From: Laine Stump
To: libvir-list@redhat.com
Subject: [libvirt PATCH 18/28] util: new functions to support adding individual rollback rules
Date: Sun, 30 Apr 2023 23:19:33 -0400
Message-Id: <20230501031943.288145-19-laine@redhat.com>
In-Reply-To: <20230501031943.288145-1-laine@redhat.com>
References: <20230501031943.288145-1-laine@redhat.com>

In the past virFirewall required all rollback rules for a group (those commands necessary to "undo" any rules that had been added in that group in case of a later failure) to be manually added by switching into "rollback mode" and then re-calling the inverse of the exact virFirewallAddRule*() APIs that had been called to add the original rules (i.e. for each --insert command, for rollback we would need to add a rule with all arguments identical except that "--insert" would be replaced by "--delete"). Because nftables can't search for rules to remove by comparing all the arguments (it instead expects *only* a handle that was issued when the rule was originally added), we want for the backends' vir*ApplyRule() functions to be able to automatically add a single rollback rule to the virFirewall object while applying its existing rules (this automatically added rule would then be able to include the handle returned by "nft add rule").
In order to make this happen, we need to be able to 1) learn whether the user of the virFirewall API desires this behavior (handled by a new transaction flag called VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK that can be retrieved with the new virFirewallTransactionGetFlags() API), and 2) add a new rule to the current group's rollback rule list (with the new virFirewallAddRollbackRule()). We will actually use these in the backends in an upcoming patch. Signed-off-by: Laine Stump --- src/libvirt_private.syms | 2 ++ src/util/virfirewall.c | 53 ++++++++++++++++++++++++++++++++++++---- src/util/virfirewall.h | 10 ++++++++ 3 files changed, 60 insertions(+), 5 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index a93143638f..df84c5520c 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2371,6 +2371,7 @@ virFileCacheSetPriv; =20 =20 # util/virfirewall.h +virFirewallAddRollbackRule; virFirewallAddRuleFull; virFirewallApply; virFirewallBackendTypeFromString; @@ -2390,6 +2391,7 @@ virFirewallRuleGetLayer; virFirewallRuleToString; virFirewallStartRollback; virFirewallStartTransaction; +virFirewallTransactionGetFlags; =20 =20 # util/virfirewalld.h diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 17acc2adc3..c59166b843 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -209,6 +209,7 @@ static virFirewallRule * virFirewallAddRuleFullV(virFirewall *firewall, virFirewallLayer layer, bool ignoreErrors, + bool isRollback, virFirewallQueryCallback cb, void *opaque, va_list args) 
@@ -225,18 +226,17 @@ virFirewallAddRuleFullV(virFirewall *firewall, } group =3D firewall->groups[firewall->currentGroup]; =20 - rule =3D g_new0(virFirewallRule, 1); =20 rule->layer =3D layer; - rule->queryCB =3D cb; - rule->queryOpaque =3D opaque; =20 while ((str =3D va_arg(args, char *)) !=3D NULL) ADD_ARG(rule, str); =20 - if (group->addingRollback) { + if (isRollback || group->addingRollback) { rule->ignoreErrors =3D true; /* always ignore errors when rolling = back */ + rule->queryCB =3D NULL; /* rollback rules can't have a callback */ + rule->queryOpaque =3D NULL; VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule); } else { /* when not rolling back, ignore errors if this group (transaction) @@ -245,6 +245,8 @@ virFirewallAddRuleFullV(virFirewall *firewall, */ rule->ignoreErrors =3D ignoreErrors || (group->actionFlags & VIR_FIREWALL_TRANSACTION_IGNORE_ERROR= S); + rule->queryCB =3D cb; + rule->queryOpaque =3D opaque; VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule); } =20 
@@ -285,7 +287,33 @@ virFirewallRule *virFirewallAddRuleFull(virFirewall *f= irewall, virFirewallRule *rule; va_list args; va_start(args, opaque); - rule =3D virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, op= aque, args); + rule =3D virFirewallAddRuleFullV(firewall, layer, ignoreErrors, false,= cb, opaque, args); + va_end(args); + return rule; +} + + +/** + * virFirewallAddRollbackRule: + * @firewall: firewall ruleset to add to + * @layer: the firewall layer to change + * @...: NULL terminated list of strings for the rule + * + * Add a rule to the current firewall group "rollback" + * ruleset. Rollback rules always ignore errors and don't support any + * callbacks. + * + * Returns the new rule + */ +virFirewallRule * +virFirewallAddRollbackRule(virFirewall *firewall, + virFirewallLayer layer, + ...) +{ + virFirewallRule *rule; + va_list args; + va_start(args, layer); + rule =3D virFirewallAddRuleFullV(firewall, layer, true, true, NULL, NU= LL, args); va_end(args); return rule; } @@ -472,6 +500,21 @@ void virFirewallStartTransaction(virFirewall *firewall, firewall->currentGroup =3D firewall->ngroups - 1; } =20 + +/** + * virFirewallTransactionGetFlags: + * @firewall: the firewall to look at + * + * Returns the virFirewallTransactionFlags for the currently active + * group (transaction) in @firewall. + */ +virFirewallTransactionFlags +virFirewallTransactionGetFlags(virFirewall *firewall) +{ + return firewall->groups[firewall->currentGroup]->actionFlags; +} + + /** * virFirewallBeginRollback: * @firewall: the firewall ruleset diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 4d03dc3b3b..f81b63567a 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h 
@@ -83,6 +83,11 @@ virFirewallRule *virFirewallAddRuleFull(virFirewall *fir= ewall, ...) G_GNUC_NULL_TERMINATED; =20 +virFirewallRule *virFirewallAddRollbackRule(virFirewall *firewall, + virFirewallLayer layer, + ...) + G_GNUC_NULL_TERMINATED; + void virFirewallRemoveRule(virFirewall *firewall, virFirewallRule *rule); =20 @@ -125,11 +130,16 @@ typedef enum { /* Ignore all errors when applying rules, so no * rollback block will be required */ VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS =3D (1 << 0), + /* Set to auto-add a rollback rule for each rule that is applied */ + VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK =3D (1 << 1), } virFirewallTransactionFlags; =20 void virFirewallStartTransaction(virFirewall *firewall, unsigned int flags); =20 +virFirewallTransactionFlags +virFirewallTransactionGetFlags(virFirewall *firewall); + typedef enum { /* Execute previous rollback block before this * one, to chain cleanup */ --=20 2.39.2
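Review bot: in the virfirewall.c hunk at -225,18 +226,17, the rollback branch now discards whatever callback the caller supplied (`rule->queryCB = NULL; /* rollback rules can't have a callback */`) even though `cb` and `opaque` are still accepted on that path, so a caller that enters rollback mode with virFirewallStartRollback() and then passes a non-NULL callback through virFirewallAddRuleFull() has it silently dropped; that is a behaviour change from the old code, which assigned `rule->queryCB = cb` unconditionally. Suggest either documenting the restriction on virFirewallAddRuleFull() or emitting a VIR_WARN when `cb != NULL` reaches the rollback branch, so the loss is not invisible. The two explicit NULL assignments are also redundant with the g_new0() allocation a few lines above; keeping them as documentation is fine, but a short comment saying so would stop a later reader from removing them.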
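Review bot: in the hunk adding virFirewallAddRollbackRule(), the doc comment says rollback rules "always ignore errors", and together with `rule->ignoreErrors = true; /* always ignore errors when rolling back */` earlier in the file this means an automatically added rollback rule whose delete command fails (a stale or wrong handle, for example) leaves the original rule in place with nothing reported to the caller. The doc comment should say explicitly that a failed rollback is not detectable by the caller, and the apply path should at least log the failed rollback command at warning level, so a partially torn-down ruleset shows up in the logs rather than staying silently in effect.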
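Review bot: in the hunk adding virFirewallTransactionGetFlags(), the body `return firewall->groups[firewall->currentGroup]->actionFlags;` has no guard for the case where no transaction has been started yet; with `ngroups == 0` (see `firewall->currentGroup = firewall->ngroups - 1;` in the same hunk's context) this indexes an empty `groups` array and reads uninitialised memory. Suggest `if (firewall->ngroups == 0) return 0;` (no flags) before the dereference, since the backends that the commit message says will call this from their apply path are the natural place for such a misuse to slip in.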
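Review bot: in the virfirewall.h hunk at -125,11 +130,16, the comment on VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK ("Set to auto-add a rollback rule for each rule that is applied") does not say who adds the rule. The commit message says it is the backend's vir*ApplyRule() function in a later patch, so with this patch alone the flag is accepted but has no effect. Suggest the comment state that the backend is responsible for adding the rollback rule via virFirewallAddRollbackRule(), and that a backend which does not honour the flag leaves the group without rollback rules, so callers should know which backends support it before relying on it.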