[libvirt] [PATCH] nwfilter: reorder match extensions relative to state match

Stefan Berger stefanb at linux.vnet.ibm.com
Mon Feb 14 15:07:33 UTC 2011


This patch reorders the connlimit and comment match extensions relative
to the state match (-m state); connlimit is most useful when it follows
a -m state --state NEW match rather than precedes it.

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>

---
  src/nwfilter/nwfilter_ebiptables_driver.c |   38 
++++++++++++++++++++++++++++--
  1 file changed, 36 insertions(+), 2 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -862,6 +862,7 @@ err_exit:

  static int
  iptablesHandleIpHdr(virBufferPtr buf,
+                    virBufferPtr afterStateMatch,
                      virNWFilterHashTablePtr vars,
                      ipHdrDataDefPtr ipHdr,
                      int directionIn,
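Review bot: The new afterStateMatch parameter is undocumented, and the split between the two buffers is the whole point of this change, so a reader of the signature cannot tell which match extensions end up in which buffer. I would add a comment above iptablesHandleIpHdr stating that `buf` receives the IP header matches, that `afterStateMatch` collects the extensions that must be emitted after a `-m state` match (connlimit and comment in this patch), and that on the error path the function frees and resets both buffers. The parameter list and body of iptablesHandleIpHdr continue outside this hunk.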
@@ -1005,7 +1006,9 @@ iptablesHandleIpHdr(virBufferPtr buf,
&ipHdr->dataConnlimitAbove))
                 goto err_exit;

-            virBufferVSprintf(buf,
+            /* place connlimit after potential -m state --state ...
+               since this is the most useful order */
+            virBufferVSprintf(afterStateMatch,
                                " -m connlimit %s --connlimit-above %s",
                                
ENTRY_GET_NEG_SIGN(&ipHdr->dataConnlimitAbove),
                                number);
@@ -1016,7 +1019,9 @@ iptablesHandleIpHdr(virBufferPtr buf,
      if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
          printCommentVar(prefix, ipHdr->dataComment.u.string);

-        virBufferAddLit(buf,
+        /* keep comments behind everything else -- they are packet eval.
+           no-ops */
+        virBufferAddLit(afterStateMatch,
                          " -m comment --comment \"$" COMMENT_VARNAME "\"");
      }

@@ -1024,6 +1029,7 @@ iptablesHandleIpHdr(virBufferPtr buf,

  err_exit:
      virBufferFreeAndReset(buf);
+    virBufferFreeAndReset(afterStateMatch);

      return 1;
  }
@@ -1148,6 +1154,7 @@ _iptablesCreateRuleInstance(int directio
      char number[20];
      virBuffer prefix = VIR_BUFFER_INITIALIZER;
      virBuffer buf = VIR_BUFFER_INITIALIZER;
+    virBuffer afterStateMatch = VIR_BUFFER_INITIALIZER;
      virBufferPtr final = NULL;
      const char *target;
      const char *iptables_cmd = (isIPv6) ? ip6tables_cmd_path
@@ -1188,6 +1195,7 @@ _iptablesCreateRuleInstance(int directio
              goto err_exit;

          if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
                                  vars,
&rule->p.tcpHdrFilter.ipHdr,
                                  directionIn,
@@ -1234,6 +1242,7 @@ _iptablesCreateRuleInstance(int directio
              goto err_exit;

          if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
                                  vars,
&rule->p.udpHdrFilter.ipHdr,
                                  directionIn,
@@ -1267,6 +1276,7 @@ _iptablesCreateRuleInstance(int directio
              goto err_exit;

          if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
                                  vars,
&rule->p.udpliteHdrFilter.ipHdr,
                                  directionIn,
@@ -1295,6 +1305,7 @@ _iptablesCreateRuleInstance(int directio
              goto err_exit;

          if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
                                  vars,
&rule->p.espHdrFilter.ipHdr,
                                  directionIn,
@@ -1323,6 +1334,7 @@ _iptablesCreateRuleInstance(int directio
              goto err_exit;

          if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
                                  vars,
&rule->p.ahHdrFilter.ipHdr,
                                  directionIn,
@@ -1351,6 +1363,7 @@ _iptablesCreateRuleInstance(int directio
              goto err_exit;

          if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
                                  vars,
&rule->p.sctpHdrFilter.ipHdr,
                                  directionIn,
@@ -1387,6 +1400,7 @@ _iptablesCreateRuleInstance(int directio
              goto err_exit;

          if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
                                  vars,
&rule->p.icmpHdrFilter.ipHdr,
                                  directionIn,
@@ -1449,6 +1463,7 @@ _iptablesCreateRuleInstance(int directio
              goto err_exit;

          if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
                                  vars,
&rule->p.igmpHdrFilter.ipHdr,
                                  directionIn,
@@ -1477,6 +1492,7 @@ _iptablesCreateRuleInstance(int directio
              goto err_exit;

          if (iptablesHandleIpHdr(&buf,
+ &afterStateMatch,
                                  vars,
&rule->p.allHdrFilter.ipHdr,
                                  directionIn,
@@ -1512,6 +1528,22 @@ _iptablesCreateRuleInstance(int directio
                                   rule,
&buf);

+    if (virBufferError(&afterStateMatch)) {
+        virBufferFreeAndReset(&buf);
+        virBufferFreeAndReset(&prefix);
+        virBufferFreeAndReset(&afterStateMatch);
+        virReportOOMError();
+        return -1;
+    }
+
+    if (virBufferUse(&afterStateMatch)) {
+        char *s = virBufferContentAndReset(&afterStateMatch);
+
+        virBufferAdd(&buf, s, -1);
+
+        VIR_FREE(s);
+    }
+
      virBufferVSprintf(&buf,
                        " -j %s" CMD_DEF_POST CMD_SEPARATOR
                        CMD_EXEC,
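Review bot: The OOM branch at the top of this hunk repeats the three virBufferFreeAndReset calls that err_exit already performs for buf, prefix and afterStateMatch, so the cleanup is now maintained in two places. Replacing the body of that branch with `virReportOOMError(); goto err_exit;` keeps a single exit path and matches how the rest of _iptablesCreateRuleInstance bails out. The result of `virBufferAdd(&buf, s, -1)` is not checked within the hunk; presumably buf's error state is examined further down, past the `-j` write, which is worth confirming since an undetected failure here would emit the rule without its connlimit and comment matches. _iptablesCreateRuleInstance starts outside this hunk.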
@@ -1553,12 +1585,14 @@ _iptablesCreateRuleInstance(int directio
  err_exit:
      virBufferFreeAndReset(&buf);
      virBufferFreeAndReset(&prefix);
+    virBufferFreeAndReset(&afterStateMatch);

      return -1;

  exit_no_error:
      virBufferFreeAndReset(&buf);
      virBufferFreeAndReset(&prefix);
+    virBufferFreeAndReset(&afterStateMatch);

      return 0;
  }



