn, driver, network))
+    if (!networkAddIptablesRules(conn, network))
         goto err_delbr1;
 
     if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE &&
@@ -972,7 +946,7 @@ static int networkStartNetworkDaemon(virConnectPtr conn,
     }
 
  err_delbr2:
-    networkRemoveIptablesRules(driver, network);
+    networkRemoveIptablesRules(network);
 
  err_delbr1:
     if ((err = brSetInterfaceUp(driver->brctl, network->def->bridge, 0))) {
@@ -1013,7 +987,7 @@ static int networkShutdownNetworkDaemon(virConnectPtr conn,
     if (network->dnsmasqPid > 0)
         kill(network->dnsmasqPid, SIGTERM);
 
-    networkRemoveIptablesRules(driver, network);
+    networkRemoveIptablesRules(network);
 
     char ebuf[1024];
     if ((err = brSetInterfaceUp(driver->brctl, network->def->bridge, 0))) {
diff --git a/src/util/iptables.c b/src/util/iptables.c
index 3c02ea6..de75a24 100644
--- a/src/util/iptables.c
+++ b/src/util/iptables.c
@@ -52,51 +52,9 @@ enum {
     REMOVE
 };
 
-typedef struct
-{
-    char  *table;
-    char  *chain;
-} iptRules;
-
-struct _iptablesContext
-{
-    iptRules *input_filter;
-    iptRules *forward_filter;
-    iptRules *nat_postrouting;
-};
-
-static void
-iptRulesFree(iptRules *rules)
-{
-    VIR_FREE(rules->table);
-    VIR_FREE(rules->chain);
-    VIR_FREE(rules);
-}
-
-static iptRules *
-iptRulesNew(const char *table,
-            const char *chain)
-{
-    iptRules *rules;
-
-    if (VIR_ALLOC(rules) < 0)
-        return NULL;
-
-    if (!(rules->table = strdup(table)))
-        goto error;
-
-    if (!(rules->chain = strdup(chain)))
-        goto error;
-
-    return rules;
-
- error:
-    iptRulesFree(rules);
-    return NULL;
-}
-
 static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...)
+iptablesAddRemoveRule(const char *table, const char *chain,
+                      int action, const char *arg, ...)
 {
     va_list args;
     int retval = ENOMEM;
@@ -126,13 +84,13 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...)
     if (!(argv[n++] = strdup("--table")))
         goto error;
 
-    if (!(argv[n++] = strdup(rules->table)))
+    if (!(argv[n++] = strdup(table)))
         goto error;
 
     if (!(argv[n++] = strdup(action == ADD ? "--insert" : "--delete")))
         goto error;
 
-    if (!(argv[n++] = strdup(rules->chain)))
+    if (!(argv[n++] = strdup(chain)))
         goto error;
 
     if (!(argv[n++] = strdup(arg)))
@@ -164,58 +122,8 @@ iptablesAddRemoveRule(iptRules *rules, int action, const char *arg, ...)
     return retval;
 }
 
-/**
- * iptablesContextNew:
- *
- * Create a new IPtable context
- *
- * Returns a pointer to the new structure or NULL in case of error
- */
-iptablesContext *
-iptablesContextNew(void)
-{
-    iptablesContext *ctx;
-
-    if (VIR_ALLOC(ctx) < 0)
-        return NULL;
-
-    if (!(ctx->input_filter = iptRulesNew("filter", "INPUT")))
-        goto error;
-
-    if (!(ctx->forward_filter = iptRulesNew("filter", "FORWARD")))
-        goto error;
-
-    if (!(ctx->nat_postrouting = iptRulesNew("nat", "POSTROUTING")))
-        goto error;
-
-    return ctx;
-
- error:
-    iptablesContextFree(ctx);
-    return NULL;
-}
-
-/**
- * iptablesContextFree:
- * @ctx: pointer to the IP table context
- *
- * Free the resources associated with an IP table context
- */
-void
-iptablesContextFree(iptablesContext *ctx)
-{
-    if (ctx->input_filter)
-        iptRulesFree(ctx->input_filter);
-    if (ctx->forward_filter)
-        iptRulesFree(ctx->forward_filter);
-    if (ctx->nat_postrouting)
-        iptRulesFree(ctx->nat_postrouting);
-    VIR_FREE(ctx);
-}
-
 static int
-iptablesInput(iptablesContext *ctx,
-              const char *iface,
+iptablesInput(const char *iface,
               int port,
               int action,
               int tcp)
@@ -225,7 +133,7 @@ iptablesInput(iptablesContext *ctx,
     snprintf(portstr, sizeof(portstr), "%d", port);
     portstr[sizeof(portstr) - 1] = '\0';
 
