static int
virNWFilterRuleDefToRuleInst(virNWFilterDefPtr def,
virNWFilterRuleDefPtr rule,
virNWFilterHashTablePtr vars,
virNWFilterInstPtr inst)
{
virNWFilterRuleInstPtr ruleinst;
int ret = -1;
if (VIR_ALLOC(ruleinst) < 0)
goto cleanup;
ruleinst->chainSuffix = def->chainsuffix;
ruleinst->chainPriority = def->chainPriority;
ruleinst->def = rule;
ruleinst->priority = rule->priority;
if (!(ruleinst->vars = virNWFilterHashTableCreate(0)))
goto cleanup;
if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0)
goto cleanup;
if (VIR_APPEND_ELEMENT(inst->rules,
inst->nrules,
ruleinst) < 0)
goto cleanup;
ruleinst = NULL;
ret = 0;
cleanup:
virNWFilterRuleInstFree(ruleinst);
return ret;
}
/**
* virNWFilterCreateVarHashmap:
* @macaddr: pointer to string containing formatted MAC address of interface
* @ipaddr: pointer to string containing formatted IP address used by
* VM on this interface; may be NULL
*
* Create a hashmap used for evaluating the firewall rules. Initializes
* it with the standard variable 'MAC' and 'IP' if provided.
*
* Returns pointer to hashmap, NULL if an error occcurred.
*/
virNWFilterHashTablePtr
virNWFilterCreateVarHashmap(char *macaddr,
const virNWFilterVarValuePtr ipaddr) {
virNWFilterHashTablePtr table = virNWFilterHashTableCreate(0);
if (!table)
return NULL;
if (virNWFilterVarHashmapAddStdValues(table, macaddr, ipaddr) < 0) {
virNWFilterHashTableFree(table);
return NULL;
}
return table;
}
/**
* virNWFilterCreateVarHashmap:
* @macaddr: pointer to string containing formatted MAC address of interface
* @ipaddr: pointer to string containing formatted IP address used by
* VM on this interface; may be NULL
*
* Create a hashmap used for evaluating the firewall rules. Initializes
* it with the standard variable 'MAC' and 'IP' if provided.
*
* Returns pointer to hashmap, NULL if an error occcurred and error message
* is attached to the virConnect object.
*/
virNWFilterHashTablePtr
virNWFilterCreateVarHashmap(char *macaddr, char *ipaddr) {
virNWFilterHashTablePtr table = virNWFilterHashTableCreate(0);
if (!table) {
virReportOOMError();
return NULL;
}
if (virNWFilterVarHashmapAddStdValues(table, macaddr, ipaddr)) {
virNWFilterHashTableFree(table);
return NULL;
}
return table;
}
int
virNWFilterIPAddrMapInit(void)
{
ipAddressMap = virNWFilterHashTableCreate(0);
if (!ipAddressMap)
return -1;
if (virMutexInit(&ipAddressMapLock) < 0) {
virNWFilterIPAddrMapShutdown();
return -1;
}
return 0;
}
static int testCompareXMLToArgvFiles(const char *xml,
const char *cmdline)
{
char *actualargv = NULL;
virBuffer buf = VIR_BUFFER_INITIALIZER;
virNWFilterHashTablePtr vars = virNWFilterHashTableCreate(0);
virNWFilterInst inst;
int ret = -1;
memset(&inst, 0, sizeof(inst));
virCommandSetDryRun(&buf, NULL, NULL);
if (!vars)
goto cleanup;
if (testSetDefaultParameters(vars) < 0)
goto cleanup;
if (virNWFilterDefToInst(xml,
vars,
&inst) < 0)
goto cleanup;
if (ebiptables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < 0)
goto cleanup;
if (virBufferError(&buf))
goto cleanup;
actualargv = virBufferContentAndReset(&buf);
virTestClearCommandPath(actualargv);
virCommandSetDryRun(NULL, NULL, NULL);
testRemoveCommonRules(actualargv);
if (virTestCompareToFile(actualargv, cmdline) < 0)
goto cleanup;
ret = 0;
cleanup:
virBufferFreeAndReset(&buf);
VIR_FREE(actualargv);
virNWFilterInstReset(&inst);
virNWFilterHashTableFree(vars);
return ret;
}
static virNWFilterHashTablePtr
virNWFilterCreateVarsFrom(virNWFilterHashTablePtr vars1,
virNWFilterHashTablePtr vars2)
{
virNWFilterHashTablePtr res = virNWFilterHashTableCreate(0);
if (!res)
return NULL;
if (virNWFilterHashTablePutAll(vars1, res) < 0)
goto err_exit;
if (virNWFilterHashTablePutAll(vars2, res) < 0)
goto err_exit;
return res;
err_exit:
virNWFilterHashTableFree(res);
return NULL;
}
/**
* virNWFilterInstantiate:
* @conn: pointer to virConnect object
* @techdriver: The driver to use for instantiation
* @filter: The filter to instantiate
* @ifname: The name of the interface to apply the rules to
* @vars: A map holding variable names and values used for instantiating
* the filter and its subfilters.
