Extend fwall-drv interface and call functions via interface

I am moving some of the eb/iptables related functions into the interface
of the firewall driver and am making them only accessible via the driver's
interface. Otherwise exsiting code is adapted where needed. I am adding one
new function to the interface that checks whether the 'basic' rules can be
applied,  which will then be used by a subsequent patch.

diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 8b6b4f25bc03cec537fb5bc16d5c187f2d5e0de4..f8ce834d0dbdb9b3c885e78ba1f053bff38538cb 100644 (file)
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -487,6 +487,17 @@ typedef int (*virNWFilterRuleFreeInstanceData)(void * _inst);
 typedef int (*virNWFilterRuleDisplayInstanceData)(virConnectPtr conn,
                                                   void *_inst);
 
+typedef int (*virNWFilterCanApplyBasicRules)(void);
+
+typedef int (*virNWFilterApplyBasicRules)(const char *ifname,
+                                          const unsigned char *macaddr);
+
+typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname,
+                                             const unsigned char *macaddr,
+                                             const char *dhcpserver);
+
+typedef int (*virNWFilterRemoveBasicRules)(const char *ifname);
+
 enum techDrvFlags {
     TECHDRV_FLAG_INITIALIZED = (1 << 0),
 };
@@ -506,6 +517,11 @@ struct _virNWFilterTechDriver {
     virNWFilterRuleAllTeardown allTeardown;
     virNWFilterRuleFreeInstanceData freeRuleInstance;
     virNWFilterRuleDisplayInstanceData displayRuleInstance;
+
+    virNWFilterCanApplyBasicRules canApplyBasicRules;
+    virNWFilterApplyBasicRules applyBasicRules;
+    virNWFilterApplyDHCPOnlyRules applyDHCPOnlyRules;
+    virNWFilterRemoveBasicRules removeBasicRules;
 };
 
 

diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index eef9e5245fb382ca59dd51a16ec45444e9b3ff8e..2bae2dc3f7af226aba810cf262718eba2f138455 100644 (file)
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -98,6 +98,7 @@ static const char *m_physdev_out_str = "-m physdev " PHYSDEV_OUT;
 #define MATCH_PHYSDEV_OUT  m_physdev_out_str
 
 
+static int ebtablesRemoveBasicRules(const char *ifname);
 static int ebiptablesDriverInit(void);
 static void ebiptablesDriverShutdown(void);
 
@@ -2577,6 +2578,18 @@ ebiptablesInstCommand(virBufferPtr buf,
 }
 
 
+/**
+ * ebiptablesCanApplyBasicRules
+ *
+ * Determine whether this driver can apply the basic rules, meaning
+ * run ebtablesApplyBasicRules and ebtablesApplyDHCPOnlyRules.
+ * In case of this driver we need the ebtables tool available.
+ */
+static int
+ebiptablesCanApplyBasicRules(void) {
+    return (ebtables_cmd_path != NULL);
+}
+
 /**
  * ebtablesApplyBasicRules
  *
@@ -2591,7 +2604,7 @@ ebiptablesInstCommand(virBufferPtr buf,
  * - filtering for MAC address spoofing
  * - allowing IPv4 & ARP traffic
  */
-int
+static int
 ebtablesApplyBasicRules(const char *ifname,
                         const unsigned char *macaddr)
 {
@@ -2685,7 +2698,7 @@ tear_down_tmpebchains:
  * Apply filtering rules so that the VM can only send and receive
  * DHCP traffic and nothing else.
  */
-int
+static int
 ebtablesApplyDHCPOnlyRules(const char *ifname,
                            const unsigned char *macaddr,
                            const char *dhcpserver)
@@ -2794,7 +2807,7 @@ tear_down_tmpebchains:
 }
 
 
-int
+static int
 ebtablesRemoveBasicRules(const char *ifname)
 {
     virBuffer buf = VIR_BUFFER_INITIALIZER;
@@ -3188,6 +3201,11 @@ virNWFilterTechDriver ebiptables_driver = {
     .removeRules         = ebiptablesRemoveRules,
     .freeRuleInstance    = ebiptablesFreeRuleInstance,
     .displayRuleInstance = ebiptablesDisplayRuleInstance,
+
+    .canApplyBasicRules  = ebiptablesCanApplyBasicRules,
+    .applyBasicRules     = ebtablesApplyBasicRules,
+    .applyDHCPOnlyRules  = ebtablesApplyDHCPOnlyRules,
+    .removeBasicRules    = ebtablesRemoveBasicRules,
 };
 
 

diff --git a/src/nwfilter/nwfilter_ebiptables_driver.h b/src/nwfilter/nwfilter_ebiptables_driver.h
index 4129d05d8d8dd24c4a351a4bca332fa81ab22030..d99de3b719b3d4a48ece2ffecadfff8d929e3400 100644 (file)
--- a/src/nwfilter/nwfilter_ebiptables_driver.h
+++ b/src/nwfilter/nwfilter_ebiptables_driver.h
@@ -45,12 +45,4 @@ extern virNWFilterTechDriver ebiptables_driver;
 