-    return iptablesAddRemoveRule(ctx->input_filter,
+    return iptablesAddRemoveRule("filter", "INPUT",
                                  action,
                                  "--in-interface", iface,
                                  "--protocol", tcp ? "tcp" : "udp",
@@ -236,7 +144,6 @@ iptablesInput(iptablesContext *ctx,
 
 /**
  * iptablesAddTcpInput:
- * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the TCP port to add
  *
@@ -247,16 +154,13 @@ iptablesInput(iptablesContext *ctx,
  */
 
 int
-iptablesAddTcpInput(iptablesContext *ctx,
-                    const char *iface,
-                    int port)
+iptablesAddTcpInput(const char *iface, int port)
 {
-    return iptablesInput(ctx, iface, port, ADD, 1);
+    return iptablesInput(iface, port, ADD, 1);
 }
 
 /**
  * iptablesRemoveTcpInput:
- * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the TCP port to remove
  *
@@ -266,16 +170,13 @@ iptablesAddTcpInput(iptablesContext *ctx,
  * Returns 0 in case of success or an error code in case of error
  */
 int
-iptablesRemoveTcpInput(iptablesContext *ctx,
-                       const char *iface,
-                       int port)
+iptablesRemoveTcpInput(const char *iface, int port)
 {
-    return iptablesInput(ctx, iface, port, REMOVE, 1);
+    return iptablesInput(iface, port, REMOVE, 1);
 }
 
 /**
  * iptablesAddUdpInput:
- * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the UDP port to add
  *
@@ -286,16 +187,13 @@ iptablesRemoveTcpInput(iptablesContext *ctx,
  */
 
 int
-iptablesAddUdpInput(iptablesContext *ctx,
-                    const char *iface,
-                    int port)
+iptablesAddUdpInput(const char *iface, int port)
 {
-    return iptablesInput(ctx, iface, port, ADD, 0);
+    return iptablesInput(iface, port, ADD, 0);
 }
 
 /**
  * iptablesRemoveUdpInput:
- * @ctx: pointer to the IP table context
  * @iface: the interface name
  * @port: the UDP port to remove
  *
@@ -305,11 +203,9 @@ iptablesAddUdpInput(iptablesContext *ctx,
  * Returns 0 in case of success or an error code in case of error
  */
 int
-iptablesRemoveUdpInput(iptablesContext *ctx,
-                       const char *iface,
-                       int port)
+iptablesRemoveUdpInput(const char *iface, int port)
 {
-    return iptablesInput(ctx, iface, port, REMOVE, 0);
+    return iptablesInput(iface, port, REMOVE, 0);
 }
 
 
@@ -317,14 +213,13 @@ iptablesRemoveUdpInput(iptablesContext *ctx,
  * to proceed to WAN
  */
 static int
-iptablesForwardAllowOut(iptablesContext *ctx,
-                         const char *network,
-                         const char *iface,
-                         const char *physdev,
-                         int action)
+iptablesForwardAllowOut(const char *network,
+                        const char *iface,
+                        const char *physdev,
+                        int action)
 {
     if (physdev && physdev[0]) {
-        return iptablesAddRemoveRule(ctx->forward_filter,
+        return iptablesAddRemoveRule("filter", "FORWARD",
                                      action,
                                      "--source", network,
                                      "--in-interface", iface,
@@ -332,7 +227,7 @@ iptablesForwardAllowOut(iptablesContext *ctx,
                                      "--jump", "ACCEPT",
                                      NULL);
     } else {
-        return iptablesAddRemoveRule(ctx->forward_filter,
+        return iptablesAddRemoveRule("filter", "FORWARD",
                                      action,
                                      "--source", network,
                                      "--in-interface", iface,
@@ -343,7 +238,6 @@ iptablesForwardAllowOut(iptablesContext *ctx,
 
