diff options
Diffstat (limited to 'main/libvirt/0001-util-refactor-iptables-command-construction-into-mul.patch')
| -rw-r--r-- | main/libvirt/0001-util-refactor-iptables-command-construction-into-mul.patch | 200 |
1 files changed, 200 insertions, 0 deletions
diff --git a/main/libvirt/0001-util-refactor-iptables-command-construction-into-mul.patch b/main/libvirt/0001-util-refactor-iptables-command-construction-into-mul.patch new file mode 100644 index 000000000..6441577b1 --- /dev/null +++ b/main/libvirt/0001-util-refactor-iptables-command-construction-into-mul.patch @@ -0,0 +1,200 @@ +From d1be257a85234f139c073f7c41f845065dd7246e Mon Sep 17 00:00:00 2001 +From: Natanael Copa <ncopa@alpinelinux.org> +Date: Thu, 22 Nov 2012 13:33:23 +0100 +Subject: [PATCH] util: refactor iptables command construction into multiple + steps + +Instead of creating an iptables command in one shot, do it in steps +so we can add conditional options like physdev and protocol. + +This removes code duplication while keeping existing behaviour. + +Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> +--- + src/util/iptables.c | 130 +++++++++++++++++++++++----------------------------- + 1 file changed, 58 insertions(+), 72 deletions(-) + +diff --git a/src/util/iptables.c b/src/util/iptables.c +index 00a1c29..407ca3a 100644 +--- a/src/util/iptables.c ++++ b/src/util/iptables.c +@@ -127,15 +127,10 @@ iptRulesNew(const char *table, + return NULL; + } + +-static int ATTRIBUTE_SENTINEL +-iptablesAddRemoveRule(iptRules *rules, int family, int action, +- const char *arg, ...) ++static virCommandPtr ++iptablesCommandNew(iptRules *rules, int family, int action) + { +- va_list args; +- int ret; + virCommandPtr cmd = NULL; +- const char *s; +- + #if HAVE_FIREWALLD + virIpTablesInitialize(); + if (firewall_cmd_path) { +@@ -152,16 +147,36 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action, + + virCommandAddArgList(cmd, "--table", rules->table, + action == ADD ? "--insert" : "--delete", +- rules->chain, arg, NULL); ++ rules->chain, NULL); ++ return cmd; ++} ++ ++static int ++iptablesCommandRunAndFree(virCommandPtr cmd) ++{ ++ int ret; ++ ret = virCommandRun(cmd, NULL); ++ virCommandFree(cmd); ++ return ret; ++} ++ ++static int ATTRIBUTE_SENTINEL ++iptablesAddRemoveRule(iptRules *rules, int family, int action, ++ const char *arg, ...) ++{ ++ va_list args; ++ virCommandPtr cmd = NULL; ++ const char *s; ++ ++ cmd = iptablesCommandNew(rules, family, action); ++ virCommandAddArg(cmd, arg); + + va_start(args, arg); + while ((s = va_arg(args, const char *))) + virCommandAddArg(cmd, s); + va_end(args); + +- ret = virCommandRun(cmd, NULL); +- virCommandFree(cmd); +- return ret; ++ return iptablesCommandRunAndFree(cmd); + } + + /** +@@ -370,28 +385,24 @@ iptablesForwardAllowOut(iptablesContext *ctx, + { + int ret; + char *networkstr; ++ virCommandPtr cmd = NULL; + + if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) + return -1; + +- if (physdev && physdev[0]) { +- ret = iptablesAddRemoveRule(ctx->forward_filter, +- VIR_SOCKET_ADDR_FAMILY(netaddr), +- action, +- "--source", networkstr, +- "--in-interface", iface, +- "--out-interface", physdev, +- "--jump", "ACCEPT", +- NULL); +- } else { +- ret = iptablesAddRemoveRule(ctx->forward_filter, +- VIR_SOCKET_ADDR_FAMILY(netaddr), +- action, +- "--source", networkstr, +- "--in-interface", iface, +- "--jump", "ACCEPT", +- NULL); +- } ++ cmd = iptablesCommandNew(ctx->forward_filter, ++ VIR_SOCKET_ADDR_FAMILY(netaddr), ++ action); ++ virCommandAddArgList(cmd, ++ "--source", networkstr, ++ "--in-interface", iface, NULL); ++ ++ if (physdev && physdev[0]) ++ virCommandAddArgList(cmd, "--out-interface", physdev, NULL); ++ ++ virCommandAddArgList(cmd, "--jump", "ACCEPT", NULL); ++ ++ ret = iptablesCommandRunAndFree(cmd); + VIR_FREE(networkstr); + return ret; + } +@@ -797,6 +808,7 @@ iptablesForwardMasquerade(iptablesContext *ctx, + { + int ret; + char *networkstr; ++ virCommandPtr cmd = NULL; + + if (!(networkstr = iptablesFormatNetwork(netaddr, prefix))) + return -1; +@@ -810,49 +822,23 @@ iptablesForwardMasquerade(iptablesContext *ctx, + return -1; + } + +- if (protocol && protocol[0]) { +- if (physdev && physdev[0]) { +- ret = iptablesAddRemoveRule(ctx->nat_postrouting, +- AF_INET, +- action, +- "--source", networkstr, +- "-p", protocol, +- "!", "--destination", networkstr, +- "--out-interface", physdev, +- "--jump", "MASQUERADE", +- "--to-ports", "1024-65535", +- NULL); +- } else { +- ret = iptablesAddRemoveRule(ctx->nat_postrouting, +- AF_INET, +- action, +- "--source", networkstr, +- "-p", protocol, +- "!", "--destination", networkstr, +- "--jump", "MASQUERADE", +- "--to-ports", "1024-65535", +- NULL); +- } +- } else { +- if (physdev && physdev[0]) { +- ret = iptablesAddRemoveRule(ctx->nat_postrouting, +- AF_INET, +- action, +- "--source", networkstr, +- "!", "--destination", networkstr, +- "--out-interface", physdev, +- "--jump", "MASQUERADE", +- NULL); +- } else { +- ret = iptablesAddRemoveRule(ctx->nat_postrouting, +- AF_INET, +- action, +- "--source", networkstr, +- "!", "--destination", networkstr, +- "--jump", "MASQUERADE", +- NULL); +- } +- } ++ cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action); ++ virCommandAddArgList(cmd, "--source", networkstr, NULL); ++ ++ if (protocol && protocol[0]) ++ virCommandAddArgList(cmd, "-p", protocol, NULL); ++ ++ virCommandAddArgList(cmd, "!", "--destination", networkstr, NULL); ++ ++ if (physdev && physdev[0]) ++ virCommandAddArgList(cmd, "--out-interface", physdev, NULL); ++ ++ virCommandAddArgList(cmd, "--jump", "MASQUERADE", NULL); ++ ++ if (protocol && protocol[0]) ++ virCommandAddArgList(cmd, "--to-ports", "1024-65535", NULL); ++ ++ ret = iptablesCommandRunAndFree(cmd); + VIR_FREE(networkstr); + return ret; + } +-- +1.8.0.1 + |