static int
virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDefPtr inc,
virNWFilterHashTablePtr vars,
virNWFilterInstPtr inst)
{
virNWFilterHashTablePtr tmpvars = NULL;
int ret = -1;
char *xml;
if (virAsprintf(&xml, "%s/nwfilterxml2firewalldata/%s.xml",
abs_srcdir, inc->filterref) < 0)
return -1;
/* create a temporary hashmap for depth-first tree traversal */
if (!(tmpvars = virNWFilterCreateVarsFrom(inc->params,
vars)))
goto cleanup;
if (virNWFilterDefToInst(xml,
tmpvars,
inst) < 0)
goto cleanup;
ret = 0;
cleanup:
if (ret < 0)
virNWFilterInstReset(inst);
virNWFilterHashTableFree(tmpvars);
VIR_FREE(xml);
return ret;
}
static int
virNWFilterDetermineMissingVarsRec(virConnectPtr conn,
virNWFilterDefPtr filter,
virNWFilterHashTablePtr vars,
virNWFilterHashTablePtr missing_vars,
int useNewFilter,
virNWFilterDriverStatePtr driver)
{
virNWFilterObjPtr obj;
int rc = 0;
int i, j;
virNWFilterDefPtr next_filter;
for (i = 0; i < filter->nentries; i++) {
virNWFilterRuleDefPtr rule = filter->filterEntries[i]->rule;
virNWFilterIncludeDefPtr inc = filter->filterEntries[i]->include;
if (rule) {
/* check all variables of this rule */
for (j = 0; j < rule->nvars; j++) {
if (!virHashLookup(vars->hashTable, rule->vars[j])) {
virNWFilterHashTablePut(missing_vars, rule->vars[j],
strdup("1"), 1);
}
}
} else if (inc) {
VIR_DEBUG("Following filter %s\n", inc->filterref);
obj = virNWFilterObjFindByName(&driver->nwfilters, inc->filterref);
if (obj) {
if (obj->wantRemoved) {
virNWFilterReportError(VIR_ERR_NO_NWFILTER,
_("Filter '%s' is in use."),
inc->filterref);
rc = 1;
virNWFilterObjUnlock(obj);
break;
}
/* create a temporary hashmap for depth-first tree traversal */
virNWFilterHashTablePtr tmpvars =
virNWFilterCreateVarsFrom(inc->params,
vars);
if (!tmpvars) {
virReportOOMError();
rc = 1;
virNWFilterObjUnlock(obj);
break;
}
next_filter = obj->def;
switch (useNewFilter) {
case INSTANTIATE_FOLLOW_NEWFILTER:
if (obj->newDef) {
next_filter = obj->newDef;
}
break;
case INSTANTIATE_ALWAYS:
break;
}
rc = virNWFilterDetermineMissingVarsRec(conn,
next_filter,
tmpvars,
missing_vars,
useNewFilter,
driver);
virNWFilterHashTableFree(tmpvars);
virNWFilterObjUnlock(obj);
if (rc)
break;
} else {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
_("referenced filter '%s' is missing"),
inc->filterref);
rc = 1;
break;
}
}
}
return rc;
}
/*
* Call this function while holding the NWFilter filter update lock
*/
static int
__virNWFilterInstantiateFilter(virConnectPtr conn,
bool teardownOld,
const char *ifname,
int ifindex,
const char *linkdev,
enum virDomainNetType nettype,
const unsigned char *macaddr,
const char *filtername,
virNWFilterHashTablePtr filterparams,
enum instCase useNewFilter,
virNWFilterDriverStatePtr driver,
bool forceWithPendingReq,
bool *foundNewFilter)
{
int rc;
const char *drvname = EBIPTABLES_DRIVER_ID;
virNWFilterTechDriverPtr techdriver;
virNWFilterObjPtr obj;
virNWFilterHashTablePtr vars, vars1;
virNWFilterDefPtr filter;
char vmmacaddr[VIR_MAC_STRING_BUFLEN] = {0};
char *str_macaddr = NULL;
const char *ipaddr;
char *str_ipaddr = NULL;
techdriver = virNWFilterTechDriverForName(drvname);
if (!techdriver) {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
_("Could not get access to ACL tech "
"driver '%s'"),
drvname);
return 1;
}
VIR_DEBUG("filter name: %s", filtername);
obj = virNWFilterObjFindByName(&driver->nwfilters, filtername);
if (!obj) {
virNWFilterReportError(VIR_ERR_NO_NWFILTER,
_("Could not find filter '%s'"),
filtername);
return 1;
}
if (obj->wantRemoved) {
virNWFilterReportError(VIR_ERR_NO_NWFILTER,
_("Filter '%s' is in use."),
filtername);
rc = 1;
goto err_exit;
}
virFormatMacAddr(macaddr, vmmacaddr);
str_macaddr = strdup(vmmacaddr);
if (!str_macaddr) {
virReportOOMError();
rc = 1;
goto err_exit;
}
ipaddr = virNWFilterGetIpAddrForIfname(ifname);
if (ipaddr) {
str_ipaddr = strdup(ipaddr);
if (!str_ipaddr) {
virReportOOMError();
rc = 1;