 /**
  * iptablesAddForwardAllowOut:
- * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the source interface name
  * @physdev: the physical output device
@@ -355,17 +249,15 @@ iptablesForwardAllowOut(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardAllowOut(iptablesContext *ctx,
-                            const char *network,
-                            const char *iface,
-                            const char *physdev)
+iptablesAddForwardAllowOut(const char *network,
+                           const char *iface,
+                           const char *physdev)
 {
-    return iptablesForwardAllowOut(ctx, network, iface, physdev, ADD);
+    return iptablesForwardAllowOut(network, iface, physdev, ADD);
 }
 
 /**
  * iptablesRemoveForwardAllowOut:
- * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the source interface name
  * @physdev: the physical output device
@@ -377,12 +269,11 @@ iptablesAddForwardAllowOut(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardAllowOut(iptablesContext *ctx,
-                               const char *network,
-                               const char *iface,
-                               const char *physdev)
+iptablesRemoveForwardAllowOut(const char *network,
+                              const char *iface,
+                              const char *physdev)
 {
-    return iptablesForwardAllowOut(ctx, network, iface, physdev, REMOVE);
+    return iptablesForwardAllowOut(network, iface, physdev, REMOVE);
 }
 
 
@@ -390,14 +281,13 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx,
  * and associated with an existing connection
  */
 static int
-iptablesForwardAllowRelatedIn(iptablesContext *ctx,
-                       const char *network,
-                       const char *iface,
-                       const char *physdev,
-                       int action)
+iptablesForwardAllowRelatedIn(const char *network,
+                              const char *iface,
+                              const char *physdev,
+                              int action)
 {
     if (physdev && physdev[0]) {
-        return iptablesAddRemoveRule(ctx->forward_filter,
+        return iptablesAddRemoveRule("filter", "FORWARD",
                                      action,
                                      "--destination", network,
                                      "--in-interface", physdev,
@@ -407,7 +297,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
                                      "--jump", "ACCEPT",
                                      NULL);
     } else {
-        return iptablesAddRemoveRule(ctx->forward_filter,
+        return iptablesAddRemoveRule("filter", "FORWARD",
                                      action,
                                      "--destination", network,
                                      "--out-interface", iface,
@@ -420,7 +310,6 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
 
 /**
  * iptablesAddForwardAllowRelatedIn:
- * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the output interface name
  * @physdev: the physical input device or NULL
@@ -432,17 +321,15 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
-                          const char *network,
-                          const char *iface,
-                          const char *physdev)
+iptablesAddForwardAllowRelatedIn(const char *network,
+                                 const char *iface,
+                                 const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, ADD);
+    return iptablesForwardAllowRelatedIn(network, iface, physdev, ADD);
 }
 
 /**
  * iptablesRemoveForwardAllowRelatedIn:
- * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the output interface name
  * @physdev: the physical input device or NULL
@@ -454,25 +341,23 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
-                             const char *network,
-                             const char *iface,
-                             const char *physdev)
+iptablesRemoveForwardAllowRelatedIn(const char *network,
+                                    const char *iface,
+                                    const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, REMOVE);
+    return iptablesForwardAllowRelatedIn(network, iface, physdev, REMOVE);
 }
 
 /* Allow all traffic destined to the bridge, with a valid network address
  */
 static int
-iptablesForwardAllowIn(iptablesContext *ctx,
-                       const char *network,
+iptablesForwardAllowIn(const char *network,
                        const char *iface,
                        const char *physdev,
                        int action)
 {
     if (physdev && physdev[0]) {
-        return iptablesAddRemoveRule(ctx->forward_filter,
+        return iptablesAddRemoveRule("filter", "FORWARD",
                                      action,
                                      "--destination", network,
                                      "--in-interface", physdev,
@@ -480,7 +365,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
                                      "--jump", "ACCEPT",
                                      NULL);
     } else {
-        return iptablesAddRemoveRule(ctx->forward_filter,
+        return iptablesAddRemoveRule("filter", "FORWARD",
                                      action,
                                      "--destination", network,
                                      "--out-interface", iface,
@@ -491,7 +376,6 @@ iptablesForwardAllowIn(iptablesContext *ctx,
 
