From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH v5 05/30] util: change name of virFirewallRule to virFirewallCmd
Date: Fri, 17 May 2024 13:29:42 -0400
Message-ID: <20240517173007.8125-6-laine@redhat.com>
In-Reply-To: <20240517173007.8125-1-laine@redhat.com>
References: <20240517173007.8125-1-laine@redhat.com>

These objects aren't rules, they are commands that are executed that may create a firewall rule, delete a firewall rule, or simply list the existing firewall rules. It's confusing for the objects to be called "Rule" (especially in the case of the function virFirewallRemoveRule(), which doesn't remove a rule from the firewall, it takes one of the objects out of the list of commands to execute! In order to remove a rule from the host's firewall, you have to Add a "rule" (now "cmd" aka command) to the list that will, when applied/run, remove a rule from the host firewall.)

Changing the name to virFirewallCmd makes it all much less confusing.
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
 src/libvirt_private.syms                  |  16 +-
 src/network/network_iptables.c            | 286 +++----
 src/nwfilter/nwfilter_ebiptables_driver.c | 988 +++++++++++-----------
 src/util/virebtables.c                    |  32 +-
 src/util/virfirewall.c                    | 223 +++--
 src/util/virfirewall.h                    |  54 +-
 tests/virfirewalltest.c                   | 404 ++++-----
 7 files changed, 1000 insertions(+), 1003 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index b006b84262..533071d08c 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2404,17 +2404,17 @@ virFileCacheSetPriv; =20 =20 # util/virfirewall.h -virFirewallAddRuleFull; +virFirewallAddCmdFull; virFirewallApply; +virFirewallCmdAddArg; +virFirewallCmdAddArgFormat; +virFirewallCmdAddArgList; +virFirewallCmdAddArgSet; +virFirewallCmdGetArgCount; +virFirewallCmdToString; virFirewallFree; virFirewallNew; -virFirewallRemoveRule; -virFirewallRuleAddArg; -virFirewallRuleAddArgFormat; -virFirewallRuleAddArgList; -virFirewallRuleAddArgSet; -virFirewallRuleGetArgCount; -virFirewallRuleToString; +virFirewallRemoveCmd; virFirewallStartRollback; virFirewallStartTransaction; =20 diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c index ac3e60b79f..5c16683cff 100644 --- a/src/network/network_iptables.c +++ b/src/network/network_iptables.c 
@@ -98,18 +98,18 @@ iptablesPrivateChainCreate(virFirewall *fw, for (i =3D 0; i < data->nchains; i++) { const char *from; if (!virHashLookup(chains, data->chains[i].child)) { - virFirewallAddRule(fw, layer, - "--table", data->table, - "--new-chain", data->chains[i].child, NULL); + virFirewallAddCmd(fw, layer, + "--table", data->table, + "--new-chain", data->chains[i].child, NULL); *data->changed =3D true; } =20 from =3D virHashLookup(links, data->chains[i].child); if (!from || STRNEQ(from, data->chains[i].parent)) - virFirewallAddRule(fw, layer, - "--table", data->table, - "--insert", data->chains[i].parent, - "--jump", data->chains[i].child, NULL); + virFirewallAddCmd(fw, layer, + "--table", data->table, + "--insert", data->chains[i].parent, + "--jump", data->chains[i].child, NULL); } =20 return 0; @@ -151,10 +151,10 @@ iptablesSetupPrivateChains(virFirewallLayer layer) virFirewallStartTransaction(fw, 0); =20 for (i =3D 0; i < G_N_ELEMENTS(data); i++) - virFirewallAddRuleFull(fw, data[i].layer, - false, iptablesPrivateChainCreate, - &(data[i]), "--table", data[i].table, - "--list-rules", NULL); + virFirewallAddCmdFull(fw, data[i].layer, + false, iptablesPrivateChainCreate, + &(data[i]), "--table", data[i].table, + "--list-rules", NULL); =20 if (virFirewallApply(fw) < 0) return -1; @@ -173,15 +173,15 @@ iptablesInput(virFirewall *fw, { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_INPUT_CHAIN, - "--in-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_INPUT_CHAIN, + "--in-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); } =20 static void 