 # define EBIPTABLES_DRIVER_ID "ebiptables"
 
-
-int ebtablesApplyBasicRules(const char *ifname,
-                            const unsigned char *macaddr);
-int ebtablesApplyDHCPOnlyRules(const char *ifname,
-                               const unsigned char *macaddr,
-                               const char *dhcpServer);
-int ebtablesRemoveBasicRules(const char *ifname);
-
 #endif

diff --git a/src/nwfilter/nwfilter_gentech_driver.c b/src/nwfilter/nwfilter_gentech_driver.c
index d5a16934ea71705b662e55bc5d1e4ef2c8db4c69..2457fd6922ee594955daf813d9cedcc31bd5480b 100644 (file)
--- a/src/nwfilter/nwfilter_gentech_driver.c
+++ b/src/nwfilter/nwfilter_gentech_driver.c
@@ -593,7 +593,8 @@ virNWFilterInstantiate(virConnectPtr conn,
         if (virHashLookup(missing_vars->hashTable,
                           NWFILTER_STD_VAR_IP) != NULL) {
             if (virNWFilterLookupLearnReq(ifname) == NULL) {
-                rc = virNWFilterLearnIPAddress(ifname,
+                rc = virNWFilterLearnIPAddress(techdriver,
+                                               ifname,
                                                linkdev,
                                                nettype, macaddr,
                                                filter->name,

diff --git a/src/nwfilter/nwfilter_learnipaddr.c b/src/nwfilter/nwfilter_learnipaddr.c
index bd4f3a56a29a33038a38ed5a6bf57905d71f8e7d..7d6422b7a65d21d2282193c8df6f3295cd44016f 100644 (file)
--- a/src/nwfilter/nwfilter_learnipaddr.c
+++ b/src/nwfilter/nwfilter_learnipaddr.c
@@ -293,6 +293,7 @@ learnIPAddressThread(void *arg)
     char *filter= NULL;
     uint16_t etherType;
     enum howDetect howDetected = 0;
+    virNWFilterTechDriverPtr techdriver = req->techdriver;
 
     req->status = 0;
 
@@ -458,7 +459,7 @@ learnIPAddressThread(void *arg)
     if (handle)
         pcap_close(handle);
 
-    ebtablesRemoveBasicRules(req->ifname);
+    techdriver->removeBasicRules(req->ifname);
 
     if (req->status == 0) {
         int ret;
@@ -493,7 +494,7 @@ learnIPAddressThread(void *arg)
 
 /**
  * virNWFilterLearnIPAddress
- * @conn: pointer to virConnect object
+ * @techdriver : driver to build firewalls
  * @ifname: the name of the interface
  * @linkdev : the name of the link device; currently only used in case of a
  *     macvtap device
@@ -513,7 +514,8 @@ learnIPAddressThread(void *arg)
  * firewall rules on the interface.
  */
 int
-virNWFilterLearnIPAddress(const char *ifname,
+virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
+                          const char *ifname,
                           const char *linkdev,
                           enum virDomainNetType nettype,
                           const unsigned char *macaddr,
@@ -569,6 +571,7 @@ virNWFilterLearnIPAddress(const char *ifname,
     req->filterparams = ht;
     ht = NULL;
     req->howDetect = howDetect;
+    req->techdriver = techdriver;
 
     rc = virNWFilterRegisterLearnReq(req);
 
@@ -577,14 +580,14 @@ virNWFilterLearnIPAddress(const char *ifname,
 
     switch (howDetect) {
     case DETECT_DHCP:
-        if (ebtablesApplyDHCPOnlyRules(ifname,
-                                       macaddr,
-                                       NULL))
+        if (techdriver->applyDHCPOnlyRules(ifname,
+                                           macaddr,
+                                           NULL))
             goto err_free_ht;
         break;
     default:
-        if (ebtablesApplyBasicRules(ifname,
-                                    macaddr))
+        if (techdriver->applyBasicRules(ifname,
+                                        macaddr))
             goto err_free_ht;
     }
 
@@ -598,7 +601,7 @@ virNWFilterLearnIPAddress(const char *ifname,
     return 0;
 
 err_remove_rules:
-    ebtablesRemoveBasicRules(ifname);
+    techdriver->removeBasicRules(ifname);
 err_free_ht:
     virNWFilterHashTableFree(ht);
 err_no_ht:
@@ -610,7 +613,8 @@ err_no_req:
 #else
 
 int
-virNWFilterLearnIPAddress(const char *ifname ATTRIBUTE_UNUSED,
+virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver ATTRIBUTE_UNUSED,
+                          const char *ifname ATTRIBUTE_UNUSED,
                           const char *linkdev ATTRIBUTE_UNUSED,
                           enum virDomainNetType nettype ATTRIBUTE_UNUSED,
                           const unsigned char *macaddr ATTRIBUTE_UNUSED,

diff --git a/src/nwfilter/nwfilter_learnipaddr.h b/src/nwfilter/nwfilter_learnipaddr.h
index ffdd342a958ceba5c22d67ad87983d5041032288..5fd8119f8bbec845c4686500ec52b950997407c0 100644 (file)
--- a/src/nwfilter/nwfilter_learnipaddr.h
+++ b/src/nwfilter/nwfilter_learnipaddr.h
@@ -33,6 +33,7 @@ enum howDetect {
 typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq;
 typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr;
 struct _virNWFilterIPAddrLearnReq {
+    virNWFilterTechDriverPtr techdriver;
     char ifname[IF_NAMESIZE];
     char linkdev[IF_NAMESIZE];
     enum virDomainNetType nettype;
@@ -46,7 +47,8 @@ struct _virNWFilterIPAddrLearnReq {
     pthread_t thread;
 };
 
-int virNWFilterLearnIPAddress(const char *ifname,
+int virNWFilterLearnIPAddress(virNWFilterTechDriverPtr techdriver,
+                              const char *ifname,
                               const char *linkdev,
                               enum virDomainNetType nettype,
                               const unsigned char *macaddr,