goto err_exit;
}
}
vars1 = virNWFilterCreateVarHashmap(str_macaddr, str_ipaddr);
if (!vars1) {
rc = 1;
goto err_exit;
}
str_macaddr = NULL;
str_ipaddr = NULL;
vars = virNWFilterCreateVarsFrom(vars1,
filterparams);
if (!vars) {
rc = 1;
goto err_exit_vars1;
}
filter = obj->def;
switch (useNewFilter) {
case INSTANTIATE_FOLLOW_NEWFILTER:
if (obj->newDef) {
filter = obj->newDef;
*foundNewFilter = true;
}
break;
case INSTANTIATE_ALWAYS:
break;
}
rc = virNWFilterInstantiate(conn,
techdriver,
nettype,
filter,
ifname,
ifindex,
linkdev,
vars,
useNewFilter, foundNewFilter,
teardownOld,
macaddr,
driver,
forceWithPendingReq);
virNWFilterHashTableFree(vars);
err_exit_vars1:
virNWFilterHashTableFree(vars1);
err_exit:
virNWFilterObjUnlock(obj);
VIR_FREE(str_ipaddr);
VIR_FREE(str_macaddr);
return rc;
}
/**
* _virNWFilterInstantiateRec:
* @conn: pointer to virConnect object
* @techdriver: The driver to use for instantiation
* @filter: The filter to instantiate
* @ifname: The name of the interface to apply the rules to
* @vars: A map holding variable names and values used for instantiating
* the filter and its subfilters.
* @nEntries: number of virNWFilterInst objects collected
* @insts: pointer to array for virNWFilterIns object pointers
* @useNewFilter: instruct whether to use a newDef pointer rather than a
* def ptr which is useful during a filter update
* @foundNewFilter: pointer to int indivating whether a newDef pointer was
* ever used; variable expected to be initialized to 0 by caller
*
* Returns 0 on success, a value otherwise.
*
* Recursively instantiate a filter by instantiating the given filter along
* with all its subfilters in a depth-first traversal of the tree of
* referenced filters. The name of the interface to which the rules belong
* must be provided. Apply the values of variables as needed. Terminate with
* error when a referenced filter is missing or a variable could not be
* resolved -- among other reasons.
*/
static int
_virNWFilterInstantiateRec(virConnectPtr conn,
virNWFilterTechDriverPtr techdriver,
enum virDomainNetType nettype,
virNWFilterDefPtr filter,
const char *ifname,
virNWFilterHashTablePtr vars,
int *nEntries,
virNWFilterRuleInstPtr **insts,
enum instCase useNewFilter, bool *foundNewFilter,
virNWFilterDriverStatePtr driver)
{
virNWFilterObjPtr obj;
int rc = 0;
int i;
virNWFilterRuleInstPtr inst;
virNWFilterDefPtr next_filter;
for (i = 0; i < filter->nentries; i++) {
virNWFilterRuleDefPtr rule = filter->filterEntries[i]->rule;
virNWFilterIncludeDefPtr inc = filter->filterEntries[i]->include;
if (rule) {
inst = virNWFilterRuleInstantiate(conn,
techdriver,
nettype,
filter,
rule,
ifname,
vars);
if (!inst) {
rc = 1;
break;
}
if (VIR_REALLOC_N(*insts, (*nEntries)+1) < 0) {
virReportOOMError();
rc = 1;
break;
}
(*insts)[(*nEntries)++] = inst;
} else if (inc) {
VIR_DEBUG("Instantiating filter %s", inc->filterref);
obj = virNWFilterObjFindByName(&driver->nwfilters, inc->filterref);
if (obj) {
if (obj->wantRemoved) {
virNWFilterReportError(VIR_ERR_NO_NWFILTER,
_("Filter '%s' is in use."),
inc->filterref);
rc = 1;
virNWFilterObjUnlock(obj);
break;
}
/* create a temporary hashmap for depth-first tree traversal */
virNWFilterHashTablePtr tmpvars =
virNWFilterCreateVarsFrom(inc->params,
vars);
if (!tmpvars) {
virReportOOMError();
rc = 1;
virNWFilterObjUnlock(obj);
break;
}
next_filter = obj->def;
switch (useNewFilter) {
case INSTANTIATE_FOLLOW_NEWFILTER:
if (obj->newDef) {
next_filter = obj->newDef;
*foundNewFilter = true;
}
break;
case INSTANTIATE_ALWAYS:
break;
}
rc = _virNWFilterInstantiateRec(conn,
techdriver,
nettype,
next_filter,
ifname,
tmpvars,
nEntries, insts,
useNewFilter,
foundNewFilter,
driver);
virNWFilterHashTableFree(tmpvars);
virNWFilterObjUnlock(obj);
if (rc)
break;
} else {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
_("referenced filter '%s' is missing"),
inc->filterref);
rc = 1;
break;
}
}
}
return rc;
}