 /**
  * iptablesAddForwardAllowIn:
- * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the output interface name
  * @physdev: the physical input device or NULL
@@ -503,17 +387,15 @@ iptablesForwardAllowIn(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardAllowIn(iptablesContext *ctx,
-                          const char *network,
+iptablesAddForwardAllowIn(const char *network,
                           const char *iface,
                           const char *physdev)
 {
-    return iptablesForwardAllowIn(ctx, network, iface, physdev, ADD);
+    return iptablesForwardAllowIn(network, iface, physdev, ADD);
 }
 
 /**
  * iptablesRemoveForwardAllowIn:
- * @ctx: pointer to the IP table context
  * @network: the source network name
  * @iface: the output interface name
  * @physdev: the physical input device or NULL
@@ -525,12 +407,11 @@ iptablesAddForwardAllowIn(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardAllowIn(iptablesContext *ctx,
-                             const char *network,
+iptablesRemoveForwardAllowIn(const char *network,
                              const char *iface,
                              const char *physdev)
 {
-    return iptablesForwardAllowIn(ctx, network, iface, physdev, REMOVE);
+    return iptablesForwardAllowIn(network, iface, physdev, REMOVE);
 }
 
 
@@ -538,11 +419,9 @@ iptablesRemoveForwardAllowIn(iptablesContext *ctx,
  * with a valid network address
  */
 static int
-iptablesForwardAllowCross(iptablesContext *ctx,
-                          const char *iface,
-                          int action)
+iptablesForwardAllowCross(const char *iface, int action)
 {
-    return iptablesAddRemoveRule(ctx->forward_filter,
+    return iptablesAddRemoveRule("filter", "FORWARD",
                                  action,
                                  "--in-interface", iface,
                                  "--out-interface", iface,
@@ -552,7 +431,6 @@ iptablesForwardAllowCross(iptablesContext *ctx,
 
 /**
  * iptablesAddForwardAllowCross:
- * @ctx: pointer to the IP table context
  * @iface: the input/output interface name
  *
  * Add rules to the IP table context to allow traffic to cross that
@@ -562,14 +440,13 @@ iptablesForwardAllowCross(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardAllowCross(iptablesContext *ctx,
-                             const char *iface) {
-    return iptablesForwardAllowCross(ctx, iface, ADD);
+iptablesAddForwardAllowCross( const char *iface)
+{
+    return iptablesForwardAllowCross(iface, ADD);
 }
 
 /**
  * iptablesRemoveForwardAllowCross:
- * @ctx: pointer to the IP table context
  * @iface: the input/output interface name
  *
  * Remove rules to the IP table context to block traffic to cross that
@@ -579,9 +456,9 @@ iptablesAddForwardAllowCross(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardAllowCross(iptablesContext *ctx,
-                                const char *iface) {
-    return iptablesForwardAllowCross(ctx, iface, REMOVE);
+iptablesRemoveForwardAllowCross(const char *iface)
+{
+    return iptablesForwardAllowCross(iface, REMOVE);
 }
 
 
@@ -589,20 +466,17 @@ iptablesRemoveForwardAllowCross(iptablesContext *ctx,
  * ie the bridge is the in interface
  */
 static int
-iptablesForwardRejectOut(iptablesContext *ctx,
-                         const char *iface,
-                         int action)
+iptablesForwardRejectOut(const char *iface, int action)
 {
-    return iptablesAddRemoveRule(ctx->forward_filter,
-                                     action,
-                                     "--in-interface", iface,
-                                     "--jump", "REJECT",
-                                     NULL);
+    return iptablesAddRemoveRule("filter", "FORWARD",
+                                 action,
+                                 "--in-interface", iface,
+                                 "--jump", "REJECT",
+                                 NULL);
 }
 
 /**
  * iptablesAddForwardRejectOut:
- * @ctx: pointer to the IP table context
  * @iface: the output interface name
  *
  * Add rules to the IP table context to forbid all traffic to that
@@ -611,15 +485,13 @@ iptablesForwardRejectOut(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardRejectOut(iptablesContext *ctx,
-                            const char *iface)
+iptablesAddForwardRejectOut(const char *iface)
 {
-    return iptablesForwardRejectOut(ctx, iface, ADD);
+    return iptablesForwardRejectOut(iface, ADD);
 }
 
