From nobody Fri May 3 09:14:30 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) client-ip=170.10.129.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1639338528; cv=none; d=zohomail.com; s=zohoarc; b=VqL1VWBxRgHy4OPM/RpofN5U4lpuXpBlfevfkLgrxWkKes7vGNqKKPlf3tjK3SbPPEKx7vVizjH+sty1YjzwQgUVMpig6C6VZiC1bvzpT7xwCV4W/riKCgGzQgoBHYelE9yiT4yOlUrZWmMasBndEyH3S6cs1HRWowuzRuZECsY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1639338528; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=e4NyEeA3vgajWfUOXoIXh7xi7BZZRvWqPJ9+ULVjWp8=; b=GX/hXnz3gLnQxVcbJ6HbKAPjnLj09I9er0roB3u5qMH/BIW8oK+hNXilnJF42lwN6vbFfa1fhNjpGuxwpKmufe9x4s2V8PAlbSi/nEQg5kGcdj0UbjI1Lvrj3WyUyU0p06ewfptX675bFFMKXsKzppR2PAysWr/b04V7J33kbkU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mx.zohomail.com with SMTPS id 1639338528652341.05688355893074; Sun, 12 Dec 2021 11:48:48 -0800 (PST) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-479-7S9Ts2kmMLukbn5uFcqQJw-1; Sun, 12 
Dec 2021 14:48:44 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B09678042F6; Sun, 12 Dec 2021 19:48:38 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7E5E35D6D7; Sun, 12 Dec 2021 19:48:38 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 790801809CB8; Sun, 12 Dec 2021 19:48:35 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 1BCJmYVa018830 for ; Sun, 12 Dec 2021 14:48:34 -0500 Received: by smtp.corp.redhat.com (Postfix) id 2C6855BE03; Sun, 12 Dec 2021 19:48:34 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.2.16.52]) by smtp.corp.redhat.com (Postfix) with ESMTP id DD1CB5D6D7 for ; Sun, 12 Dec 2021 19:48:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1639338527; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=e4NyEeA3vgajWfUOXoIXh7xi7BZZRvWqPJ9+ULVjWp8=; b=J+GPN5UG9oXevfc6sVmP12WuOgl8w3JzSIpZ5rBBahWkoL7QH6nnoZt4Fy6C98Ij3++Oee OsjLbioFSGZU4GxJQrgxcdK3SLTr5PZTyaErAeqz08Fa9OoIg4LJPoV3z8F5BamhTHX5Kq 6pH/6o2H7rpCjUbdPhvu8Yi8V3ifmwU= X-MC-Unique: 7S9Ts2kmMLukbn5uFcqQJw-1 
From: Laine Stump To: libvir-list@redhat.com Subject: [libvirt PATCH 01/12] network: eliminate code that uses default iptables chains Date: Sun, 12 Dec 2021 14:48:19 -0500 Message-Id: <20211212194830.292379-2-laine@redhat.com> In-Reply-To: <20211212194830.292379-1-laine@redhat.com> References: <20211212194830.292379-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1639338529044100003 Content-Type: text/plain; charset="utf-8"
The network driver has put all its rules into private chains (created by libvirt) since commit 7431b3eb9a, which was included in libvirt-5.1.0. When the conversion was made, code was included that would attempt to delete existing rules in the default chains, to make it possible to upgrade libvirt without restarting the host OS. Almost 3 years have passed, and it is doubtful that anyone will be attempting to upgrade directly from a pre-5.1.0 libvirt to something as new as 8.0.0 (possibly with the exception of upgrading the entire OS to a new release, which would include also rebooting), so it is now safe to remove this code.
Signed-off-by: Laine Stump Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 1 - src/network/bridge_driver_linux.c | 37 ++--------- src/util/viriptables.c | 104 ++++++++++++------------------ src/util/viriptables.h | 2 - 4 files changed, 49 insertions(+), 95 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 7be5b51100..ff6f71054e 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2501,7 +2501,6 @@ iptablesRemoveTcpInput; iptablesRemoveTcpOutput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; -iptablesSetDeletePrivate; iptablesSetupPrivateChains; =20 =20 diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index d2eab33e5f..1c8be7103a 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -37,7 +37,7 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 static virOnceControl createdOnce; static bool chainInitDone; /* true iff networkSetupPrivateChains was ever = called */ -static bool createdChains; /* true iff networkSetupPrivateChains created c= hains during most recent call */ + static virErrorPtr errInitV4; static virErrorPtr errInitV6; =20 @@ -50,7 +50,6 @@ static void networkSetupPrivateChains(void) =20 VIR_DEBUG("Setting up global firewall chains"); =20 - createdChains =3D false; virFreeError(errInitV4); errInitV4 =3D NULL; virFreeError(errInitV6); @@ -63,12 +62,10 @@ static void networkSetupPrivateChains(void) errInitV4 =3D virSaveLastError(); virResetLastError(); } else { - if (rc) { + if (rc) VIR_DEBUG("Created global IPv4 chains"); - createdChains =3D true; - } else { + else VIR_DEBUG("Global IPv4 chains already exist"); - } } =20 rc =3D iptablesSetupPrivateChains(VIR_FIREWALL_LAYER_IPV6); 
@@ -78,12 +75,10 @@ static void networkSetupPrivateChains(void) errInitV6 =3D virSaveLastError(); virResetLastError(); } else { - if (rc) { + if (rc) VIR_DEBUG("Created global IPv6 chains"); - createdChains =3D true; - } else { + else VIR_DEBUG("Global IPv6 chains already exist"); - } } =20 chainInitDone =3D true; @@ -145,7 +140,7 @@ networkHasRunningNetworksWithFW(virNetworkDriverState *= driver) =20 void networkPreReloadFirewallRules(virNetworkDriverState *driver, - bool startup, + bool startup G_GNUC_UNUSED, bool force) { /* @@ -183,31 +178,13 @@ networkPreReloadFirewallRules(virNetworkDriverState *= driver, } =20 ignore_value(virOnce(&createdOnce, networkSetupPrivateChains)); - - /* - * If this is initial startup, and we just created the - * top level private chains we either - * - * - upgraded from old libvirt - * - freshly booted from clean state - * - * In the first case we must delete the old rules from - * the built-in chains, instead of our new private chains. - * In the second case it doesn't matter, since no existing - * rules will be present. Thus we can safely just tell it - * to always delete from the builin chain - */ - if (startup && createdChains) { - VIR_DEBUG("Requesting cleanup of legacy firewall rules"); - iptablesSetDeletePrivate(false); - } } } =20 =20 void networkPostReloadFirewallRules(bool startup G_GNUC_UNUSED) { - iptablesSetDeletePrivate(true); + } =20 =20 diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 721e1eeae7..ac949efba7 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -47,8 +47,6 @@ enum { REMOVE }; =20 -static bool deletePrivate =3D true; - typedef struct { const char *parent; const char *child; @@ -162,17 +160,9 @@ iptablesSetupPrivateChains(virFirewallLayer layer) } =20 =20 -void -iptablesSetDeletePrivate(bool pvt) -{ - deletePrivate =3D pvt; -} - - static void iptablesInput(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int port, int action, 
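Review bot: dropping iptablesSetDeletePrivate() in the @@ -162,17 +160,9 @@ hunk (together with the `deletePrivate` flag removed in the @@ -47,8 +47,6 @@ hunk above it) means every REMOVE path in viriptables.c can now only delete from the LIBVIRT_* chains, so a host whose rules were installed by a pre-5.1.0 libvirt and that is upgraded without a reboot will keep those stale entries in the built-in INPUT/OUTPUT/FORWARD/POSTROUTING chains until they are flushed by hand. The commit message accepts that trade-off, but it belongs in NEWS/release notes as well: an operator of a long-lived host needs to know that a reboot (or a one-time manual cleanup of the legacy chains) is expected when jumping from before 5.1.0 to 8.0.0.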
@@ -186,7 +176,7 @@ iptablesInput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_INP" : "INPUT", + "LIBVIRT_INP", "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -197,7 +187,6 @@ iptablesInput(virFirewall *fw, static void iptablesOutput(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int port, int action, @@ -211,7 +200,7 @@ iptablesOutput(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_OUT" : "OUTPUT", + "LIBVIRT_OUT", "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -234,7 +223,7 @@ iptablesAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, true, iface, port, ADD, 1); + iptablesInput(fw, layer, iface, port, ADD, 1); } =20 /** @@ -252,7 +241,7 @@ iptablesRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1); + iptablesInput(fw, layer, iface, port, REMOVE, 1); } =20 /** @@ -270,7 +259,7 @@ iptablesAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, true, iface, port, ADD, 0); + iptablesInput(fw, layer, iface, port, ADD, 0); } =20 /** @@ -288,7 +277,7 @@ iptablesRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0); + iptablesInput(fw, layer, iface, port, REMOVE, 0); } =20 /** @@ -306,7 +295,7 @@ iptablesAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, true, iface, port, ADD, 1); + iptablesOutput(fw, layer, iface, port, ADD, 1); } =20 /** 
@@ -324,7 +313,7 @@ iptablesRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 1); + iptablesOutput(fw, layer, iface, port, REMOVE, 1); } =20 /** @@ -342,7 +331,7 @@ iptablesAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, true, iface, port, ADD, 0); + iptablesOutput(fw, layer, iface, port, ADD, 0); } =20 /** @@ -360,7 +349,7 @@ iptablesRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, iface, port, REMOVE, 0); } =20 =20 @@ -400,7 +389,6 @@ static char *iptablesFormatNetwork(virSocketAddr *netad= dr, */ static int iptablesForwardAllowOut(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -418,7 +406,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWO" : "FORWARD", + "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -428,7 +416,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWO" : "FORWARD", + "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -457,7 +445,7 @@ iptablesAddForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physd= ev, ADD); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, AD= D); } =20 /** 
@@ -480,7 +468,7 @@ iptablesRemoveForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, ifa= ce, physdev, REMOVE); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, RE= MOVE); } =20 =20 @@ -489,7 +477,6 @@ iptablesRemoveForwardAllowOut(virFirewall *fw, */ static int iptablesForwardAllowRelatedIn(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -507,7 +494,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -519,7 +506,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -550,7 +537,7 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface,= physdev, ADD); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, ADD); } =20 /** @@ -573,14 +560,13 @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefi= x, iface, physdev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, REMOVE); } =20 /* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, 
@@ -598,7 +584,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -608,7 +594,7 @@ iptablesForwardAllowIn(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -636,7 +622,7 @@ iptablesAddForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physde= v, ADD); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD= ); } =20 /** @@ -659,20 +645,19 @@ iptablesRemoveForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, ifac= e, physdev, REMOVE); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REM= OVE); } =20 static void iptablesForwardAllowCross(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWX" : "FORWARD", + "LIBVIRT_FWX", "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -695,7 +680,7 @@ iptablesAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, true, iface, ADD); + iptablesForwardAllowCross(fw, layer, iface, ADD); } =20 /** 
@@ -714,20 +699,19 @@ iptablesRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, iface, REMOVE); } =20 static void iptablesForwardRejectOut(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWO" : "FORWARD", + "LIBVIRT_FWO", "--in-interface", iface, "--jump", "REJECT", NULL); @@ -748,7 +732,7 @@ iptablesAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, true, iface, ADD); + iptablesForwardRejectOut(fw, layer, iface, ADD); } =20 /** @@ -766,21 +750,20 @@ iptablesRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, iface, REMOVE); } =20 =20 static void iptablesForwardRejectIn(virFirewall *fw, virFirewallLayer layer, - bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_FWI" : "FORWARD", + "LIBVIRT_FWI", "--out-interface", iface, "--jump", "REJECT", NULL); @@ -801,7 +784,7 @@ iptablesAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, true, iface, ADD); + iptablesForwardRejectIn(fw, layer, iface, ADD); } =20 /** @@ -819,7 +802,7 @@ iptablesRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, iface, REMOVE); } =20 =20 
@@ -828,7 +811,6 @@ iptablesRemoveForwardRejectIn(virFirewall *fw, */ static int iptablesForwardMasquerade(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -863,7 +845,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule =3D virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--dele= te", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -872,7 +854,7 @@ iptablesForwardMasquerade(virFirewall *fw, rule =3D virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--dele= te", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -944,7 +926,7 @@ iptablesAddForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, true, netaddr, prefix, + return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, ADD); } =20 @@ -970,7 +952,7 @@ iptablesRemoveForwardMasquerade(virFirewall *fw, virPortRange *port, const char *protocol) { - return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix, + return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port, protocol, REMOVE= ); } =20 @@ -980,7 +962,6 @@ iptablesRemoveForwardMasquerade(virFirewall *fw, */ static int iptablesForwardDontMasquerade(virFirewall *fw, - bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -998,7 +979,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, 
@@ -1008,7 +989,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallAddRule(fw, layer, "--table", "nat", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -1038,7 +1019,7 @@ iptablesAddDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, true, netaddr, prefix, + return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, ADD); } =20 @@ -1063,14 +1044,13 @@ iptablesRemoveDontMasquerade(virFirewall *fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefi= x, + return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr, REMOVE); } =20 =20 static void iptablesOutputFixUdpChecksum(virFirewall *fw, - bool pvt, const char *iface, int port, int action) @@ -1083,7 +1063,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", action =3D=3D ADD ? "--insert" : "--delete", - pvt ? "LIBVIRT_PRT" : "POSTROUTING", + "LIBVIRT_PRT", "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, @@ -1107,7 +1087,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, iface, port, ADD); } =20 /** @@ -1124,5 +1104,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); } diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 41c493d3eb..bb13f3292d 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h 
@@ -25,8 +25,6 @@ =20 int iptablesSetupPrivateChains (virFirewallLayer layer); =20 -void iptablesSetDeletePrivate (bool pvt); - void iptablesAddTcpInput (virFirewall *fw, virFirewallLayer layer, const char *iface, --=20 2.33.1
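Review bot: in the bridge_driver_linux.c hunk at @@ -183,31 +178,13 @@, networkPostReloadFirewallRules() is reduced to a body consisting of a single blank `+` line, and its `startup` argument, like the one in networkPreReloadFirewallRules() just above it, is now G_GNUC_UNUSED. If nothing else still needs the post-reload hook, remove the function and its call site (here, or in an immediately following patch) rather than leave an empty exported function behind; if it is kept as a placeholder, say so in a comment and drop the stray blank line. The same style point applies to the @@ -37,7 +37,7 @@ hunk, where the `createdChains` declaration is replaced by an empty `+` line instead of being deleted, leaving two consecutive blank lines.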
From: Laine Stump To: libvir-list@redhat.com Subject: [libvirt PATCH 02/12] util: rename/move iptablesFormatNetwork to virSocketAddrFormatWithPrefix Date: Sun, 12 Dec 2021 14:48:20 -0500 Message-Id: <20211212194830.292379-3-laine@redhat.com> In-Reply-To: <20211212194830.292379-1-laine@redhat.com> References: <20211212194830.292379-1-laine@redhat.com>
This function formats an address + prefix as, e.g. 192.168.122.0/24, which is useful in places other than iptables. Move it to virsocketaddr.c and make it public so that others can use it. While moving, the bit that masks off the host bits of the address is made optional, so that the function is more generally useful. Signed-off-by: Laine Stump Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 1 + src/util/viriptables.c | 41 +++++-------------------------- src/util/virsocketaddr.c | 44 ++++++++++++++++++++++++++++++++++++++++ src/util/virsocketaddr.h | 3 +++ 4 files changed, 53 insertions(+), 36 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index ff6f71054e..72b38a970d 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -3269,6 +3269,7 @@ virSocketAddrCheckNetmask; virSocketAddrEqual; virSocketAddrFormat; virSocketAddrFormatFull; +virSocketAddrFormatWithPrefix; virSocketAddrGetIPPrefix; virSocketAddrGetNumNetmaskBits; virSocketAddrGetPath; diff --git a/src/util/viriptables.c b/src/util/viriptables.c index ac949efba7..78d979cfe8 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -353,37 +353,6 @@ iptablesRemoveUdpOutput(virFirewall *fw, } =20 =20 -static char *iptablesFormatNetwork(virSocketAddr *netaddr, - unsigned int prefix) -{ - virSocketAddr network; - g_autofree char *netstr =3D NULL; - char *ret; - - if (!(VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET) || - VIR_SOCKET_ADDR_IS_FAMILY(netaddr, AF_INET6))) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("Only IPv4 or IPv6 addresses can be used with ipt= ables")); - return NULL; - } - - if (virSocketAddrMaskByPrefix(netaddr, prefix, &network) < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Failure to mask address")); - return NULL; - } - - netstr =3D virSocketAddrFormat(&network); - - if (!netstr) - return NULL; - - ret =3D g_strdup_printf("%s/%d", netstr, prefix); - - return ret; -} - - /* Allow all traffic coming from the bridge, with a valid network address * to proceed to WAN */ @@ -399,7 +368,7 @@ iptablesForwardAllowOut(virFirewall *fw, virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; =20 - if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) return -1; =20 if (physdev && physdev[0]) 
@@ -487,7 +456,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; g_autofree char *networkstr =3D NULL; =20 - if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) return -1; =20 if (physdev && physdev[0]) @@ -577,7 +546,7 @@ iptablesForwardAllowIn(virFirewall *fw, VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; g_autofree char *networkstr =3D NULL; =20 - if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) return -1; =20 if (physdev && physdev[0]) @@ -829,7 +798,7 @@ iptablesForwardMasquerade(virFirewall *fw, virFirewallLayer layer =3D af =3D=3D AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; =20 - if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) return -1; =20 if (VIR_SOCKET_ADDR_IS_FAMILY(&addr->start, af)) { @@ -972,7 +941,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, virFirewallLayer layer =3D VIR_SOCKET_ADDR_FAMILY(netaddr) =3D=3D AF_I= NET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; =20 - if (!(networkstr =3D iptablesFormatNetwork(netaddr, prefix))) + if (!(networkstr =3D virSocketAddrFormatWithPrefix(netaddr, prefix, tr= ue))) return -1; =20 if (physdev && physdev[0]) diff --git a/src/util/virsocketaddr.c b/src/util/virsocketaddr.c index 94cbfc6264..430e43f2eb 100644 --- a/src/util/virsocketaddr.c +++ b/src/util/virsocketaddr.c 
@@ -511,6 +511,50 @@ virSocketAddrFormatFull(const virSocketAddr *addr, } =20 =20 +/* + * virSocketAddrFormatWithPrefix: + * @addr: an initialized virSocketAddr * + * @prefix: an IP network prefix (0-32 if IPv4, 0-128 if IPv6) + * @masked: true to mask off the host bits of the address + * + * Returns a string representation of the IP network described by + * @netaddr/@prefix. If @masked is true, the address is masked to + * remove the host bits according to prefix. So, for example, sending + * f(1.2.3.4, 24, true) would return "1.2.3.0/24", but f(1.2.3.4, 24, + * false) would return "1.2.3.4/24". + * + * returns false on failure (and logs an error message) + */ +char * +virSocketAddrFormatWithPrefix(virSocketAddr *addr, + unsigned int prefix, + bool masked) +{ + virSocketAddr network; + g_autofree char *netstr =3D NULL; + + if (!(VIR_SOCKET_ADDR_IS_FAMILY(addr, AF_INET) || + VIR_SOCKET_ADDR_IS_FAMILY(addr, AF_INET6))) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Only IPv4 or IPv6 addresses can be used with a p= refix")); + return NULL; + } + + if (masked && virSocketAddrMaskByPrefix(addr, prefix, &network) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Failure to mask address")); + return NULL; + } + + netstr =3D virSocketAddrFormat(&network); + + if (!netstr) + return NULL; + + return g_strdup_printf("%s/%d", netstr, prefix); +} + + /* * virSocketAddrSetPort: * @addr: an initialized virSocketAddr * diff --git a/src/util/virsocketaddr.h b/src/util/virsocketaddr.h index f76e229730..ec265d6e44 100644 --- a/src/util/virsocketaddr.h +++ b/src/util/virsocketaddr.h 
@@ -88,6 +88,9 @@ char *virSocketAddrFormat(const virSocketAddr *addr); char *virSocketAddrFormatFull(const virSocketAddr *addr, bool withService, const char *separator); +char *virSocketAddrFormatWithPrefix(virSocketAddr *addr, + unsigned int prefix, + bool masked); =20 char *virSocketAddrGetPath(virSocketAddr *addr); =20 --=20 2.33.1
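Review bot: in the virsocketaddr.c hunk (`@@ -511,6 +511,50 @@ virSocketAddrFormatFull`), `network` is only filled in on the `masked` path, yet `netstr = virSocketAddrFormat(&network)` runs unconditionally, so the documented `f(1.2.3.4, 24, false)` -> "1.2.3.4/24" case formats an uninitialized virSocketAddr. Either copy the input first (`network = *addr;` ahead of the `if (masked && ...)`) or format `masked ? &network : addr`. The doc comment also needs tidying before this merges: it refers to `@netaddr` while the parameter is `@addr`, says "returns false on failure" although the return type is `char *` (it returns NULL), and states a 0-32/0-128 range for @prefix that nothing in this function checks on the unmasked path; and `%d` for an `unsigned int` prefix should be `%u`.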
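Review bot: in the virsocketaddr.h hunk, the new prototype takes a non-const `virSocketAddr *addr`, while the adjacent `virSocketAddrFormat` and `virSocketAddrFormatFull` declarations take `const virSocketAddr *`. The body added in the .c hunk only reads @addr, so `const virSocketAddr *addr` is the accurate signature (in both the header and the definition) and lets callers pass const pointers without a cast.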
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 03/12] util: rename iptables operators to something less generic
Date: Sun, 12 Dec 2021 14:48:21 -0500
Message-Id: <20211212194830.292379-4-laine@redhat.com>
In-Reply-To: <20211212194830.292379-1-laine@redhat.com>
References: <20211212194830.292379-1-laine@redhat.com>

Rather than calling these "ADD" and "REMOVE", which could be confused with some other random items with the same names, make them more specific by prepending "VIR_NETFILTER_" (because they will also be used by the nftables backend) and rename them to match the iptables/nftables operators they signify, i.e. INSERT and DELETE, just to eliminate confusion (in particular, in case someone ever decides that we need to also use the nftables "add" operator, which appends a rule to a chain rather than inserting it at the beginning of the chain).
Signed-off-by: Laine Stump Reviewed-by: Michal Privoznik --- src/util/viriptables.c | 97 +++++++++++++++++++++++------------------- 1 file changed, 53 insertions(+), 44 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 78d979cfe8..d2bc10a652 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -43,8 +43,8 @@ VIR_LOG_INIT("util.iptables"); #define VIR_FROM_THIS VIR_FROM_NONE =20 enum { - ADD =3D 0, - REMOVE + VIR_NETFILTER_INSERT =3D 0, + VIR_NETFILTER_DELETE }; =20 typedef struct { @@ -175,7 +175,7 @@ iptablesInput(virFirewall *fw, =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_INP", "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -199,7 +199,7 @@ iptablesOutput(virFirewall *fw, =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_OUT", "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -223,7 +223,7 @@ iptablesAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 1); + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); } =20 /** @@ -241,7 +241,7 @@ iptablesRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 1); + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); } =20 /** @@ -259,7 +259,7 @@ iptablesAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 0); + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); } =20 /** @@ -277,7 +277,7 @@ iptablesRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 0); + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); } =20 /** 
@@ -295,7 +295,7 @@ iptablesAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 1); + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); } =20 /** @@ -313,7 +313,7 @@ iptablesRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 1); + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); } =20 /** @@ -331,7 +331,7 @@ iptablesAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 0); + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); } =20 /** @@ -349,7 +349,7 @@ iptablesRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); } =20 =20 @@ -374,7 +374,7 @@ iptablesForwardAllowOut(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, @@ -384,7 +384,7 @@ iptablesForwardAllowOut(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, @@ -414,7 +414,8 @@ iptablesAddForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, AD= D); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); } =20 /** 
@@ -437,7 +438,8 @@ iptablesRemoveForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, RE= MOVE); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); } =20 =20 @@ -462,7 +464,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, @@ -474,7 +476,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, @@ -506,7 +508,8 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, ADD); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, + VIR_NETFILTER_INSERT); } =20 /** @@ -529,7 +532,8 @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, + VIR_NETFILTER_DELETE); } =20 /* Allow all traffic destined to the bridge, with a valid network address @@ -552,7 +556,7 @@ iptablesForwardAllowIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, 
@@ -562,7 +566,7 @@ iptablesForwardAllowIn(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, @@ -591,7 +595,8 @@ iptablesAddForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD= ); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); } =20 /** @@ -614,7 +619,8 @@ iptablesRemoveForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REM= OVE); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); } =20 static void @@ -625,7 +631,7 @@ iptablesForwardAllowCross(virFirewall *fw, { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_FWX", "--in-interface", iface, "--out-interface", iface, @@ -649,7 +655,7 @@ iptablesAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, ADD); + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); } =20 /** @@ -668,7 +674,7 @@ iptablesRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); } =20 static void @@ -679,7 +685,7 @@ iptablesForwardRejectOut(virFirewall *fw, { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_FWO", "--in-interface", iface, "--jump", "REJECT", 
@@ -701,7 +707,7 @@ iptablesAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, ADD); + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); } =20 /** @@ -719,7 +725,7 @@ iptablesRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); } =20 =20 @@ -731,7 +737,7 @@ iptablesForwardRejectIn(virFirewall *fw, { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_FWI", "--out-interface", iface, "--jump", "REJECT", @@ -753,7 +759,7 @@ iptablesAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, ADD); + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); } =20 /** @@ -771,7 +777,7 @@ iptablesRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); } =20 =20 @@ -813,7 +819,7 @@ iptablesForwardMasquerade(virFirewall *fw, if (protocol && protocol[0]) { rule =3D virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", + action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", "LIBVIRT_PRT", "--source", networkstr, "-p", protocol, @@ -822,7 +828,7 @@ iptablesForwardMasquerade(virFirewall *fw, } else { rule =3D virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", + action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", "LIBVIRT_PRT", "--source", networkstr, "!", "--destination", networkstr, 
@@ -896,7 +902,8 @@ iptablesAddForwardMasquerade(virFirewall *fw, const char *protocol) { return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, ADD); + physdev, addr, port, protocol, + VIR_NETFILTER_INSERT); } =20 /** @@ -922,7 +929,8 @@ iptablesRemoveForwardMasquerade(virFirewall *fw, const char *protocol) { return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, REMOVE= ); + physdev, addr, port, protocol, + VIR_NETFILTER_DELETE); } =20 =20 @@ -947,7 +955,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_PRT", "--out-interface", physdev, "--source", networkstr, @@ -957,7 +965,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_PRT", "--source", networkstr, "--destination", destaddr, @@ -989,7 +997,7 @@ iptablesAddDontMasquerade(virFirewall *fw, const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, ADD); + physdev, destaddr, VIR_NETFILTER_= INSERT); } =20 /** @@ -1014,7 +1022,8 @@ iptablesRemoveDontMasquerade(virFirewall *fw, const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, REMOVE); + physdev, destaddr, + VIR_NETFILTER_DELETE); } =20 =20 @@ -1031,7 +1040,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_PRT", "--out-interface", iface, "--protocol", "udp", 
@@ -1056,7 +1065,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT); } =20 /** 
@@ -1073,5 +1082,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); } --=20 2.33.1
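Review bot: in the `@@ -43,8 +43,8 @@` hunk, VIR_NETFILTER_INSERT/VIR_NETFILTER_DELETE stay an anonymous enum private to viriptables.c even though the commit message says the nftables backend will use them too, and every `action == VIR_NETFILTER_INSERT ? "--insert" : "--delete"` site in the file still receives `action` as a plain int, so any other value silently turns into "--delete". Suggest naming the enum (e.g. a `virNetfilterAction` typedef) in a header both backends can include and using it as the parameter type so the compiler checks the argument; a single helper mapping the enum to the iptables flag would also remove the ternary repeated in a dozen functions.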
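Review bot: in the `@@ -989,7 +997,7 @@ iptablesAddDontMasquerade` hunk the argument list is kept on one line (`physdev, destaddr, VIR_NETFILTER_INSERT);`), whereas the sibling hunks for iptablesRemoveDontMasquerade, iptablesAddForwardMasquerade and the ForwardAllow* wrappers put the new constant on its own line. Wrap it the same way here so the style is consistent across the file.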
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 04/12] tests: remove firewalld backend tests from virfirewalltest.c
Date: Sun, 12 Dec 2021 14:48:22 -0500
Message-Id: <20211212194830.292379-5-laine@redhat.com>
In-Reply-To: <20211212194830.292379-1-laine@redhat.com>
References: <20211212194830.292379-1-laine@redhat.com>

When libvirt added support for firewalld, all iptables/ebtables rules were added via the firewalld "passthrough" API when firewalld was enabled (the "firewalld backend"), or run directly by libvirt when firewalld was disabled (the so-called "direct backend"). virfirewalltest.c dutifully ran each test twice, once with each backend enabled.

But commit b19863640d changed the code to *always* directly run iptables/ebtables commands, and never use the firewalld passthrough API, effectively making the direct and firewalld backends identical, except that when libvirt receives notice that firewalld has restarted or reloaded its rules, the firewalld backend sends an extra "iptables -V" command via firewalld's passthrough API (and waits for a response) prior to running all the rest of the iptables commands directly; this assures that a newly-restarted firewalld has finished its work on the filter tables before libvirt starts messing with it. (Because this code is only executed in response to an event from dbus, it isn't tested in the unit tests).

In spite of this, we still go through all the virfirewall tests twice though - once for the direct backend, and once for the firewalld backend, even though these take the same codepath.

In commit b19863640d I had left this double-testing in thinking that someday we might go back to actually doing something useful with the firewalld backend in the course of adding support for native nftables, but I've now realized that for the case of nftables we will be *even more* divorced from firewalld, so there is really no point in keeping this code around any longer. (It's likely/probable that the tests will be done twice again in the future, but it will be enough different that it is better to remove this code and re-implement from scratch when adding the nftables backend, rather than trying to directly modify the existing code and end up with something even more confusing).

This patch eliminates all the test duplication in virfirewalltest.c, including mocking dbus, which is unnecessary since none of the tests use dbus (for now we ensure that by explicitly setting the virfirewall backend to DIRECT before any of the tests have run. Eventually the concept of a "firewalld backend" will disappear completely, but that's for another patch.)
Signed-off-by: Laine Stump Reviewed-by: Michal Privoznik --- tests/virfirewalltest.c | 293 +++------------------------------------- 1 file changed, 20 insertions(+), 273 deletions(-) diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index c6f4ca05e2..e6c41d89fa 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -35,10 +35,6 @@ =20 # define VIR_FROM_THIS VIR_FROM_FIREWALL =20 -static bool fwDisabled =3D true; -static virBuffer *fwBuf; -static bool fwError; - # define TEST_FILTER_TABLE_LIST \ "Chain INPUT (policy ACCEPT)\n" \ "target prot opt source destination\n" \ 
@@ -62,124 +58,9 @@ static bool fwError; "Chain POSTROUTING (policy ACCEPT)\n" \ "target prot opt source destination\n" =20 -VIR_MOCK_WRAP_RET_ARGS(g_dbus_connection_call_sync, - GVariant *, - GDBusConnection *, connection, - const gchar *, bus_name, - const gchar *, object_path, - const gchar *, interface_name, - const gchar *, method_name, - GVariant *, parameters, - const GVariantType *, reply_type, - GDBusCallFlags, flags, - gint, timeout_msec, - GCancellable *, cancellable, - GError **, error) -{ - GVariant *reply =3D NULL; - g_autoptr(GVariant) params =3D parameters; - - if (params) - g_variant_ref_sink(params); - - VIR_MOCK_REAL_INIT(g_dbus_connection_call_sync); - - if (STREQ(bus_name, "org.freedesktop.DBus") && - STREQ(method_name, "ListNames")) { - GVariantBuilder builder; - - g_variant_builder_init(&builder, G_VARIANT_TYPE("(as)")); - g_variant_builder_open(&builder, G_VARIANT_TYPE("as")); - - g_variant_builder_add(&builder, "s", "org.foo.bar.wizz"); - - if (!fwDisabled) - g_variant_builder_add(&builder, "s", VIR_FIREWALL_FIREWALLD_SE= RVICE); - - g_variant_builder_close(&builder); - - reply =3D g_variant_builder_end(&builder); - } else if (STREQ(bus_name, VIR_FIREWALL_FIREWALLD_SERVICE) && - STREQ(method_name, "passthrough")) { - g_autoptr(GVariantIter) iter =3D NULL; - static const size_t maxargs =3D 5; - g_auto(GStrv) args =3D NULL; - size_t nargs =3D 0; - char *type =3D NULL; - char *item =3D NULL; - bool isAdd =3D false; - bool doError =3D false; - - g_variant_get(params, "(&sas)", &type, &iter); - - args =3D g_new0(char *, maxargs); - - if (fwBuf) { - if (STREQ(type, "ipv4")) - virBufferAddLit(fwBuf, IPTABLES); - else if (STREQ(type, "ipv6")) - virBufferAddLit(fwBuf, IP6TABLES); - else - virBufferAddLit(fwBuf, EBTABLES); - } - - while (g_variant_iter_loop(iter, "s", &item)) { - /* Fake failure on the command with this IP addr */ - if (STREQ(item, "-A")) { - isAdd =3D true; - } else if (isAdd && STREQ(item, "192.168.122.255")) { - doError =3D true; 
- } - - if (nargs < maxargs) - args[nargs] =3D g_strdup(item); - nargs++; - - if (fwBuf) { - virBufferAddLit(fwBuf, " "); - virBufferEscapeShell(fwBuf, item); - } - } - - if (fwBuf) - virBufferAddLit(fwBuf, "\n"); - - if (doError) { - if (error) - *error =3D g_dbus_error_new_for_dbus_error("org.firewalld.= error", - "something bad ha= ppened"); - } else { - if (nargs =3D=3D 2 && - STREQ(type, "ipv4") && - STREQ(args[0], "-w") && - STREQ(args[1], "-L")) { - reply =3D g_variant_new("(s)", TEST_FILTER_TABLE_LIST); - } else if (nargs =3D=3D 4 && - STREQ(type, "ipv4") && - STREQ(args[0], "-w") && - STREQ(args[1], "-t") && - STREQ(args[2], "nat") && - STREQ(args[3], "-L")) { - reply =3D g_variant_new("(s)", TEST_NAT_TABLE_LIST); - } else { - reply =3D g_variant_new("(s)", "success"); - } - } - } else { - reply =3D g_variant_new("()"); - } - - return reply; -} - -struct testFirewallData { - virFirewallBackend tryBackend; - virFirewallBackend expectBackend; - bool fwDisabled; -}; =20 static int -testFirewallSingleGroup(const void *opaque) +testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); 
@@ -188,18 +69,10 @@ testFirewallSingleGroup(const void *opaque) const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n"; - const struct testFirewallData *data =3D opaque; - g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL= ); - else - fwBuf =3D &cmdbuf; + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL); =20 virFirewallStartTransaction(fw, 0); =20 @@ -226,13 +99,12 @@ testFirewallSingleGroup(const void *opaque) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 =20 static int -testFirewallRemoveRule(const void *opaque) +testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); 
@@ -241,19 +113,10 @@ testFirewallRemoveRule(const void *opaque) const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n"; - const struct testFirewallData *data =3D opaque; virFirewallRule *fwrule; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; - - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL= ); - else - fwBuf =3D &cmdbuf; + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL); =20 virFirewallStartTransaction(fw, 0); =20 @@ -286,7 +149,6 @@ testFirewallRemoveRule(const void *opaque) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 @@ -303,18 +165,9 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSE= D) IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n" IPTABLES " -w -A OUTPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A OUTPUT --jump DROP\n"; - const struct testFirewallData *data =3D opaque; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; - - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL= ); - else - fwBuf =3D &cmdbuf; + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL); =20 virFirewallStartTransaction(fw, 0); =20 @@ -353,7 +206,6 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 
@@ -391,20 +243,9 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_= UNUSED) IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n" IPTABLES " -w -A OUTPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A OUTPUT --jump DROP\n"; - const struct testFirewallData *data =3D opaque; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; - - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewa= llRollbackHook, NULL); - } else { - fwBuf =3D &cmdbuf; - fwError =3D true; - } + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRo= llbackHook, NULL); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -443,7 +284,6 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_U= NUSED) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 @@ -460,20 +300,9 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_U= NUSED) IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n" IPTABLES " -w -A OUTPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A OUTPUT --jump DROP\n"; - const struct testFirewallData *data =3D opaque; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; - - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewa= llRollbackHook, NULL); - } else { - fwBuf =3D &cmdbuf; - fwError =3D true; - } + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRo= llbackHook, NULL); =20 virFirewallStartTransaction(fw, 0); =20 
@@ -511,7 +340,6 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UN= USED) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 @@ -526,20 +354,9 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSE= D) const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n"; - const struct testFirewallData *data =3D opaque; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; - - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewa= llRollbackHook, NULL); - } else { - fwBuf =3D &cmdbuf; - fwError =3D true; - } + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRo= llbackHook, NULL); =20 virFirewallStartTransaction(fw, 0); =20 @@ -573,7 +390,6 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 
@@ -590,20 +406,9 @@ testFirewallSingleRollback(const void *opaque G_GNUC_U= NUSED) IPTABLES " -w -D INPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -D INPUT --source 192.168.122.255 --jump REJECT\n" IPTABLES " -w -D INPUT --source '!192.168.122.1' --jump REJECT\n"; - const struct testFirewallData *data =3D opaque; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; - - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewa= llRollbackHook, NULL); - } else { - fwError =3D true; - fwBuf =3D &cmdbuf; - } + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRo= llbackHook, NULL); =20 virFirewallStartTransaction(fw, 0); =20 @@ -654,7 +459,6 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UN= USED) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 
@@ -670,20 +474,9 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNU= SED) IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n" IPTABLES " -w -D INPUT --source 192.168.122.255 --jump REJECT\n" IPTABLES " -w -D INPUT --source '!192.168.122.1' --jump REJECT\n"; - const struct testFirewallData *data =3D opaque; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; - - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewa= llRollbackHook, NULL); - } else { - fwBuf =3D &cmdbuf; - fwError =3D true; - } + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRo= llbackHook, NULL); =20 virFirewallStartTransaction(fw, 0); =20 @@ -738,7 +531,6 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUS= ED) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 
@@ -758,20 +550,9 @@ testFirewallChainedRollback(const void *opaque G_GNUC_= UNUSED) IPTABLES " -w -D INPUT --source '!192.168.122.1' --jump REJECT\n" IPTABLES " -w -D INPUT --source 192.168.122.255 --jump REJECT\n" IPTABLES " -w -D INPUT --source '!192.168.122.1' --jump REJECT\n"; - const struct testFirewallData *data =3D opaque; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; - - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewa= llRollbackHook, NULL); - } else { - fwBuf =3D &cmdbuf; - fwError =3D true; - } + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRo= llbackHook, NULL); =20 virFirewallStartTransaction(fw, 0); =20 @@ -852,7 +633,6 @@ testFirewallChainedRollback(const void *opaque G_GNUC_U= NUSED) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 
@@ -952,22 +732,12 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) IPTABLES " -w -A INPUT --source '!192.168.122.129' --jump REJECT\n" IPTABLES " -w -A INPUT --source 192.168.122.128 --jump REJECT\n" IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n"; - const struct testFirewallData *data =3D opaque; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 expectedLineNum =3D 0; expectedLineError =3D false; - fwDisabled =3D data->fwDisabled; - if (virFirewallSetBackend(data->tryBackend) < 0) - goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || - data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewa= llQueryHook, NULL); - } else { - fwBuf =3D &cmdbuf; - fwError =3D true; - } + virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallQu= eryHook, NULL); =20 virFirewallStartTransaction(fw, 0); =20 @@ -1030,7 +800,6 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) =20 ret =3D 0; cleanup: - fwBuf =3D NULL; return ret; } =20 
@@ -1040,40 +809,15 @@ mymain(void) { int ret =3D 0; =20 -# define RUN_TEST_DIRECT(name, method) \ - do { \ - struct testFirewallData data; \ - data.tryBackend =3D VIR_FIREWALL_BACKEND_AUTOMATIC; \ - data.expectBackend =3D VIR_FIREWALL_BACKEND_DIRECT; \ - data.fwDisabled =3D true; \ - if (virTestRun(name " auto direct", method, &data) < 0) \ - ret =3D -1; \ - data.tryBackend =3D VIR_FIREWALL_BACKEND_DIRECT; \ - data.expectBackend =3D VIR_FIREWALL_BACKEND_DIRECT; \ - data.fwDisabled =3D true; \ - if (virTestRun(name " manual direct", method, &data) < 0) \ - ret =3D -1; \ - } while (0) + if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) + return EXIT_FAILURE; =20 -# define RUN_TEST_FIREWALLD(name, method) \ +# define RUN_TEST(name, method) \ do { \ - struct testFirewallData data; \ - data.tryBackend =3D VIR_FIREWALL_BACKEND_AUTOMATIC; \ - data.expectBackend =3D VIR_FIREWALL_BACKEND_FIREWALLD; \ - data.fwDisabled =3D false; \ - if (virTestRun(name " auto firewalld", method, &data) < 0) \ - ret =3D -1; \ - data.tryBackend =3D VIR_FIREWALL_BACKEND_FIREWALLD; \ - data.expectBackend =3D VIR_FIREWALL_BACKEND_FIREWALLD; \ - data.fwDisabled =3D false; \ - if (virTestRun(name " manual firewalld", method, &data) < 0) \ + if (virTestRun(name, method, NULL) < 0) \ ret =3D -1; \ } while (0) =20 -# define RUN_TEST(name, method) \ - RUN_TEST_DIRECT(name, method); \ - RUN_TEST_FIREWALLD(name, method) - RUN_TEST("single group", testFirewallSingleGroup); RUN_TEST("remove rule", testFirewallRemoveRule); RUN_TEST("many groups", testFirewallManyGroups); 
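Review bot: in the mymain hunk (@@ -1040,40 +809,15 @@), `if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) return EXIT_FAILURE;` exits without printing anything, so a failure to select the backend gives the test runner no diagnostic; an `fprintf(stderr, ...)` before the return would help. Also, deleting RUN_TEST_FIREWALLD means the "auto firewalld" / "manual firewalld" variants are no longer exercised at all; since the point of this series is that both backends end up in virFirewallApplyRuleDirect() anyway (PATCH 07/12), that is presumably intended, but the commit message should state the coverage loss explicitly.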
@@ -1088,8 +832,11 @@ mymain(void) return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; } =20 +# if 0 VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virgdbus"), VIR_TEST_MOCK("virfirewall")) +# endif +VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall")) =20 #else /* ! defined (__linux__) */ =20 --=20 2.33.1
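Review bot: the `+# if 0` / `+# endif` wrapped around the old VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virgdbus"), VIR_TEST_MOCK("virfirewall")) line (hunk @@ -1088,8 +832,11 @@) leaves preprocessor-disabled dead code in the test source. Either delete that line outright, since git history keeps it, or replace the `#if 0` with a one-line comment saying why the virgdbus mock is no longer needed here now that this test only sets the DIRECT backend; PATCH 06/12 adds exactly that kind of note to networkxml2firewalltest.c.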
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 05/12] tests: remove unnecessary ret variables and cleanup labels
Date: Sun, 12 Dec 2021 14:48:23 -0500
Message-Id: <20211212194830.292379-6-laine@redhat.com>
In-Reply-To: <20211212194830.292379-1-laine@redhat.com>
References: <20211212194830.292379-1-laine@redhat.com>
List-Id: Development discussions about the libvirt library & tools
Content-Transfer-Encoding: quoted-printable

Several functions were simplified to remove the only cleanup code at the cleanup label, making it unnecessary.

Signed-off-by: Laine Stump
Reviewed-by: Michal Privoznik
---
 tests/virfirewalltest.c | 92 ++++++++++++++--------------------------
 1 file changed, 31 insertions(+), 61 deletions(-)

diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
index e6c41d89fa..724d3081f1 100644
--- a/tests/virfirewalltest.c
+++ b/tests/virfirewalltest.c
@@ -64,7 +64,6 @@ testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -87,19 +86,17 @@ testFirewallSingleGroup(const void *opaque G_GNUC_UNUSE= D) "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) - goto cleanup; + return -1; =20 actual =3D virBufferCurrentContent(&cmdbuf); =20 if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 =20 @@ -108,7 +105,6 @@ testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -137,19 +133,17 @@ testFirewallRemoveRule(const void *opaque G_GNUC_UNUS= ED) virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) - goto cleanup; + return -1; =20 actual =3D virBufferCurrentContent(&cmdbuf); =20 if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 =20 @@ -158,7 +152,6 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" 
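Review bot: with `ret` gone (hunks @@ -64,7 +64,6 @@, @@ -108,7 +105,6 @@ and @@ -158,7 +152,6 @@), `const char *actual = NULL;` is now always overwritten by `actual = virBufferCurrentContent(&cmdbuf);` before any read, so the NULL initializer is redundant and could go in the same sweep. The early `return -1` paths are only safe because cmdbuf and fw are g_auto(virBuffer)/g_autoptr(virFirewall), as the top of each function shows; one sentence saying so in the commit message would stop someone re-adding a cleanup label later.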
@@ -194,19 +187,17 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUS= ED) =20 =20 if (virFirewallApply(fw) < 0) - goto cleanup; + return -1; =20 actual =3D virBufferCurrentContent(&cmdbuf); =20 if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 static void @@ -236,7 +227,6 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_U= NUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -272,19 +262,17 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC= _UNUSED) =20 =20 if (virFirewallApply(fw) < 0) - goto cleanup; + return -1; =20 actual =3D virBufferCurrentContent(&cmdbuf); =20 if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 =20 @@ -293,7 +281,6 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UN= USED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -328,19 +315,17 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_= UNUSED) =20 =20 if (virFirewallApply(fw) < 0) - goto cleanup; + return -1; =20 actual =3D virBufferCurrentContent(&cmdbuf); =20 if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 =20 
@@ -349,7 +334,6 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -377,7 +361,7 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); - goto cleanup; + return -1; } =20 actual =3D virBufferCurrentContent(&cmdbuf); @@ -385,12 +369,10 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUS= ED) if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 static int @@ -398,7 +380,6 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UN= USED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -446,7 +427,7 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UN= USED) =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); - goto cleanup; + return -1; } =20 actual =3D virBufferCurrentContent(&cmdbuf); @@ -454,12 +435,10 @@ testFirewallSingleRollback(const void *opaque G_GNUC_= UNUSED) if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 static int 
@@ -467,7 +446,6 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUS= ED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -518,7 +496,7 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUS= ED) =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); - goto cleanup; + return -1; } =20 actual =3D virBufferCurrentContent(&cmdbuf); @@ -526,12 +504,10 @@ testFirewallManyRollback(const void *opaque G_GNUC_UN= USED) if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 static int @@ -539,7 +515,6 @@ testFirewallChainedRollback(const void *opaque G_GNUC_U= NUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -620,7 +595,7 @@ testFirewallChainedRollback(const void *opaque G_GNUC_U= NUSED) =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); - goto cleanup; + return -1; } =20 actual =3D virBufferCurrentContent(&cmdbuf); @@ -628,12 +603,10 @@ testFirewallChainedRollback(const void *opaque G_GNUC= _UNUSED) if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 =20 
@@ -720,7 +693,6 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; g_autoptr(virFirewall) fw =3D virFirewallNew(); - int ret =3D -1; const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" 
@@ -783,24 +755,22 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) - goto cleanup; + return -1; =20 actual =3D virBufferCurrentContent(&cmdbuf); =20 if (expectedLineError) { fprintf(stderr, "Got some unexpected query data\n"); - goto cleanup; + return -1; } =20 if (STRNEQ_NULLABLE(expected, actual)) { fprintf(stderr, "Unexpected command execution\n"); virTestDifference(stderr, expected, actual); - goto cleanup; + return -1; } =20 - ret =3D 0; - cleanup: - return ret; + return 0; } =20 =20 --=20 2.33.1
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 06/12] tests: document why virgdbus must be mocked in networkxml2firewalltest.c
Date: Sun, 12 Dec 2021 14:48:24 -0500
Message-Id: <20211212194830.292379-7-laine@redhat.com>
In-Reply-To: <20211212194830.292379-1-laine@redhat.com>
References: <20211212194830.292379-1-laine@redhat.com>
List-Id: Development discussions about the libvirt library & tools
Content-Transfer-Encoding: quoted-printable

It isn't intuitive (to me) that a test just converting xml text into iptables commands should need to call dbus, so rather than forcing the next person to look through the commit logs and/or run the test under gdb to understand why this is needed, just add a short comment in the source.
Signed-off-by: Laine Stump
Reviewed-by: Michal Privoznik
---
 tests/networkxml2firewalltest.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index e4f86bc3fc..68a82e60d6 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -187,6 +187,12 @@ mymain(void) return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; } =20 +/* NB: virgdbus must be mocked because this test calls + * networkAddFirewallRules(), which will always call + * virFirewallDIsRegistered(), which calls + * virGDBusIsServiceRegistered(). + */ + VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virgdbus"), VIR_TEST_MOCK("virfirewall")) =20 --=20 2.33.1
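Review bot: in the @@ -187,6 +187,12 @@ hunk the new NB comment is followed by a blank `+` line, so it floats between `}` and VIR_TEST_MAIN_PRELOAD instead of attaching to the macro it explains; drop the blank line. The comment also names the chain of calls that reaches virGDBusIsServiceRegistered() but not what the mock prevents; one clause along the lines of "so without the mock this unit test would make a real dbus call", which is the commit message's point, would make it self-contained.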
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 07/12] util: eliminate pointless switch in virFirewallApplyRule
Date: Sun, 12 Dec 2021 14:48:25 -0500
Message-Id: <20211212194830.292379-8-laine@redhat.com>
In-Reply-To: <20211212194830.292379-1-laine@redhat.com>
References: <20211212194830.292379-1-laine@redhat.com>

Since commit b19863640 both useful cases of the switch statement in this function have made the same call (and the other/default case is just an error that can never happen). Eliminate the switch to help eliminate use of currentBackend.

Signed-off-by: Laine Stump
Reviewed-by: Michal Privoznik
---
 src/util/virfirewall.c | 25 +------------------------
 1 file changed, 1 insertion(+), 24 deletions(-)

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 1a546335f6..bb14a367d9 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -653,31 +653,8 @@ virFirewallApplyRule(virFirewall *firewall, if (rule->ignoreErrors) ignoreErrors =3D rule->ignoreErrors; =20 - switch (currentBackend) { - case VIR_FIREWALL_BACKEND_DIRECT: - if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) - return -1; - break; - case VIR_FIREWALL_BACKEND_FIREWALLD: - /* Since we are using raw iptables rules, there is no - * advantage to going through firewalld, so instead just add - * them directly rather that via dbus calls to firewalld. This - * has the useful side effect of eliminating extra unwanted - * warning messages in the system logs when trying to delete - * rules that don't exist (which is something that happens - * often when libvirtd is started, and *always* when firewalld - * is restarted) - */ - if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) - return -1; - break; - - case VIR_FIREWALL_BACKEND_AUTOMATIC: - case VIR_FIREWALL_BACKEND_LAST: - default: - virReportEnumRangeError(virFirewallBackend, currentBackend); + if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) return -1; - } =20 if (rule->queryCB && output) { if (!(lines =3D g_strsplit(output, "\n", -1))) --=20 2.33.1
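Review bot: removing the switch also removes the only written explanation of why libvirt applies its own rules directly even when firewalld is running (the "Since we are using raw iptables rules, there is no advantage to going through firewalld ..." block in the deleted VIR_FIREWALL_BACKEND_FIREWALLD case, including the point about avoiding spurious warnings in the system log when deleting rules that do not exist). Suggest keeping that paragraph as a comment directly above the remaining virFirewallApplyRuleDirect() call; the behaviour is non-obvious to anyone debugging firewalld/libvirt interaction from the logs. Also worth confirming whether virFirewallApplyRuleFirewallD() still has any caller once this switch is gone, or whether it is meant to be removed by a later patch in the series.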
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 08/12] util: simplify virFirewallBackendSynchronize()
Date: Sun, 12 Dec 2021 14:48:26 -0500
Message-Id: <20211212194830.292379-9-laine@redhat.com>
In-Reply-To: <20211212194830.292379-1-laine@redhat.com>
References: <20211212194830.292379-1-laine@redhat.com>

This function doesn't need to check for a backend - synchronization with firewalld should always be done whenever firewalld is registered and available, not just when the firewalld backend is selected.

Signed-off-by: Laine Stump
Reviewed-by: Michal Privoznik
---
 src/util/virfirewall.c | 54 ++++++++++++++++++++++++++----------------
 src/util/viriptables.c |  6 ++---
 2 files changed, 37 insertions(+), 23 deletions(-)

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index bb14a367d9..2fc9f94729 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -616,27 +616,41 @@ virFirewallBackendSynchronize(void) { const char *arg =3D "-V"; g_autofree char *output =3D NULL; + int firewallDRegistered =3D virFirewallDIsRegistered(); + + /* + * virFirewallBackendSynchronize() should be called after + * receiving an ownership-change event or reload event for + * firewalld from dbus, prior to performing any operations on the + * default table "filter". + * + * Our iptables filter rules are added to (private chains within) + * the default table named "filter", which is flushed by firewalld + * any time it is restarted or reloads its rules. libvirt watches + * for notifications that firewalld has been restarted / its rules + * reloaded, and then reloads the libvirt rules. But it's possible + * for libvirt to be notified that firewalld has restarted prior + * to firewalld completing initialization, and when that race + * happens, firewalld can potentially flush out rules that libvirt + * has just added! + * + * To prevent this, we send a simple command ("iptables -V") via + * firewalld's passthrough iptables API, and wait until it's + * finished before sending our own directly-executed iptables + * commands. This assures that firewalld has fully initialized and + * caught up with its internal queue of iptables commands, and + * won't stomp all over the new rules we subsequently add. + * + */ =20 - switch (currentBackend) { - case VIR_FIREWALL_BACKEND_DIRECT: - /* nobody to synchronize with */ - break; - case VIR_FIREWALL_BACKEND_FIREWALLD: - /* Send a simple rule via firewalld's passthrough iptables - * command so that we'll be sure firewalld has fully - * initialized and caught up with its internal queue of - * iptables commands. Waiting for this will prevent our own - * directly-executed iptables commands from being run while - * firewalld is still initializing. 
- */ - ignore_value(virFirewallDApplyRule(VIR_FIREWALL_LAYER_IPV4, - (char **)&arg, 1, true, &output= )); - VIR_DEBUG("Result of 'iptables -V' via firewalld: %s", NULLSTR(out= put)); - break; - case VIR_FIREWALL_BACKEND_AUTOMATIC: - case VIR_FIREWALL_BACKEND_LAST: - break; - } + VIR_DEBUG("Firewalld is registered ? %d", firewallDRegistered); + + if (firewallDRegistered < 0) + return; /* firewalld (or dbus?) not functional, don't sync */ + + ignore_value(virFirewallDApplyRule(VIR_FIREWALL_LAYER_IPV4, + (char **)&arg, 1, true, &output)); + VIR_DEBUG("Result of 'iptables -V' via firewalld: %s", NULLSTR(output)= ); } =20 =20 diff --git a/src/util/viriptables.c b/src/util/viriptables.c index d2bc10a652..34ce9cd018 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c 
@@ -138,10 +138,10 @@ iptablesSetupPrivateChains(virFirewallLayer layer) }; size_t i; =20 - /* When the backend is firewalld, we need to make sure that + /* When firewalld.service is active, we need to make sure that * firewalld has been fully started and completed its - * initialization, otherwise firewalld might delete our rules soon - * after we add them! + * initialization, otherwise it might delete our rules soon after + * we add them! */ virFirewallBackendSynchronize(); =20 --=20 2.33.1
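Review bot: in the virfirewall.c hunk, the result of virFirewallDApplyRule() is thrown away with ignore_value(), so if firewalld is registered but the passthrough "iptables -V" call fails, the function returns as though it had synchronized and the only trace is the VIR_DEBUG line printing NULLSTR(output). Since the whole point of the call, per the new comment, is to close the race where firewalld flushes the filter table after libvirt has added its rules, a failed passthrough deserves at least a VIR_WARN (or an explicit comment saying a failure here is acceptable and why). Separately, the "(or dbus?)" in the early-return comment reads as an open question; state which negative values virFirewallDIsRegistered() returns for "not registered" versus "dbus unavailable" so the "< 0" test is clearly intentional rather than a guess.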
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 09/12] util: move and rename virFirewallBackendSynchronize()
Date: Sun, 12 Dec 2021 14:48:27 -0500
Message-Id: <20211212194830.292379-10-laine@redhat.com>
In-Reply-To: <20211212194830.292379-1-laine@redhat.com>
References: <20211212194830.292379-1-laine@redhat.com>

This function doesn't have anything to do with manipulating virFirewall objects, but rather should be called in response to dbus events about the firewalld service. Move this function into virfirewalld.c, and rename it to virFirewallDSynchronize().
Signed-off-by: Laine Stump Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 2 +- src/util/virfirewall.c | 43 ---------------------------------------- src/util/virfirewall.h | 2 -- src/util/virfirewalld.c | 43 ++++++++++++++++++++++++++++++++++++++++ src/util/virfirewalld.h | 2 ++ src/util/viriptables.c | 3 ++- 6 files changed, 48 insertions(+), 47 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 72b38a970d..23385ec7a1 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2308,7 +2308,6 @@ virFileCacheSetPriv; # util/virfirewall.h virFirewallAddRuleFull; virFirewallApply; -virFirewallBackendSynchronize; virFirewallFree; virFirewallNew; virFirewallRemoveRule; @@ -2329,6 +2328,7 @@ virFirewallDGetVersion; virFirewallDGetZones; virFirewallDInterfaceSetZone; virFirewallDIsRegistered; +virFirewallDSynchronize; virFirewallDZoneExists; =20 =20 diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 2fc9f94729..f3172e5c96 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c 
@@ -611,49 +611,6 @@ virFirewallApplyRuleFirewallD(virFirewallRule *rule, } =20 =20 -void -virFirewallBackendSynchronize(void) -{ - const char *arg =3D "-V"; - g_autofree char *output =3D NULL; - int firewallDRegistered =3D virFirewallDIsRegistered(); - - /* - * virFirewallBackendSynchronize() should be called after - * receiving an ownership-change event or reload event for - * firewalld from dbus, prior to performing any operations on the - * default table "filter". - * - * Our iptables filter rules are added to (private chains within) - * the default table named "filter", which is flushed by firewalld - * any time it is restarted or reloads its rules. libvirt watches - * for notifications that firewalld has been restarted / its rules - * reloaded, and then reloads the libvirt rules. But it's possible - * for libvirt to be notified that firewalld has restarted prior - * to firewalld completing initialization, and when that race - * happens, firewalld can potentially flush out rules that libvirt - * has just added! - * - * To prevent this, we send a simple command ("iptables -V") via - * firewalld's passthrough iptables API, and wait until it's - * finished before sending our own directly-executed iptables - * commands. This assures that firewalld has fully initialized and - * caught up with its internal queue of iptables commands, and - * won't stomp all over the new rules we subsequently add. - * - */ - - VIR_DEBUG("Firewalld is registered ? %d", firewallDRegistered); - - if (firewallDRegistered < 0) - return; /* firewalld (or dbus?) not functional, don't sync */ - - ignore_value(virFirewallDApplyRule(VIR_FIREWALL_LAYER_IPV4, - (char **)&arg, 1, true, &output)); - VIR_DEBUG("Result of 'iptables -V' via firewalld: %s", NULLSTR(output)= ); -} - - static int virFirewallApplyRule(virFirewall *firewall, virFirewallRule *rule, diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 169d99fe2b..7448825dbc 100644 --- a/src/util/virfirewall.h 
+++ b/src/util/virfirewall.h @@ -109,6 +109,4 @@ void virFirewallStartRollback(virFirewall *firewall, =20 int virFirewallApply(virFirewall *firewall); =20 -void virFirewallBackendSynchronize(void); - G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree); diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index 3178bf4b3d..4795bf7925 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c 
@@ -368,3 +368,46 @@ virFirewallDInterfaceSetZone(const char *iface, "changeZoneOfInterface", message); } + + +void +virFirewallDSynchronize(void) +{ + const char *arg =3D "-V"; + g_autofree char *output =3D NULL; + int firewallDRegistered =3D virFirewallDIsRegistered(); + + /* + * virFirewallDSynchronize() should be called after receiving an + * ownership-change event or reload event for firewalld from dbus, + * prior to performing any operations on the default table + * "filter". + * + * Our iptables filter rules are added to (private chains within) + * the default table named "filter", which is flushed by firewalld + * any time it is restarted or reloads its rules. libvirt watches + * for notifications that firewalld has been restarted / its rules + * reloaded, and then reloads the libvirt rules. But it's possible + * for libvirt to be notified that firewalld has restarted prior + * to firewalld completing initialization, and when that race + * happens, firewalld can potentially flush out rules that libvirt + * has just added! + * + * To prevent this, we send a simple command ("iptables -V") via + * firewalld's passthrough iptables API, and wait until it's + * finished before sending our own directly-executed iptables + * commands. This assures that firewalld has fully initialized and + * caught up with its internal queue of iptables commands, and + * won't stomp all over the new rules we subsequently add. + * + */ + + VIR_DEBUG("Firewalld is registered ? %d", firewallDRegistered); + + if (firewallDRegistered < 0) + return; /* firewalld (or dbus?) not functional, don't sync */ + + ignore_value(virFirewallDApplyRule(VIR_FIREWALL_LAYER_IPV4, + (char **)&arg, 1, true, &output)); + VIR_DEBUG("Result of 'iptables -V' via firewalld: %s", NULLSTR(output)= ); +} diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h index d2db3b6f47..c396802a2f 100644 --- a/src/util/virfirewalld.h +++ b/src/util/virfirewalld.h 
@@ -41,3 +41,5 @@ int virFirewallDApplyRule(virFirewallLayer layer, =20 int virFirewallDInterfaceSetZone(const char *iface, const char *zone); + +void virFirewallDSynchronize(void); diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 34ce9cd018..7db09a0d80 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -28,6 +28,7 @@ =20 #include "internal.h" #include "viriptables.h" +#include "virfirewalld.h" #include "vircommand.h" #include "viralloc.h" #include "virerror.h" 
@@ -143,7 +144,7 @@ iptablesSetupPrivateChains(virFirewallLayer layer) * initialization, otherwise it might delete our rules soon after * we add them! */ - virFirewallBackendSynchronize(); + virFirewallDSynchronize(); =20 virFirewallStartTransaction(fw, 0); =20 --=20 2.33.1
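Review bot: the comment carried over into virFirewallDSynchronize() in the virfirewalld.c hunk says the function "should be called after receiving an ownership-change event or reload event for firewalld from dbus", but the only call site in this series is iptablesSetupPrivateChains() in viriptables.c, which runs when libvirt sets up its private chains, not from a D-Bus event handler. Either reword the comment to describe the actual caller, or say explicitly that hooking it into the firewalld D-Bus event handling is left for a later patch; as written, someone reading virfirewalld.c will look for a caller that does not exist. Minor: now that the function lives next to virFirewallDIsRegistered(), the viriptables.c comment above the call repeats the same rationale and could just point at virFirewallDSynchronize() instead.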
From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 10/12] util: remove check for iptables binary during virFirewallInit
Date: Sun, 12 Dec 2021 14:48:28 -0500
Message-Id: <20211212194830.292379-11-laine@redhat.com>
In-Reply-To: <20211212194830.292379-1-laine@redhat.com>
References: <20211212194830.292379-1-laine@redhat.com>

It's unclear exactly why this check exists; possibly a parallel to a long-removed check for the firewall-cmd binary (added to viriptables.c with the initial support for firewalld in commit bf156385a03 in 2012, and long since removed), or possibly because virFirewallOnceInit() was intended to be called at daemon startup, and it seemed like a good idea to just log this error once when trying to determine whether to use firewalld, or direct iptables commands, and then not waste time building commands that could never be executed. The odd thing is that it would sometimes result in logging an error when it couldn't find a binary that wasn't needed anyway (e.g., if all the rules were iptables rules, but ebtables and/or ip6tables weren't also installed).
If we just remove this check, then virCommandRun() will end up logging an error and failing if the needed binary isn't found when we try to execute it, which seems like it should just as good (or at least good enough, especially since we eventually want to get rid of iptables completely). So let's remove it! Signed-off-by: Laine Stump Reviewed-by: Michal Privoznik --- src/util/virfirewall.c | 25 ------------------------- 1 file changed, 25 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index f3172e5c96..1e6c667ee1 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -98,23 +98,6 @@ VIR_ONCE_GLOBAL_INIT(virFirewall); static int virFirewallValidateBackend(virFirewallBackend backend) { - const char *commands[] =3D { - IPTABLES, IP6TABLES, EBTABLES - }; - size_t i; - - for (i =3D 0; i < G_N_ELEMENTS(commands); i++) { - g_autofree char *path =3D virFindFileInPath(commands[i]); - - if (!path) { - virReportSystemError(errno, - _("%s not available, firewall backend wil= l not function"), - commands[i]); - return -1; - } - } - VIR_DEBUG("found iptables/ip6tables/ebtables"); - if (backend =3D=3D VIR_FIREWALL_BACKEND_AUTOMATIC || backend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { int rv =3D virFirewallDIsRegistered(); 
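Review bot: with the virFindFileInPath() loop gone, virFirewallValidateBackend() no longer validates anything for VIR_FIREWALL_BACKEND_DIRECT and only consults virFirewallDIsRegistered() for the AUTOMATIC and FIREWALLD cases, so the name now overstates what it does. Either rename it, or add a one-line comment that the presence of the iptables/ip6tables/ebtables binaries is deliberately left to virCommandRun() to report when a rule is actually executed, as the commit message explains. Note also that the removed VIR_DEBUG("found iptables/ip6tables/ebtables") was the only log line confirming which binaries were available; worth mentioning in the message that this diagnostic disappears.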
@@ -694,14 +677,6 @@ virFirewallApply(virFirewall *firewall) =20 virMutexLock(&ruleLock); =20 - if (currentBackend =3D=3D VIR_FIREWALL_BACKEND_AUTOMATIC) { - /* a specific backend should have been set when the firewall - * object was created. If not, it means none was found. - */ - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Failed to initialize a valid firewall backend")); - goto cleanup; - } if (!firewall || firewall->err) { int err =3D EINVAL; =20 --=20 2.33.1
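Review bot: the second hunk removes the VIR_FIREWALL_BACKEND_AUTOMATIC check in virFirewallApply() together with its "Failed to initialize a valid firewall backend" error, which was the only place a caller learned that backend selection never completed. That is consistent with patch 07, where every rule now goes through virFirewallApplyRuleDirect() regardless of backend, but the commit message only talks about the binary check; please mention this second removal (and that a backend left in the AUTOMATIC state is now harmless) so the behaviour change is visible in the history rather than only in the diff.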
From: Laine Stump To: libvir-list@redhat.com Subject: [libvirt PATCH 11/12] util: remove currentBackend from virfirewall.c Date: Sun, 12 Dec 2021 14:48:29 -0500 Message-Id: <20211212194830.292379-12-laine@redhat.com> In-Reply-To: <20211212194830.292379-1-laine@redhat.com> References: <20211212194830.292379-1-laine@redhat.com>
Since the currentBackend (direct vs. firewalld) setting is no longer used for anything, we don't need to set it (either explicitly from tests, or implicitly during init), and can completely remove it.
Signed-off-by: Laine Stump Reviewed-by: Michal Privoznik --- src/libvirt_private.syms | 1 - src/util/virfirewall.c | 50 ++------------------------------ src/util/virfirewallpriv.h | 37 ----------------------- tests/networkxml2firewalltest.c | 8 +---- tests/nwfilterebiptablestest.c | 7 ----- tests/nwfilterxml2firewalltest.c | 8 +---- tests/virfirewalltest.c | 7 ++--- 7 files changed, 6 insertions(+), 112 deletions(-) delete mode 100644 src/util/virfirewallpriv.h diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 23385ec7a1..bb90659365 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2316,7 +2316,6 @@ virFirewallRuleAddArgFormat; virFirewallRuleAddArgList; virFirewallRuleAddArgSet; virFirewallRuleGetArgCount; -virFirewallSetBackend; virFirewallStartRollback; virFirewallStartTransaction; =20 diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 1e6c667ee1..98d78857df 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -22,8 +22,7 @@ =20 #include =20 -#define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW -#include "virfirewallpriv.h" +#include "virfirewall.h" #include "virfirewalld.h" #include "viralloc.h" #include "virerror.h" 
@@ -81,61 +80,16 @@ struct _virFirewall { size_t currentGroup; }; =20 -static virFirewallBackend currentBackend =3D VIR_FIREWALL_BACKEND_AUTOMATI= C; static virMutex ruleLock =3D VIR_MUTEX_INITIALIZER; =20 -static int -virFirewallValidateBackend(virFirewallBackend backend); - static int virFirewallOnceInit(void) { - return virFirewallValidateBackend(currentBackend); -} - -VIR_ONCE_GLOBAL_INIT(virFirewall); - -static int -virFirewallValidateBackend(virFirewallBackend backend) -{ - if (backend =3D=3D VIR_FIREWALL_BACKEND_AUTOMATIC || - backend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - int rv =3D virFirewallDIsRegistered(); - - VIR_DEBUG("Firewalld is registered ? %d", rv); - - if (rv =3D=3D -1) - return -1; - - if (rv =3D=3D -2) { - if (backend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("firewalld backend requested, but service= is not running")); - return -1; - } else { - VIR_DEBUG("firewalld service not running, using direct bac= kend"); - backend =3D VIR_FIREWALL_BACKEND_DIRECT; - } - } else { - VIR_DEBUG("firewalld service running, using firewalld backend"= ); - backend =3D VIR_FIREWALL_BACKEND_FIREWALLD; - } - } - - currentBackend =3D backend; return 0; } =20 -int -virFirewallSetBackend(virFirewallBackend backend) -{ - currentBackend =3D backend; - - if (virFirewallInitialize() < 0) - return -1; +VIR_ONCE_GLOBAL_INIT(virFirewall); =20 - return virFirewallValidateBackend(backend); -} =20 static virFirewallGroup * virFirewallGroupNew(void) diff --git a/src/util/virfirewallpriv.h b/src/util/virfirewallpriv.h deleted file mode 100644 index b846f8799c..0000000000 --- a/src/util/virfirewallpriv.h +++ /dev/null 
@@ -1,37 +0,0 @@ -/* - * virfirewallpriv.h: integration with firewalls private APIs - * - * Copyright (C) 2013 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library. If not, see - * . - */ - -#ifndef LIBVIRT_VIRFIREWALLPRIV_H_ALLOW -# error "virfirewallpriv.h may only be included by virfirewall.c or test s= uites" -#endif /* LIBVIRT_VIRFIREWALLPRIV_H_ALLOW */ - -#pragma once - -#include "virfirewall.h" - -typedef enum { - VIR_FIREWALL_BACKEND_AUTOMATIC, - VIR_FIREWALL_BACKEND_DIRECT, - VIR_FIREWALL_BACKEND_FIREWALLD, - - VIR_FIREWALL_BACKEND_LAST, -} virFirewallBackend; - -int virFirewallSetBackend(virFirewallBackend backend); diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 68a82e60d6..11be85e06f 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -31,9 +31,7 @@ # include "network/bridge_driver_platform.h" # include "virbuffer.h" # include "virmock.h" - -# define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW -# include "virfirewallpriv.h" +# include "virfirewall.h" =20 # define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW # include "vircommandpriv.h" 
@@ -167,10 +165,6 @@ mymain(void) ret =3D -1; \ } while (0) =20 - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { - return EXIT_FAILURE; - } - basefile =3D g_strdup_printf("%s/networkxml2firewalldata/base.args", a= bs_srcdir); =20 if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0) diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c index 9307a10229..35c1c772ae 100644 --- a/tests/nwfilterebiptablestest.c +++ b/tests/nwfilterebiptablestest.c @@ -26,9 +26,6 @@ #include "virbuffer.h" #include "virfirewall.h" =20 -#define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW -#include "virfirewallpriv.h" - #define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW #include "vircommandpriv.h" =20 @@ -460,10 +457,6 @@ mymain(void) { int ret =3D 0; =20 - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { - return EXIT_FAILURE; - } - if (virTestRun("ebiptablesAllTeardown", testNWFilterEBIPTablesAllTeardown, NULL) < 0) diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewallt= est.c index 857214dde5..ec37a4ae11 100644 --- a/tests/nwfilterxml2firewalltest.c +++ b/tests/nwfilterxml2firewalltest.c @@ -26,9 +26,7 @@ # include "testutils.h" # include "nwfilter/nwfilter_ebiptables_driver.h" # include "virbuffer.h" - -# define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW -# include "virfirewallpriv.h" +# include "virfirewall.h" =20 # define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW # include "vircommandpriv.h" @@ -423,10 +421,6 @@ mymain(void) ret =3D -1; \ } while (0) =20 - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { - return EXIT_FAILURE; - } - DO_TEST("ah"); DO_TEST("ah-ipv6"); DO_TEST("all"); diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index 724d3081f1..8a0ca6be07 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c 
@@ -25,10 +25,10 @@ # include =20 # include "virbuffer.h" +# include "virfirewall.h" + # define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW # include "vircommandpriv.h" -# define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW -# include "virfirewallpriv.h" # define LIBVIRT_VIRFIREWALLDPRIV_H_ALLOW # include "virfirewalldpriv.h" # include "virmock.h" 
@@ -779,9 +779,6 @@ mymain(void) { int ret =3D 0; =20 - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) - return EXIT_FAILURE; - # define RUN_TEST(name, method) \ do { \ if (virTestRun(name, method, NULL) < 0) \ --=20 2.33.1
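Review bot: the @@ -81,61 hunk of src/util/virfirewall.c removes the only call to virFirewallDIsRegistered() in this file, together with the "firewalld backend requested, but service is not running" error, while the @@ -22,8 hunk keeps #include "virfirewalld.h"; if nothing else in the file uses that header after this patch, drop the include, and the commit message should say where the "is firewalld running" decision now happens, because a user who explicitly configured the firewalld backend used to get a hard failure at init and should still get one somewhere. Leaving virFirewallOnceInit() as a body that only returns 0 also makes VIR_ONCE_GLOBAL_INIT(virFirewall) a no-op; either fold its removal into this patch or note that the next patch in the series does it.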
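Review bot: removing the virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) call from mymain() in the @@ -167,10 hunk of tests/networkxml2firewalltest.c means the test no longer pins the backend before generating its expected .args output; the file keeps "virmock.h" and "vircommandpriv.h", so command execution is still mocked, but the commit message should state how the expected output stays independent of whether firewalld happens to be running on the build host, since the same removal is repeated in nwfilterebiptablestest.c, nwfilterxml2firewalltest.c and virfirewalltest.c and a host-dependent test would fail only on some CI machines.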
From: Laine Stump To: libvir-list@redhat.com Subject: [libvirt PATCH 12/12] util: remove virFirewallOnceInit() Date: Sun, 12 Dec 2021 14:48:30 -0500 Message-Id: <20211212194830.292379-13-laine@redhat.com> In-Reply-To: <20211212194830.292379-1-laine@redhat.com> References: <20211212194830.292379-1-laine@redhat.com>
There is no longer anything to initialize at binary startup time. Signed-off-by: Laine Stump Reviewed-by: Michal Privoznik --- src/util/virfirewall.c | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 98d78857df..70092f2ef6 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -82,15 +82,6 @@ struct _virFirewall { =20 static virMutex ruleLock =3D VIR_MUTEX_INITIALIZER; =20 -static int -virFirewallOnceInit(void) -{ - return 0; -} - -VIR_ONCE_GLOBAL_INIT(virFirewall); - - static virFirewallGroup * virFirewallGroupNew(void) { 
@@ -110,12 +101,7 @@ virFirewallGroupNew(void) */ virFirewall *virFirewallNew(void) { - virFirewall *firewall; - - if (virFirewallInitialize() < 0) - return NULL; - - firewall =3D g_new0(virFirewall, 1); + virFirewall *firewall =3D g_new0(virFirewall, 1); =20 return firewall; } --=20 2.33.1
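Review bot: after the @@ -110,12 hunk virFirewallNew() has no failure path left (g_new0() aborts on allocation failure rather than returning NULL), so the function can no longer return NULL; check that the doc comment whose closing "*/" sits just above the function no longer promises a NULL return on error, and note that any NULL checks at the call sites are now dead and can be dropped in a follow-up. Stylistically, the remaining body reduces to a single "return g_new0(virFirewall, 1);" instead of assigning to a local and returning it.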