* @forceWithPendingReq: Ignore the check whether a pending learn request
* is active; 'true' only when the rules are applied late
*
* Returns 0 on success, a value otherwise.
*
* Instantiate a filter by instantiating the filter itself along with
* all its subfilters in a depth-first traversal of the tree of referenced
* filters. The name of the interface to which the rules belong must be
* provided. Apply the values of variables as needed.
*
* Call this function while holding the NWFilter filter update lock
*/
static int
virNWFilterInstantiate(virConnectPtr conn,
virNWFilterTechDriverPtr techdriver,
enum virDomainNetType nettype,
virNWFilterDefPtr filter,
const char *ifname,
int ifindex,
const char *linkdev,
virNWFilterHashTablePtr vars,
enum instCase useNewFilter, bool *foundNewFilter,
bool teardownOld,
const unsigned char *macaddr,
virNWFilterDriverStatePtr driver,
bool forceWithPendingReq)
{
int rc;
int j, nptrs;
int nEntries = 0;
virNWFilterRuleInstPtr *insts = NULL;
void **ptrs = NULL;
int instantiate = 1;
virNWFilterHashTablePtr missing_vars = virNWFilterHashTableCreate(0);
if (!missing_vars) {
virReportOOMError();
rc = 1;
goto err_exit;
}
rc = virNWFilterDetermineMissingVarsRec(conn,
filter,
vars,
missing_vars,
useNewFilter,
driver);
if (rc)
goto err_exit;
if (virHashSize(missing_vars->hashTable) == 1) {
if (virHashLookup(missing_vars->hashTable,
NWFILTER_STD_VAR_IP) != NULL) {
if (virNWFilterLookupLearnReq(ifindex) == NULL) {
rc = virNWFilterLearnIPAddress(techdriver,
ifname,
ifindex,
linkdev,
nettype, macaddr,
filter->name,
vars, driver,
DETECT_DHCP|DETECT_STATIC);
}
goto err_exit;
}
rc = 1;
goto err_exit;
} else if (virHashSize(missing_vars->hashTable) > 1) {
rc = 1;
goto err_exit;
} else if (!forceWithPendingReq &&
virNWFilterLookupLearnReq(ifindex) != NULL) {
goto err_exit;
}
rc = _virNWFilterInstantiateRec(conn,
techdriver,
nettype,
filter,
ifname,
vars,
&nEntries, &insts,
useNewFilter, foundNewFilter,
driver);
if (rc)
goto err_exit;
switch (useNewFilter) {
case INSTANTIATE_FOLLOW_NEWFILTER:
instantiate = *foundNewFilter;
break;
case INSTANTIATE_ALWAYS:
instantiate = 1;
break;
}
if (instantiate) {
rc = virNWFilterRuleInstancesToArray(nEntries, insts,
&ptrs, &nptrs);
if (rc)
goto err_exit;
if (virNWFilterLockIface(ifname))
goto err_exit;
rc = techdriver->applyNewRules(conn, ifname, nptrs, ptrs);
if (teardownOld && rc == 0)
techdriver->tearOldRules(conn, ifname);
if (rc == 0 && ifaceCheck(false, ifname, NULL, ifindex)) {
/* interface changed/disppeared */
techdriver->allTeardown(ifname);
rc = 1;
}
virNWFilterUnlockIface(ifname);
}
err_exit:
for (j = 0; j < nEntries; j++)
virNWFilterRuleInstFree(insts[j]);
VIR_FREE(insts);
VIR_FREE(ptrs);
virNWFilterHashTableFree(missing_vars);
return rc;
}