 /**
  * iptablesRemoveForwardRejectOut:
- * @ctx: pointer to the IP table context
  * @iface: the output interface name
  *
  * Remove rules from the IP table context forbidding all traffic to that
@@ -628,24 +500,18 @@ iptablesAddForwardRejectOut(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardRejectOut(iptablesContext *ctx,
-                               const char *iface)
+iptablesRemoveForwardRejectOut(const char *iface)
 {
-    return iptablesForwardRejectOut(ctx, iface, REMOVE);
+    return iptablesForwardRejectOut(iface, REMOVE);
 }
 
-
-
-
 /* Drop all traffic trying to forward to the bridge.
  * ie the bridge is the out interface
  */
 static int
-iptablesForwardRejectIn(iptablesContext *ctx,
-                        const char *iface,
-                        int action)
+iptablesForwardRejectIn(const char *iface, int action)
 {
-    return iptablesAddRemoveRule(ctx->forward_filter,
+    return iptablesAddRemoveRule("filter", "FORWARD",
                                  action,
                                  "--out-interface", iface,
                                  "--jump", "REJECT",
@@ -654,7 +520,6 @@ iptablesForwardRejectIn(iptablesContext *ctx,
 
 /**
  * iptablesAddForwardRejectIn:
- * @ctx: pointer to the IP table context
  * @iface: the input interface name
  *
  * Add rules to the IP table context to forbid all traffic from that
@@ -663,15 +528,13 @@ iptablesForwardRejectIn(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardRejectIn(iptablesContext *ctx,
-                           const char *iface)
+iptablesAddForwardRejectIn(const char *iface)
 {
-    return iptablesForwardRejectIn(ctx, iface, ADD);
+    return iptablesForwardRejectIn(iface, ADD);
 }
 
 /**
  * iptablesRemoveForwardRejectIn:
- * @ctx: pointer to the IP table context
  * @iface: the input interface name
  *
  * Remove rules from the IP table context forbidding all traffic from that
@@ -680,10 +543,9 @@ iptablesAddForwardRejectIn(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardRejectIn(iptablesContext *ctx,
-                              const char *iface)
+iptablesRemoveForwardRejectIn(const char *iface)
 {
-    return iptablesForwardRejectIn(ctx, iface, REMOVE);
+    return iptablesForwardRejectIn(iface, REMOVE);
 }
 
 
@@ -691,13 +553,12 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx,
  * with the bridge
  */
 static int
-iptablesForwardMasquerade(iptablesContext *ctx,
-                       const char *network,
-                       const char *physdev,
-                       int action)
+iptablesForwardMasquerade(const char *network,
+                          const char *physdev,
+                          int action)
 {
     if (physdev && physdev[0]) {
-        return iptablesAddRemoveRule(ctx->nat_postrouting,
+        return iptablesAddRemoveRule("nat", "POSTROUTING",
                                      action,
                                      "--source", network,
                                      "!", "--destination", network,
@@ -705,7 +566,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
                                      "--jump", "MASQUERADE",
                                      NULL);
     } else {
-        return iptablesAddRemoveRule(ctx->nat_postrouting,
+        return iptablesAddRemoveRule("nat", "POSTROUTING",
                                      action,
                                      "--source", network,
                                      "!", "--destination", network,
@@ -716,7 +577,6 @@ iptablesForwardMasquerade(iptablesContext *ctx,
 
 /**
  * iptablesAddForwardMasquerade:
- * @ctx: pointer to the IP table context
  * @network: the source network name
  * @physdev: the physical input device or NULL
  *
@@ -727,16 +587,14 @@ iptablesForwardMasquerade(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesAddForwardMasquerade(iptablesContext *ctx,
-                             const char *network,
+iptablesAddForwardMasquerade(const char *network,
                              const char *physdev)
 {
-    return iptablesForwardMasquerade(ctx, network, physdev, ADD);
+    return iptablesForwardMasquerade(network, physdev, ADD);
 }
 
 /**
  * iptablesRemoveForwardMasquerade:
- * @ctx: pointer to the IP table context
  * @network: the source network name
  * @physdev: the physical input device or NULL
  *
@@ -747,9 +605,8 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
  * Returns 0 in case of success or an error code otherwise
  */
 int
-iptablesRemoveForwardMasquerade(iptablesContext *ctx,
-                                const char *network,
+iptablesRemoveForwardMasquerade(const char *network,
                                 const char *physdev)
 {
-    return iptablesForwardMasquerade(ctx, network, physdev, REMOVE);
+    return iptablesForwardMasquerade(network, physdev, REMOVE);
 }
diff --git a/src/util/iptables.h b/src/util/iptables.h
index 68d9e0d..8809d7d 100644
--- a/src/util/iptables.h
+++ b/src/util/iptables.h
@@ -22,72 +22,49 @@
 #ifndef __QEMUD_IPTABLES_H__
 #define __QEMUD_IPTABLES_H__
 
