From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH v5 10/30] util/network: new virFirewallBackend enum
Date: Fri, 17 May 2024 13:29:47 -0400
Message-ID: <20240517173007.8125-11-laine@redhat.com>
In-Reply-To: <20240517173007.8125-1-laine@redhat.com>
References: <20240517173007.8125-1-laine@redhat.com>

(This paragraph is for historical reference only, described only to avoid confusion of past use of the name with its new use.) In a past life, virFirewallBackend had been a private static in virfirewall.c that was set at daemon init time, and used to globally (i.e. for all drivers in the daemon) determine whether to directly execute iptables commands, or to run them indirectly via the firewalld passthrough API. This was removed in commit d566cc55, since we decided that using the firewalld passthrough API is never appropriate.

Now the same enum, virFirewallBackend, is being reintroduced, with a different meaning and usage pattern.
It will be used to pick between using nftables commands or iptables commands (in either case directly handled by libvirt, *not* via firewalld). Additionally, rather than being a static known only within virfirewall.c and applying to all firewall commands for all drivers, each virFirewall object will have its own backend setting, which will be set during virFirewallNew() by the driver who wants to add a firewall rule. This will allow the nwfilter and network drivers to each have their own backend setting, even when they coexist in a single unified daemon. At least as important as that, it will also allow an instance of the network driver to remove iptables rules that had been added by a previous instance, and then add nftables rules for the new instance (in the case that an admin, or possibly an update, switches the driver backend from iptables to nftables).

Initially, the enum will only have one usable value - VIR_FIREWALL_BACKEND_IPTABLES, and that will be hardcoded into all calls to virFirewallNew(). The other enum value (along with a method of setting it for each driver) will be added later, when it can be used (when the nftables backend is in the code).

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
 src/libvirt_private.syms | 3 +++
 src/network/network_iptables.c | 6 +++---
 src/nwfilter/nwfilter_ebiptables_driver.c | 16 ++++++++--------
 src/util/virebtables.c | 4 ++--
 src/util/virfirewall.c | 15 ++++++++++++++-
 src/util/virfirewall.h | 11 ++++++++++-
 tests/virfirewalltest.c | 20 ++++++++++----------
 7 files changed, 50 insertions(+), 25 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 533071d08c..6cb3003499 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2406,6 +2406,8 @@ virFileCacheSetPriv; # util/virfirewall.h virFirewallAddCmdFull; virFirewallApply; +virFirewallBackendTypeFromString; +virFirewallBackendTypeToString; virFirewallCmdAddArg; virFirewallCmdAddArgFormat; virFirewallCmdAddArgList; @@ -2413,6 +2415,7 @@ virFirewallCmdAddArgSet; virFirewallCmdGetArgCount; virFirewallCmdToString; virFirewallFree; +virFirewallGetBackend; virFirewallNew; virFirewallRemoveCmd; virFirewallStartRollback; diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index d7e749adf0..db35a4c5a0 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c @@ -131,7 +131,7 @@ iptablesPrivateChainCreate(virFirewall *fw, int iptablesSetupPrivateChains(virFirewallLayer layer) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); iptablesGlobalChain filter_chains[] =3D { {"INPUT", VIR_IPTABLES_INPUT_CHAIN}, {"OUTPUT", VIR_IPTABLES_OUTPUT_CHAIN}, @@ -1597,7 +1597,7 @@ iptablesAddFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, 0); =20 @@ -1632,7 +1632,7 @@ iptablesRemoveFirewallRules(virNetworkDef *def) { size_t i; virNetworkIPDef *ipdef; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); iptablesRemoveChecksumFirewallRules(fw, def); diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 3ef1bb576e..5082b62577 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c 
@@ -2820,7 +2820,7 @@ static int ebtablesApplyBasicRules(const char *ifname, const virMacAddr *macaddr) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); char chain[MAX_CHAINNAME_LENGTH]; char chainPrefix =3D CHAINPREFIX_HOST_IN_TEMP; char macaddr_str[VIR_MAC_STRING_BUFLEN]; @@ -2893,7 +2893,7 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, char macaddr_str[VIR_MAC_STRING_BUFLEN]; unsigned int idx =3D 0; unsigned int num_dhcpsrvrs; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virMacAddrFormat(macaddr, macaddr_str); =20 @@ -2995,7 +2995,7 @@ ebtablesApplyDropAllRules(const char *ifname) { char chain_in [MAX_CHAINNAME_LENGTH], chain_out[MAX_CHAINNAME_LENGTH]; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 if (ebiptablesAllTeardown(ifname) < 0) return -1; @@ -3042,7 +3042,7 @@ ebtablesRemoveBasicRules(const char *ifname) static int ebtablesCleanAll(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -3302,7 +3302,7 @@ ebiptablesApplyNewRules(const char *ifname, size_t nrules) { size_t i, j; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); g_autoptr(GHashTable) chains_in_set =3D virHashNew(NULL); g_autoptr(GHashTable) chains_out_set =3D virHashNew(NULL); bool haveEbtables =3D false; 
@@ -3527,7 +3527,7 @@ ebiptablesTearNewRulesFW(virFirewall *fw, const char = *ifname) static int ebiptablesTearNewRules(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -3539,7 +3539,7 @@ ebiptablesTearNewRules(const char *ifname) static int ebiptablesTearOldRules(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 @@ -3574,7 +3574,7 @@ ebiptablesTearOldRules(const char *ifname) static int ebiptablesAllTeardown(const char *ifname) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 diff --git a/src/util/virebtables.c b/src/util/virebtables.c index cabcbb3e81..8a361a2dbb 100644 --- a/src/util/virebtables.c +++ b/src/util/virebtables.c @@ -78,7 +78,7 @@ ebtablesContextFree(ebtablesContext *ctx) int ebtablesAddForwardPolicyReject(ebtablesContext *ctx) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, @@ -106,7 +106,7 @@ ebtablesForwardAllowIn(ebtablesContext *ctx, const char *macaddr, int action) { - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); =20 virFirewallStartTransaction(fw, 0); virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 56d43bfdde..77de34533d 100644 
--- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -35,6 +35,10 @@ =20 VIR_LOG_INIT("util.firewall"); =20 +VIR_ENUM_IMPL(virFirewallBackend, + VIR_FIREWALL_BACKEND_LAST, + "iptables"); + typedef struct _virFirewallGroup virFirewallGroup; =20 VIR_ENUM_DECL(virFirewallLayerCommand); @@ -77,6 +81,7 @@ struct _virFirewall { size_t ngroups; virFirewallGroup **groups; size_t currentGroup; + virFirewallBackend backend; }; =20 static virMutex fwCmdLock =3D VIR_MUTEX_INITIALIZER; @@ -98,14 +103,22 @@ virFirewallGroupNew(void) * * Returns the new firewall ruleset */ -virFirewall *virFirewallNew(void) +virFirewall *virFirewallNew(virFirewallBackend backend) { virFirewall *firewall =3D g_new0(virFirewall, 1); =20 + firewall->backend =3D backend; return firewall; } =20 =20 +virFirewallBackend +virFirewallGetBackend(virFirewall *firewall) +{ + return firewall->backend; +} + + static void virFirewallCmdFree(virFirewallCmd *fwCmd) { diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 956bf0e2bf..1ca1cce10a 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -21,6 +21,7 @@ #pragma once =20 #include "internal.h" +#include "virenum.h" =20 typedef struct _virFirewall virFirewall; =20 @@ -34,9 +35,17 @@ typedef enum { VIR_FIREWALL_LAYER_LAST, } virFirewallLayer; =20 -virFirewall *virFirewallNew(void); +typedef enum { + VIR_FIREWALL_BACKEND_IPTABLES, + + VIR_FIREWALL_BACKEND_LAST, +} virFirewallBackend; + +VIR_ENUM_DECL(virFirewallBackend); =20 +virFirewall *virFirewallNew(virFirewallBackend backend); void virFirewallFree(virFirewall *firewall); +virFirewallBackend virFirewallGetBackend(virFirewall *firewall); =20 /** * virFirewallAddCmd: diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index 45bb67cb21..38726dcc7a 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c 
@@ -62,7 +62,7 @@ static int testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -102,7 +102,7 @@ static int testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -148,7 +148,7 @@ static int testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -222,7 +222,7 @@ static int testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -275,7 +275,7 @@ static int testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" 
@@ -327,7 +327,7 @@ static int testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -372,7 +372,7 @@ static int testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -437,7 +437,7 @@ static int testFirewallManyRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -505,7 +505,7 @@ static int testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" @@ -682,7 +682,7 @@ static int testFirewallQuery(const void *opaque G_GNUC_UNUSED) { g_auto(virBuffer) cmdbuf =3D VIR_BUFFER_INITIALIZER; - g_autoptr(virFirewall) fw =3D virFirewallNew(); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_IPTA= BLES); const char *actual =3D NULL; const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" --=20 2.45.0
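Review bot: in the src/util/virebtables.c hunks (and likewise the ebtables* functions in the nwfilter_ebiptables_driver.c hunks) rulesets that are applied at VIR_FIREWALL_LAYER_ETHERNET are now created with VIR_FIREWALL_BACKEND_IPTABLES, so the enum value names the tool family rather than the iptables binary specifically. A one-line comment on VIR_FIREWALL_BACKEND_IPTABLES in virfirewall.h stating that it covers iptables, ip6tables and ebtables would stop the next reader from assuming ebtables rules are untouched by the backend choice once a second value exists.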
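Review bot: virFirewallNew() in the src/util/virfirewall.c hunk stores `backend` without any check against VIR_FIREWALL_BACKEND_LAST, and the hunk changes only the signature, so the doc comment directly above it gains no `@backend:` description. The commit message says the value will later be supplied per driver, presumably via virFirewallBackendTypeFromString(), which returns -1 for an unknown name; either document that callers must validate the value first, or reject `backend < 0 || backend >= VIR_FIREWALL_BACKEND_LAST` here, so an out-of-range value from a config file cannot be stored and later dispatched on.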
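Review bot: virFirewallGetBackend() in the src/util/virfirewall.h hunk is declared with a non-const `virFirewall *` even though the definition only reads `firewall->backend`; declaring the parameter as `const virFirewall *firewall` in both the header and the .c file lets const-correct callers query the backend without a cast.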
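Review bot: the tests/virfirewalltest.c hunks only update the ten virFirewallNew() call sites, so none of the newly exported symbols (virFirewallGetBackend, virFirewallBackendTypeToString, virFirewallBackendTypeFromString) is exercised. A small test asserting that virFirewallGetBackend() returns the value passed to virFirewallNew(), that "iptables" round-trips through virFirewallBackendTypeFromString()/virFirewallBackendTypeToString(), and that an unknown name yields -1 would pin down the enum-to-string table before the nftables value is added in a later patch.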