From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 03/12] util: rename iptables operators to something less generic
Date: Sun, 12 Dec 2021 14:48:21 -0500
Message-Id: <20211212194830.292379-4-laine@redhat.com>
In-Reply-To: <20211212194830.292379-1-laine@redhat.com>
References: <20211212194830.292379-1-laine@redhat.com>

Rather than calling these "ADD" and "REMOVE", which could be confused
with some other random items with the same names, make them more
specific by prepending "VIR_NETFILTER_" (because they will also be used
by the nftables backend) and rename them to match the iptables/nftables
operators they signify, i.e. INSERT and DELETE, just to eliminate
confusion (in particular, in case someone ever decides that we need to
also use the nftables "add" operator, which appends a rule to a chain
rather than inserting it at the beginning of the chain).

Signed-off-by: Laine Stump
---
 src/util/viriptables.c | 97 +++++++++++++++++++++++-------------------
 1 file changed, 53 insertions(+), 44 deletions(-)

diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 78d979cfe8..d2bc10a652 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -43,8 +43,8 @@ VIR_LOG_INIT("util.iptables"); #define VIR_FROM_THIS VIR_FROM_NONE =20 enum { - ADD =3D 0, - REMOVE + VIR_NETFILTER_INSERT =3D 0, + VIR_NETFILTER_DELETE }; =20 typedef struct { @@ -175,7 +175,7 @@ iptablesInput(virFirewall *fw, =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_INP", "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -199,7 +199,7 @@ iptablesOutput(virFirewall *fw, =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_OUT", "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", @@ -223,7 +223,7 @@ iptablesAddTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 1); + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); } =20 /** @@ -241,7 +241,7 @@ iptablesRemoveTcpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 1); + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); } =20 /** @@ -259,7 +259,7 @@ iptablesAddUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 0); + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); } =20 /** @@ -277,7 +277,7 @@ iptablesRemoveUdpInput(virFirewall *fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 0); + iptablesInput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); } =20 /** @@ -295,7 +295,7 @@ iptablesAddTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 1); + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 1); } =20 /** 
@@ -313,7 +313,7 @@ iptablesRemoveTcpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 1); + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 1); } =20 /** @@ -331,7 +331,7 @@ iptablesAddUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 0); + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_INSERT, 0); } =20 /** @@ -349,7 +349,7 @@ iptablesRemoveUdpOutput(virFirewall *fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, iface, port, VIR_NETFILTER_DELETE, 0); } =20 =20 @@ -374,7 +374,7 @@ iptablesForwardAllowOut(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, @@ -384,7 +384,7 @@ iptablesForwardAllowOut(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWO", "--source", networkstr, "--in-interface", iface, @@ -414,7 +414,8 @@ iptablesAddForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, AD= D); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); } =20 /** @@ -437,7 +438,8 @@ iptablesRemoveForwardAllowOut(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, RE= MOVE); + return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); } =20 =20 
@@ -462,7 +464,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, @@ -474,7 +476,7 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, @@ -506,7 +508,8 @@ iptablesAddForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, ADD); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, + VIR_NETFILTER_INSERT); } =20 /** @@ -529,7 +532,8 @@ iptablesRemoveForwardAllowRelatedIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, + VIR_NETFILTER_DELETE); } =20 /* Allow all traffic destined to the bridge, with a valid network address @@ -552,7 +556,7 @@ iptablesForwardAllowIn(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWI", "--destination", networkstr, "--in-interface", physdev, @@ -562,7 +566,7 @@ iptablesForwardAllowIn(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_FWI", "--destination", networkstr, "--out-interface", iface, 
@@ -591,7 +595,8 @@ iptablesAddForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD= ); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_INSERT); } =20 /** @@ -614,7 +619,8 @@ iptablesRemoveForwardAllowIn(virFirewall *fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REM= OVE); + return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, + VIR_NETFILTER_DELETE); } =20 static void @@ -625,7 +631,7 @@ iptablesForwardAllowCross(virFirewall *fw, { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_FWX", "--in-interface", iface, "--out-interface", iface, @@ -649,7 +655,7 @@ iptablesAddForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, ADD); + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_INSERT); } =20 /** @@ -668,7 +674,7 @@ iptablesRemoveForwardAllowCross(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, iface, VIR_NETFILTER_DELETE); } =20 static void @@ -679,7 +685,7 @@ iptablesForwardRejectOut(virFirewall *fw, { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_FWO", "--in-interface", iface, "--jump", "REJECT", @@ -701,7 +707,7 @@ iptablesAddForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, ADD); + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_INSERT); } =20 /** 
@@ -719,7 +725,7 @@ iptablesRemoveForwardRejectOut(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, iface, VIR_NETFILTER_DELETE); } =20 =20 @@ -731,7 +737,7 @@ iptablesForwardRejectIn(virFirewall *fw, { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_FWI", "--out-interface", iface, "--jump", "REJECT", @@ -753,7 +759,7 @@ iptablesAddForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, ADD); + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_INSERT); } =20 /** @@ -771,7 +777,7 @@ iptablesRemoveForwardRejectIn(virFirewall *fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, iface, VIR_NETFILTER_DELETE); } =20 =20 @@ -813,7 +819,7 @@ iptablesForwardMasquerade(virFirewall *fw, if (protocol && protocol[0]) { rule =3D virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", + action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", "LIBVIRT_PRT", "--source", networkstr, "-p", protocol, @@ -822,7 +828,7 @@ iptablesForwardMasquerade(virFirewall *fw, } else { rule =3D virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", + action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", "LIBVIRT_PRT", "--source", networkstr, "!", "--destination", networkstr, @@ -896,7 +902,8 @@ iptablesAddForwardMasquerade(virFirewall *fw, const char *protocol) { return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, ADD); + physdev, addr, port, protocol, + VIR_NETFILTER_INSERT); } =20 /** 
@@ -922,7 +929,8 @@ iptablesRemoveForwardMasquerade(virFirewall *fw, const char *protocol) { return iptablesForwardMasquerade(fw, netaddr, prefix, - physdev, addr, port, protocol, REMOVE= ); + physdev, addr, port, protocol, + VIR_NETFILTER_DELETE); } =20 =20 @@ -947,7 +955,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_PRT", "--out-interface", physdev, "--source", networkstr, @@ -957,7 +965,7 @@ iptablesForwardDontMasquerade(virFirewall *fw, else virFirewallAddRule(fw, layer, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", "LIBVIRT_PRT", "--source", networkstr, "--destination", destaddr, @@ -989,7 +997,7 @@ iptablesAddDontMasquerade(virFirewall *fw, const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, ADD); + physdev, destaddr, VIR_NETFILTER_= INSERT); } =20 /** @@ -1014,7 +1022,8 @@ iptablesRemoveDontMasquerade(virFirewall *fw, const char *destaddr) { return iptablesForwardDontMasquerade(fw, netaddr, prefix, - physdev, destaddr, REMOVE); + physdev, destaddr, + VIR_NETFILTER_DELETE); } =20 =20 @@ -1031,7 +1040,7 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action =3D=3D ADD ? "--insert" : "--delete", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", "LIBVIRT_PRT", "--out-interface", iface, "--protocol", "udp", @@ -1056,7 +1065,7 @@ iptablesAddOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_INSERT); } =20 /** 
@@ -1073,5 +1082,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewall *fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, iface, port, VIR_NETFILTER_DELETE); } --=20 2.33.1
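
Review bot: The two-way ternary `action == VIR_NETFILTER_INSERT ? "--insert" : "--delete"`, repeated in every virFirewallAddRule() call from the iptablesInput hunk (-175) through iptablesOutputFixUdpChecksum (-1031), treats any value other than VIR_NETFILTER_INSERT as a delete. The commit message itself anticipates a third operator (nftables "add"); once the enum in the -43 hunk grows one, each of these call sites would silently emit "--delete" for it. Suggest one helper that switches on the action and returns the option string, reporting an error for an unknown value, and giving the enum a typedef name so the compiler can flag an unhandled case in that switch.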
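
Review bot: Documentation gap in the wrapper hunks (iptablesAddTcpInput at -223 through iptablesRemoveOutputFixUdpChecksum at -1073): the functions keep their Add/Remove names while now passing VIR_NETFILTER_INSERT and VIR_NETFILTER_DELETE. Since the commit message distinguishes nftables "add" (append) from "insert" (beginning of the chain), the iptablesAdd*() doc comments should say that the rule is inserted at the beginning of the chain, or the commit message should note that the function names are deliberately left unchanged.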
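
Review bot: Inconsistent wrapping between the two DontMasquerade wrapper hunks: iptablesAddDontMasquerade (-989) keeps `physdev, destaddr, VIR_NETFILTER_INSERT);` on one line, while iptablesRemoveDontMasquerade (-1014) moves VIR_NETFILTER_DELETE to its own continuation line, as the other wrapped calls in this patch do (for example iptablesAddForwardMasquerade at -896). Wrap the Add variant the same way so each Add/Remove pair stays symmetrical.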