@@ -194,15 +194,15 @@ iptablesOutput(virFirewall *fw, { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_OUTPUT_CHAIN, - "--out-interface", iface, - "--protocol", tcp ? "tcp" : "udp", - "--destination-port", portstr, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_OUTPUT_CHAIN, + "--out-interface", iface, + "--protocol", tcp ? "tcp" : "udp", + "--destination-port", portstr, + "--jump", "ACCEPT", + NULL); } =20 /** @@ -369,24 +369,24 @@ iptablesForwardAllowOut(virFirewall *fw, return -1; =20 if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_OUT_CHAIN, - "--source", networkstr, - "--in-interface", iface, - "--out-interface", physdev, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_OUT_CHAIN, + "--source", networkstr, + "--in-interface", iface, + "--out-interface", physdev, + "--jump", "ACCEPT", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_OUT_CHAIN, - "--source", networkstr, - "--in-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_OUT_CHAIN, + "--source", networkstr, + "--in-interface", iface, + "--jump", "ACCEPT", + NULL); =20 return 0; } 
@@ -459,28 +459,28 @@ iptablesForwardAllowRelatedIn(virFirewall *fw, return -1; =20 if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--out-interface", iface, - "--match", "conntrack", - "--ctstate", "ESTABLISHED,RELATED", - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--out-interface", iface, + "--match", "conntrack", + "--ctstate", "ESTABLISHED,RELATED", + "--jump", "ACCEPT", + NULL); =20 return 0; } 
@@ -551,24 +551,24 @@ iptablesForwardAllowIn(virFirewall *fw, return -1; =20 if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--in-interface", physdev, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--in-interface", physdev, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--destination", networkstr, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--destination", networkstr, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); return 0; } =20 @@ -626,14 +626,14 @@ iptablesForwardAllowCross(virFirewall *fw, const char *iface, int action) { - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_FWD_X_CHAIN, - "--in-interface", iface, - "--out-interface", iface, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_FWD_X_CHAIN, + "--in-interface", iface, + "--out-interface", iface, + "--jump", "ACCEPT", + NULL); } =20 /** 
@@ -680,13 +680,13 @@ iptablesForwardRejectOut(virFirewall *fw, const char *iface, int action) { - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_FWD_OUT_CHAIN, - "--in-interface", iface, - "--jump", "REJECT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_FWD_OUT_CHAIN, + "--in-interface", iface, + "--jump", "REJECT", + NULL); } =20 /** @@ -732,13 +732,13 @@ iptablesForwardRejectIn(virFirewall *fw, const char *iface, int action) { - virFirewallAddRule(fw, layer, - "--table", "filter", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_FWD_IN_CHAIN, - "--out-interface", iface, - "--jump", "REJECT", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "filter", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_FWD_IN_CHAIN, + "--out-interface", iface, + "--jump", "REJECT", + NULL); } =20 /** @@ -796,7 +796,7 @@ iptablesForwardMasquerade(virFirewall *fw, g_autofree char *addrEndStr =3D NULL; g_autofree char *portRangeStr =3D NULL; g_autofree char *natRangeStr =3D NULL; - virFirewallRule *rule; + virFirewallCmd *fwCmd; int af =3D VIR_SOCKET_ADDR_FAMILY(netaddr); virFirewallLayer layer =3D af =3D=3D AF_INET ? VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6; @@ -814,7 +814,7 @@ iptablesForwardMasquerade(virFirewall *fw, } =20 if (protocol && protocol[0]) { - rule =3D virFirewallAddRule(fw, layer, + fwCmd =3D virFirewallAddCmd(fw, layer, "--table", "nat", action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", VIR_IPTABLES_NAT_POSTROUTE_CHAIN, 
@@ -823,7 +823,7 @@ iptablesForwardMasquerade(virFirewall *fw, "!", "--destination", networkstr, NULL); } else { - rule =3D virFirewallAddRule(fw, layer, + fwCmd =3D virFirewallAddCmd(fw, layer, "--table", "nat", action =3D=3D VIR_NETFILTER_INSERT ? "--= insert" : "--delete", VIR_IPTABLES_NAT_POSTROUTE_CHAIN, @@ -833,7 +833,7 @@ iptablesForwardMasquerade(virFirewall *fw, } =20 if (physdev && physdev[0]) - virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NU= LL); + virFirewallCmdAddArgList(fw, fwCmd, "--out-interface", physdev, NU= LL); =20 if (protocol && protocol[0]) { if (port->start =3D=3D 0 && port->end =3D=3D 0) { @@ -861,16 +861,16 @@ iptablesForwardMasquerade(virFirewall *fw, portRangeStr ? portRangeStr : ""= ); } =20 - virFirewallRuleAddArgList(fw, rule, - "--jump", "SNAT", - "--to-source", natRangeStr, NULL); + virFirewallCmdAddArgList(fw, fwCmd, + "--jump", "SNAT", + "--to-source", natRangeStr, NULL); } else { - virFirewallRuleAddArgList(fw, rule, - "--jump", "MASQUERADE", NULL); + virFirewallCmdAddArgList(fw, fwCmd, + "--jump", "MASQUERADE", NULL); =20 if (portRangeStr && portRangeStr[0]) - virFirewallRuleAddArgList(fw, rule, - "--to-ports", &portRangeStr[1], NULL= ); + virFirewallCmdAddArgList(fw, fwCmd, + "--to-ports", &portRangeStr[1], NULL); } =20 return 0; 
