[libvirt] [PATCH 11/26] Introduce an object for managing firewall rulesets
Ján Tomko
jtomko at redhat.com
Wed Apr 16 13:36:55 UTC 2014
On 04/08/2014 05:38 PM, Daniel P. Berrange wrote:
> The network and nwfilter drivers both have a need to update
> firewall rules. The currently share no code for interacting
> with iptables / firewalld. The nwfilter driver is fairly
> tied to the concept of creating shell scripts to execute
> which makes it very hard to port to talk to firewalld via
> DBus APIs.
>
> This patch introduces a virFirewallPtr object which is able
> to represent a complete sequence of rule changes, with the
> ability to have multiple transactional checkpoints with
> rollbacks. By formally separating the definition of the rules
> to be applied from the mechanism used to apply them, it is
> also possible to write a firewall engine that uses firewalld
> DBus APIs natively instead of via the slow firewalld-cmd.
>
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
> +
> +static int
> +virFirewallOnceInit(void)
> +{
> + return virFirewallValidateBackend(currentBackend);
> +}
> +
> +VIR_ONCE_GLOBAL_INIT(virFirewall)
> +
> +static int
> +virFirewallValidateBackend(virFirewallBackend backend)
> +{
> + VIR_DEBUG("Validating backend %d", backend);
> +#if WITH_DBUS
> + if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
> + backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
> + int rv = virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE);
> + VIR_DEBUG("Firewalled is registered ? %d", rv);
s/Firewalled/Firewalld/
> + if (rv < 0) {
> + if (rv == -2) {
> + if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("firewalld firewall backend requested, but service is not running"));
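Review bot: virFirewallOnceInit calls virFirewallValidateBackend before the static definition that follows VIR_ONCE_GLOBAL_INIT, so either a forward declaration is needed above virFirewallOnceInit (none is visible in this excerpt) or the two definitions should be reordered. The `rv == -2` test also relies on a magic return value of virDBusIsServiceRegistered; a short comment saying that -2 means "service not registered" would make the branch readable without opening virdbus.c.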
> +#define VIR_FIREWALL_RETURN_IF_ERROR(firewall) \
> + if (!firewall || firewall->err) \
> + return;
> +
> +#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, ruel)\
s/ruel/rule/
> + if (!firewall || firewall->err || !rule) \
> + return;
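Review bot: both macros expand to a bare `if (...) return;`, so a caller writing `if (cond) VIR_FIREWALL_RETURN_IF_ERROR(fw); else ...` would attach the `else` to the macro's own `if`; wrapping the body in `do { ... } while (0)` avoids that. The parameter name `ruel` in VIR_FIREWALL_RULE_RETURN_IF_ERROR does not match the `rule` used in its body, so the macro currently compiles only because the caller's variable happens to be named `rule`.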
> +
> @@ -998,6 +999,12 @@ virfiletest_SOURCES = \
> virfiletest.c testutils.h testutils.c
> virfiletest_LDADD = $(LDADDS)
>
> +virfirewalltest_SOURCES = \
> + virfirewalltest.c testutils.h testutils.c
> +virfirewalltest_LDADD = $(LDADDS)
> +virfirewalltest_CFLAGS = $(AM_CFLAGS) $(DBUS_CFLAGS)
> +virfirewalltest_LDFLAGS = $(DRIVER_MODULE_LDFLAGS)
This breaks the test when built --without-driver-modules. As of commit
844a5c1, omitting the LDFLAGS line should be fine.
> +
> jsontest_SOURCES = \
> jsontest.c testutils.h testutils.c
> jsontest_LDADD = $(LDADDS)
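Review bot: virfirewalltest_CFLAGS adds $(DBUS_CFLAGS) but virfirewalltest_LDADD is only $(LDADDS); if the test calls libdbus directly it also needs $(DBUS_LIBS) in LDADD, and if it only goes through libvirt's virDBus wrappers the DBUS_CFLAGS line can be dropped along with the LDFLAGS one.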
Jan