util: add new "tc" layer for virFirewallCmd objects

If the layer of a virFirewallCmd is "tc", then the "tc" utility will
be executed using the arguments that had been added to the
virFirewallCmd

tc layer doesn't support auto-rollback command creation (any rollback
needs to be added manually with virFirewallAddRollbackCmd()), and also
tc layer isn't supported by the iptables backend (it would have been
straightforward to add, but the iptables backend doesn't need it, and
I didn't want to take the chance of causing a regression in that
code for no good reason).

Signed-off-by: Laine Stump <laine@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c
index f8b5ab665d3c43e00443d5dbc40fc944ea965c24..b3605bd40e967f00c940bc693011019a58c3c837 100644 (file)
--- a/src/network/network_nftables.c
+++ b/src/network/network_nftables.c
@@ -73,6 +73,7 @@ VIR_ENUM_IMPL(nftablesLayer,
               "",
               "ip",
               "ip6",
+              "",
 );
 
 

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 811b787ecccf624842f749351ae20428a4869f2d..9389bcf541644a79b4aecad2b102a2d589cd1beb 100644 (file)
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -47,6 +47,7 @@ VIR_ENUM_IMPL(virFirewallLayer,
               "ethernet",
               "ipv4",
               "ipv6",
+              "tc",
 );
 
 typedef struct _virFirewallGroup virFirewallGroup;
@@ -57,6 +58,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand,
               EBTABLES,
               IPTABLES,
               IP6TABLES,
+              TC,
 );
 
 struct _virFirewallCmd {
@@ -591,6 +593,7 @@ virFirewallCmdIptablesApply(virFirewall *firewall,
     case VIR_FIREWALL_LAYER_IPV6:
         virCommandAddArg(cmd, "-w");
         break;
+    case VIR_FIREWALL_LAYER_TC:
     case VIR_FIREWALL_LAYER_LAST:
         break;
     }
@@ -672,39 +675,52 @@ virFirewallCmdNftablesApply(virFirewall *firewall G_GNUC_UNUSED,
     size_t i;
     int status;
 
-    cmd = virCommandNew(NFT);
+    if (fwCmd->layer == VIR_FIREWALL_LAYER_TC) {
 
-    if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) &&
-        fwCmd->argsLen > 1) {
-        /* skip any leading options to get to command verb */
-        for (i = 0; i < fwCmd->argsLen - 1; i++) {
-            if (fwCmd->args[i][0] != '-')
-                break;
-        }
+        /* for VIR_FIREWALL_LAYER_TC, we run the 'tc' (traffic control) command with
+         * the supplied args.
+         */
+        cmd = virCommandNew(TC);
 
-        if (i + 1 < fwCmd->argsLen &&
-            VIR_NFTABLES_ARG_IS_CREATE(fwCmd->args[i])) {
+        /* NB: RAW commands don't support auto-rollback command creation */
 
-            cmdIdx = i;
-            objectType = fwCmd->args[i + 1];
+    } else {
 
-            /* we currently only handle auto-rollback for rules,
-             * chains, and tables, and those all can be "rolled
-             * back" by a delete command using the handle that is
-             * returned when "-ae" is added to the add/insert
-             * command.
-             */
-            if (STREQ_NULLABLE(objectType, "rule") ||
-                STREQ_NULLABLE(objectType, "chain") ||
-                STREQ_NULLABLE(objectType, "table")) {
+        cmd = virCommandNew(NFT);
 
-                needRollback = true;
-                /* this option to nft instructs it to add the
-                 * "handle" of the created object to stdout
+        if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK) &&
+            fwCmd->argsLen > 1) {
+            /* skip any leading options to get to command verb */
+            for (i = 0; i < fwCmd->argsLen - 1; i++) {
+                if (fwCmd->args[i][0] != '-')
+                    break;
+            }
+
+            if (i + 1 < fwCmd->argsLen &&
+                VIR_NFTABLES_ARG_IS_CREATE(fwCmd->args[i])) {
+
+                cmdIdx = i;
+                objectType = fwCmd->args[i + 1];
+
+                /* we currently only handle auto-rollback for rules,
+                 * chains, and tables, and those all can be "rolled
+                 * back" by a delete command using the handle that is
+                 * returned when "-ae" is added to the add/insert
+                 * command.
                  */
-                virCommandAddArg(cmd, "-ae");
+                if (STREQ_NULLABLE(objectType, "rule") ||
+                    STREQ_NULLABLE(objectType, "chain") ||
+                    STREQ_NULLABLE(objectType, "table")) {
+
+                    needRollback = true;
+                    /* this option to nft instructs it to add the
+                     * "handle" of the created object to stdout
+                     */
+                    virCommandAddArg(cmd, "-ae");
+                }
             }
         }
+
     }
 
     for (i = 0; i < fwCmd->argsLen; i++)

diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index bce51259d2b94f2cee42d9ced56c5536ba14840b..d42e60884bea7fce6fa0831895c8a68565ae08fa 100644 (file)
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -39,6 +39,7 @@ typedef enum {
     VIR_FIREWALL_LAYER_ETHERNET,
     VIR_FIREWALL_LAYER_IPV4,
     VIR_FIREWALL_LAYER_IPV6,
+    VIR_FIREWALL_LAYER_TC,
 
     VIR_FIREWALL_LAYER_LAST,
 } virFirewallLayer;

diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c
index 0a886780add0ee821a651b88592f2785d3c8c8f3..21a9e0206194ea9dd1910c8c88f18503a3888454 100644 (file)
--- a/src/util/virfirewalld.c
+++ b/src/util/virfirewalld.c
@@ -43,6 +43,7 @@ VIR_LOG_INIT("util.firewalld");
 VIR_ENUM_DECL(virFirewallLayerFirewallD);
 VIR_ENUM_IMPL(virFirewallLayerFirewallD,
               VIR_FIREWALL_LAYER_LAST,
+              "",
               "eb",
               "ipv4",
               "ipv6",