[libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets

Ján Tomko jtomko at redhat.com
Wed Apr 16 13:36:55 UTC 2014


On 04/08/2014 05:38 PM, Daniel P. Berrange wrote:
> The network and nwfilter drivers both have a need to update
> firewall rules. They currently share no code for interacting
> with iptables / firewalld. The nwfilter driver is fairly
> tied to the concept of creating shell scripts to execute
> which makes it very hard to port to talk to firewalld via
> DBus APIs.
> 
> This patch introduces a virFirewallPtr object which is able
> to represent a complete sequence of rule changes, with the
> ability to have multiple transactional checkpoints with
> rollbacks. By formally separating the definition of the rules
> to be applied from the mechanism used to apply them, it is
> also possible to write a firewall engine that uses firewalld
> DBus APIs natively instead of via the slow firewalld-cmd.
> 
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---


> +
> +static int
> +virFirewallOnceInit(void)
> +{
> +    return virFirewallValidateBackend(currentBackend);
> +}
> +
> +VIR_ONCE_GLOBAL_INIT(virFirewall)
> +
> +static int
> +virFirewallValidateBackend(virFirewallBackend backend)
> +{
> +    VIR_DEBUG("Validating backend %d", backend);
> +#if WITH_DBUS
> +    if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
> +        backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
> +        int rv = virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE);
> +        VIR_DEBUG("Firewalled is registered ? %d", rv);
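Review bot: virFirewallOnceInit calls virFirewallValidateBackend, but the static definition of that function only follows further down the hunk; unless a prototype appears earlier in the file (not visible here) this will not compile, so add a forward declaration above virFirewallOnceInit. Note also that VIR_ONCE_GLOBAL_INIT means the value of currentBackend is validated exactly once, at the first virFirewall call; any setter for currentBackend that a later patch adds must therefore be called before first use, or its choice is never validated.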

s/Firewalled/Firewalld/

> +        if (rv < 0) {
> +            if (rv == -2) {
> +                if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
> +                    virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> +                                   _("firewalld firewall backend requested, but service is not running"));
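Review bot: the `rv == -2` comparison is a magic number; the return value that this code treats as "service is not registered" should be a named constant or at least carry a comment tying it to virDBusIsServiceRegistered's contract, so the branch does not silently break if that function's return codes change. Also, a backend being explicitly requested while firewalld is not running is a configuration/runtime condition rather than a libvirt bug, so VIR_ERR_INTERNAL_ERROR is a poor fit; VIR_ERR_CONFIG_UNSUPPORTED or VIR_ERR_OPERATION_UNSUPPORTED would describe it better to callers.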


> +#define VIR_FIREWALL_RETURN_IF_ERROR(firewall)          \
> +    if (!firewall || firewall->err)                     \
> +        return;
> +
> +#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, ruel)\

s/ruel/rule/

> +    if (!firewall || firewall->err || !rule)            \
> +        return;
> +
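Review bot: VIR_FIREWALL_RULE_RETURN_IF_ERROR names its second parameter `ruel` while the body tests `rule`, so the macro either fails to compile or, where the caller happens to have a variable called `rule` in scope, binds to that instead of its argument; rename the parameter. Both macros also expand to a bare `if (...) return;`, which attaches a following `else` to the macro's own `if` in code such as `if (x) VIR_FIREWALL_RETURN_IF_ERROR(fw); else ...`; wrapping each body in `do { ... } while (0)` avoids that.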


> @@ -998,6 +999,12 @@ virfiletest_SOURCES = \
>  	virfiletest.c testutils.h testutils.c
>  virfiletest_LDADD = $(LDADDS)
>  
> +virfirewalltest_SOURCES = \
> +	virfirewalltest.c testutils.h testutils.c
> +virfirewalltest_LDADD = $(LDADDS)
> +virfirewalltest_CFLAGS = $(AM_CFLAGS) $(DBUS_CFLAGS)

> +virfirewalltest_LDFLAGS = $(DRIVER_MODULE_LDFLAGS)

This breaks the test when built --without-driver-modules. As of commit
844a5c1, omitting the LDFLAGS line should be fine.

> +
>  jsontest_SOURCES = \
>  	jsontest.c testutils.h testutils.c
>  jsontest_LDADD = $(LDADDS)
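Review bot: virfirewalltest_CFLAGS adds $(DBUS_CFLAGS) but virfirewalltest_LDADD is only $(LDADDS); if virfirewalltest.c calls D-Bus functions directly rather than only through libvirt's virdbus wrappers, it also needs $(DBUS_LIBS) in its LDADD, otherwise the link fails only in WITH_DBUS builds. Either drop the DBUS_CFLAGS if the test does not include D-Bus headers, or add the matching libs, consistent with how the other D-Bus-using tests in this Makefile are set up.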

Jan
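The commit message describes the core idea of the patch: a rule set is built up as a sequence of changes with transactional checkpoints and rollback, separated from the mechanism that applies it. The following is an added, stand-alone sketch of that design written for this review; it is not libvirt's virFirewall code and every name in it (fw_transaction, fw_start_group, fw_add_rule, fw_apply, fake_apply, run_demo, the LIBVIRT_DEMO chain and the sample iptables arguments) is an assumption made for illustration. The backend is a callback, which is the seam that would let the same rule list be driven through iptables, firewall-cmd or a D-Bus client; the fake backend here just records what it is handed and can be told to fail on a chosen command.

```c
/* Added sketch, not libvirt code: rule groups with their own rollback rules,
 * applied through a pluggable backend callback. All names are assumptions. */
#include <stdio.h>
#include <string.h>
#define MAX_RULES  16
#define MAX_GROUPS 8
typedef struct {
    const char *rules[MAX_RULES];    /* argument strings, applied in order */
    size_t nrules;
    const char *rollback[MAX_RULES]; /* undo strings, run newest first */
    size_t nrollback;
} fw_group;

typedef struct {
    fw_group groups[MAX_GROUPS];
    size_t ngroups;
    int err;  /* sticky: once set, builder calls become no-ops */
} fw_transaction;

/* The seam between defining rules and the mechanism that applies them. */
typedef int (*fw_apply_fn)(const char *args, void *opaque);

static void fw_start_group(fw_transaction *fw)
{
    if (fw->err || fw->ngroups == MAX_GROUPS)
        fw->err = 1;
    else
        fw->ngroups++;
}

static void fw_add_rule(fw_transaction *fw, const char *args, const char *undo)
{
    fw_group *g = fw->ngroups ? &fw->groups[fw->ngroups - 1] : NULL;
    if (fw->err || !g || g->nrules == MAX_RULES) {
        fw->err = 1;  /* no group started yet, or group full */
        return;
    }
    g->rules[g->nrules++] = args;
    if (undo)
        g->rollback[g->nrollback++] = undo;
}

/* Apply groups in order. On the first failure run the rollback rules of the
 * failing group and of every earlier group, newest first. Rollback results
 * are ignored on purpose: an undo may target a rule that never got applied. */
static int fw_apply(fw_transaction *fw, fw_apply_fn apply, void *opaque)
{
    size_t gi, ri;
    if (fw->err)
        return -1;
    for (gi = 0; gi < fw->ngroups; gi++)
        for (ri = 0; ri < fw->groups[gi].nrules; ri++)
            if (apply(fw->groups[gi].rules[ri], opaque) < 0)
                goto rollback;
    return 0;
 rollback:
    for (;;) {
        fw_group *g = &fw->groups[gi];
        for (ri = g->nrollback; ri > 0; ri--)
            (void) apply(g->rollback[ri - 1], opaque);
        if (gi == 0)
            return -1;
        gi--;
    }
}

/* Fake backend: logs every command it is handed into demo_log and fails on
 * any command containing fail_on. Stands in for an iptables or D-Bus runner. */
static char demo_log[1024];
typedef struct { const char *fail_on; } fake_backend;

static int fake_apply(const char *args, void *opaque)
{
    fake_backend *b = opaque;
    size_t used = strlen(demo_log);
    snprintf(demo_log + used, sizeof(demo_log) - used, "%s\n", args);
    return (b->fail_on && strstr(args, b->fail_on)) ? -1 : 0;
}

/* Two groups: create and hook a chain, then add one DHCP accept rule. */
static int run_demo(const char *fail_on)
{
    fw_transaction fw;
    fake_backend b = { fail_on };
    memset(&fw, 0, sizeof(fw));
    demo_log[0] = '\0';
    fw_start_group(&fw);
    fw_add_rule(&fw, "-N LIBVIRT_DEMO", "-X LIBVIRT_DEMO");
    fw_add_rule(&fw, "-I INPUT -j LIBVIRT_DEMO", "-D INPUT -j LIBVIRT_DEMO");
    fw_start_group(&fw);
    fw_add_rule(&fw, "-A LIBVIRT_DEMO -p udp --dport 67 -j ACCEPT",
                     "-D LIBVIRT_DEMO -p udp --dport 67 -j ACCEPT");
    return fw_apply(&fw, fake_apply, &b);
}

int main(void)
{
    printf("rc=%d\n%s", run_demo("dport 67"), demo_log);
    return 0;
}
```

Running it with the failing backend shows why rollback has to walk groups newest first and undo rules in reverse: the jump into LIBVIRT_DEMO is deleted from INPUT before the chain itself is removed with -X, which is the order iptables requires. The sticky `err` field mirrors the early-return macros in the patch, so a builder error anywhere in the sequence makes the final apply refuse to run rather than applying a partial rule set.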