-typedef struct _iptablesContext iptablesContext;
-
-iptablesContext *iptablesContextNew              (void);
-void             iptablesContextFree             (iptablesContext *ctx);
-
-int              iptablesAddTcpInput             (iptablesContext *ctx,
-                                                  const char *iface,
+int              iptablesAddTcpInput             (const char *iface,
                                                   int port);
-int              iptablesRemoveTcpInput          (iptablesContext *ctx,
-                                                  const char *iface,
+int              iptablesRemoveTcpInput          (const char *iface,
                                                   int port);
 
-int              iptablesAddUdpInput             (iptablesContext *ctx,
-                                                  const char *iface,
+int              iptablesAddUdpInput             (const char *iface,
                                                   int port);
-int              iptablesRemoveUdpInput          (iptablesContext *ctx,
-                                                  const char *iface,
+int              iptablesRemoveUdpInput          (const char *iface,
                                                   int port);
 
-int              iptablesAddForwardAllowOut      (iptablesContext *ctx,
-                                                  const char *network,
+int              iptablesAddForwardAllowOut      (const char *network,
                                                   const char *iface,
                                                   const char *physdev);
-int              iptablesRemoveForwardAllowOut   (iptablesContext *ctx,
-                                                  const char *network,
+int              iptablesRemoveForwardAllowOut   (const char *network,
                                                   const char *iface,
                                                   const char *physdev);
 
-int              iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
-                                                  const char *network,
+int              iptablesAddForwardAllowRelatedIn(const char *network,
                                                   const char *iface,
                                                   const char *physdev);
-int              iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
-                                                  const char *network,
+int              iptablesRemoveForwardAllowRelatedIn(const char *network,
                                                   const char *iface,
                                                   const char *physdev);
 
-int              iptablesAddForwardAllowIn       (iptablesContext *ctx,
-                                                  const char *network,
+int              iptablesAddForwardAllowIn       (const char *network,
                                                   const char *iface,
                                                   const char *physdev);
-int              iptablesRemoveForwardAllowIn    (iptablesContext *ctx,
-                                                  const char *network,
+int              iptablesRemoveForwardAllowIn    (const char *network,
                                                   const char *iface,
                                                   const char *physdev);
 
-int              iptablesAddForwardAllowCross    (iptablesContext *ctx,
-                                                  const char *iface);
-int              iptablesRemoveForwardAllowCross (iptablesContext *ctx,
-                                                  const char *iface);
+int              iptablesAddForwardAllowCross    (const char *iface);
+int              iptablesRemoveForwardAllowCross (const char *iface);
 
-int              iptablesAddForwardRejectOut     (iptablesContext *ctx,
-                                                  const char *iface);
-int              iptablesRemoveForwardRejectOut  (iptablesContext *ctx,
-                                                  const char *iface);
+int              iptablesAddForwardRejectOut     (const char *iface);
+int              iptablesRemoveForwardRejectOut  (const char *iface);
 
-int              iptablesAddForwardRejectIn      (iptablesContext *ctx,
-                                                  const char *iface);
-int              iptablesRemoveForwardRejectIn   (iptablesContext *ctx,
-                                                  const char *iface);
+int              iptablesAddForwardRejectIn      (const char *iface);
+int              iptablesRemoveForwardRejectIn   (const char *iface);
 
-int              iptablesAddForwardMasquerade    (iptablesContext *ctx,
-                                                  const char *network,
+int              iptablesAddForwardMasquerade    (const char *network,
                                                   const char *physdev);
-int              iptablesRemoveForwardMasquerade (iptablesContext *ctx,
-                                                  const char *network,
+int              iptablesRemoveForwardMasquerade (const char *network,
                                                   const char *physdev);
 
 #endif /* __QEMUD_IPTABLES_H__ */
-- 
1.6.5.2


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]