From nobody Fri Oct 18 09:16:33 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911455; cv=none; d=zohomail.com; s=zohoarc; b=X/MYwT10nm2bG4WaEyMi3nfK45C0hb2Jba4olMYn9plUT9VRktT5Hrngb6d/7cV7h9/fHDG6WmjBUoIYRK8MGMigeLzTblBg156Rch4HU5/ipP1u9J7D8QhsviqgQNI008U5++dBY6vLc5WDVU93DsxEkLgAwRGOiLcVqON2bTM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911455; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=tlWEN3ije9ggFDQpL7bUMlA81/SCKFTXrVwfTnd15qc=; b=IUXx9xxFNoQdOpk9l9oJrZAxAJIatJXdpworCTrpmaYmtZu3l3+gDD74pusWdec73Pg64HsYTei5M4ALgBuTXJvpDbkgPNyXjs6IwQxqNowFvhhHuK275YjHq7veYMZG21Y0Xp+UbrNBT2pR9YfTdInT+t0cj+JiTMIsQILGhPg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1682911455251869.8234474952138; Sun, 30 Apr 2023 20:24:15 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-141-37PXhqx1NnmywbpRh66L7g-1; Sun, 30 
Apr 2023 23:20:35 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4100D84852B; Mon, 1 May 2023 03:20:25 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2D5B840C6E67; Mon, 1 May 2023 03:20:25 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 2AD4519543B8; Mon, 1 May 2023 03:20:15 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id D3F021946589 for ; Mon, 1 May 2023 03:20:05 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 36AB2463ECF; Mon, 1 May 2023 03:19:47 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.105]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1D0B8475022 for ; Mon, 1 May 2023 03:19:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1682911454; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=tlWEN3ije9ggFDQpL7bUMlA81/SCKFTXrVwfTnd15qc=; b=PU7QEnovZb3/7bYyeAoKBZFrHlPYuHo8YhAv52jGfKiOfl6v8ru+To+oiJFMhysosPCo2L 1WgA1wc61XH7mCf65Ixgg2mg4KEDQdRJaFtoBSzz4wvD0fmmX/5aFBW4ynNorZSZ7IEoXN 78AxCq3LbBGXPY/FlWaJEW13xfUSeKw= X-MC-Unique: 37PXhqx1NnmywbpRh66L7g-1 X-Original-To: 
libvir-list@listman.corp.redhat.com From: Laine Stump To: libvir-list@redhat.com Subject: [libvirt PATCH 20/28] util: implement rollback rule autosave for iptables backend Date: Sun, 30 Apr 2023 23:19:35 -0400 Message-Id: <20230501031943.288145-21-laine@redhat.com> In-Reply-To: <20230501031943.288145-1-laine@redhat.com> References: <20230501031943.288145-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1682911455716100001 Content-Type: text/plain; charset="utf-8"; x-default="true" This isn't yet used anywhere, since VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK isn't being set. Signed-off-by: Laine Stump --- src/util/viriptables.c | 49 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 4e3188e4d1..b332c036cf 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c 
@@ -63,15 +63,21 @@ VIR_ENUM_IMPL(virIptablesAction,
"--delete",
);
=20
+#define VIR_ARG_IS_INSERT(arg) \
+ (STREQ(arg, "--insert") || STREQ(arg, "-I") \
+ || STREQ(arg, "--append") || STREQ(arg, "-A"))
=20
int
-virIptablesApplyFirewallRule(virFirewall *firewall G_GNUC_UNUSED,
+virIptablesApplyFirewallRule(virFirewall *firewall,
virFirewallRule *rule,
char **output)
{
virFirewallLayer layer =3D virFirewallRuleGetLayer(rule);
const char *bin =3D virIptablesLayerCommandTypeToString(layer);
size_t count =3D virFirewallRuleGetArgCount(rule);
+ bool checkRollback =3D (virFirewallTransactionGetFlags(firewall)
+ & VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK);
+ bool needRollback =3D false;
g_autoptr(virCommand) cmd =3D NULL;
g_autofree char *cmdStr =3D NULL;
g_autofree char *error =3D NULL;
@@ -105,8 +111,15 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_G= NUC_UNUSED,
break;
}
=20
- for (i =3D 0; i < count; i++)
- virCommandAddArg(cmd, virFirewallRuleGetArg(rule, i));
+ for (i =3D 0; i < count; i++) {
+ const char *arg =3D virFirewallRuleGetArg(rule, i);
+
+ /* the -I/-A arg could be at any position in the list */
+ if (checkRollback && VIR_ARG_IS_INSERT(arg))
+ needRollback =3D true;
+
+ virCommandAddArg(cmd, arg);
+ }
=20
cmdStr =3D virCommandToString(cmd, false);
VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr));
@@ -118,8 +131,10 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_G= NUC_UNUSED,
return -1;
=20
if (status !=3D 0) {
+ /* the command failed, decide whether or not to report it */
if (virFirewallRuleGetIgnoreErrors(rule)) {
VIR_DEBUG("Ignoring error running command");
+ return 0;
} else {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Failed to apply firewall rules %1$s: %2$s"),
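Review bot: `VIR_ARG_IS_INSERT` also matches `--append`/`-A`, so the macro name undersells what it tests; a one-line comment above the `#define` would stop a reader from assuming append rules are left out of rollback, e.g. `/* options that add a rule (insert or append); each needs a matching --delete to undo it */`, or rename it along the lines of `VIR_ARG_ADDS_RULE`. The macro also evaluates `arg` four times, which is harmless for the plain pointer it is given in this file but is the usual argument for a `static inline bool` helper instead. Dropping `G_GNUC_UNUSED` means `firewall` is now handed to `virFirewallTransactionGetFlags()` on every call; if any caller can still pass a NULL firewall that would need a guard, though nothing in the hunk shows whether that is possible.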
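Review bot: With the new `return 0;` ending the ignore-errors branch, the `else` that follows it is redundant and the `virReportError()` path could sit at the block's top level, which reads more like the rest of the function's early-return style. The added comment could also say what the two outcomes are, since the early return skips the rest of the function and so no rollback rule is recorded for a rule that did not actually apply: `/* the command failed: either ignore it (nothing to roll back) or report it */`. The function continues past the end of this hunk.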
@@ -129,6 +144,34 @@ virIptablesApplyFirewallRule(virFirewall *firewall G_G= NUC_UNUSED,
}
}
=20
+ /* the command was successful, see if we need to add a
+ * rollback rule
+ */
+
+ if (needRollback) {
+ virFirewallRule *rollback
+ =3D virFirewallAddRollbackRule(firewall, layer, NULL);
+ g_autofree char *rollbackStr =3D NULL;
+
+ for (i =3D 0; i < count; i++) {
+ const char *arg =3D virFirewallRuleGetArg(rule, i);
+
+ /* iptables --delete wants the entire commandline that
+ * was used for --insert but with s/insert/delete/
+ */
+ if (VIR_ARG_IS_INSERT(arg)) {
+ virFirewallRuleAddArg(firewall, rollback, "--delete");
+ } else {
+ virFirewallRuleAddArg(firewall, rollback, arg);
+ }
+ }
+
+ rollbackStr
+ =3D virFirewallRuleToString(virIptablesLayerCommandTypeToStrin= g(layer),
+ rollback);
+ VIR_DEBUG("Recording Rollback rule '%s'", NULLSTR(rollbackStr));
+ }
+
return 0;
}
=20
--=20 2.39.2
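Review bot: The return value of `virFirewallAddRollbackRule()` is passed straight to the `virFirewallRuleAddArg()` calls in the loop without a NULL check; if that function can return NULL (for instance once the transaction is already in an error state), the rollback rule would be silently dropped or dereferenced depending on how `virFirewallRuleAddArg()` treats a NULL rule, so a guard such as `if (!rollback) return -1;` after it would be worth adding, assuming -1 is the right convention there. Separately, the s/insert/delete/ mirroring only works for the `-I CHAIN rule-spec` form: if any rule ever passes an explicit rule number (`-I CHAIN N ...`), the generated `--delete CHAIN N ...` is not the delete-by-specification form iptables expects and may remove the wrong rule or fail, so the comment above the loop should state that rule numbers are not supported. Because the rollback is only built after the command succeeded, a failed-but-ignored rule correctly gets no rollback entry, which is worth a line in the leading comment as well.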