@@ -950,24 +950,24 @@ iptablesForwardDontMasquerade(virFirewall *fw, return -1; =20 if (physdev && physdev[0]) - virFirewallAddRule(fw, layer, - "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_NAT_POSTROUTE_CHAIN, - "--out-interface", physdev, - "--source", networkstr, - "--destination", destaddr, - "--jump", "RETURN", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "nat", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, + "--out-interface", physdev, + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); else - virFirewallAddRule(fw, layer, - "--table", "nat", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert"= : "--delete", - VIR_IPTABLES_NAT_POSTROUTE_CHAIN, - "--source", networkstr, - "--destination", destaddr, - "--jump", "RETURN", - NULL); + virFirewallAddCmd(fw, layer, + "--table", "nat", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" = : "--delete", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, + "--source", networkstr, + "--destination", destaddr, + "--jump", "RETURN", + NULL); =20 return 0; } @@ -1032,15 +1032,15 @@ iptablesOutputFixUdpChecksum(virFirewall *fw, { g_autofree char *portstr =3D g_strdup_printf("%d", port); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "--table", "mangle", - action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "= --delete", - VIR_IPTABLES_NAT_POSTROUTE_CHAIN, - "--out-interface", iface, - "--protocol", "udp", - "--destination-port", portstr, - "--jump", "CHECKSUM", "--checksum-fill", - NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "--table", "mangle", + action =3D=3D VIR_NETFILTER_INSERT ? "--insert" : "-= -delete", + VIR_IPTABLES_NAT_POSTROUTE_CHAIN, + "--out-interface", iface, + "--protocol", "udp", + "--destination-port", portstr, + "--jump", "CHECKSUM", "--checksum-fill", + NULL); } =20 /** 
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 56bddb9097..3ef1bb576e 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -334,7 +334,7 @@ printDataTypeAsHex(virNWFilterVarCombIter *vars, =20 static int ebtablesHandleEthHdr(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, ethHdrDataDef *ethHdr, bool reverse) @@ -348,11 +348,11 @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataSrcMACAddr) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - reverse ? "-d" : "-s", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + reverse ? "-d" : "-s", + NULL); if (ENTRY_WANT_NEG_SIGN(ðHdr->dataSrcMACAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACMask)) { if (printDataType(vars, @@ -360,10 +360,10 @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataSrcMACMask) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", macaddr, macmask); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", macaddr, macmask); } else { - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, macaddr); } } =20 @@ -373,11 +373,11 @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataDstMACAddr) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - reverse ? "-s" : "-d", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + reverse ? "-s" : "-d", + NULL); if (ENTRY_WANT_NEG_SIGN(ðHdr->dataDstMACAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(ðHdr->dataDstMACMask)) { if (printDataType(vars, 
@@ -385,10 +385,10 @@ ebtablesHandleEthHdr(virFirewall *fw, ðHdr->dataDstMACMask) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", macaddr, macmask); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", macaddr, macmask); } else { - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, macaddr); } } =20 
@@ -403,38 +403,38 @@ static void iptablesCreateBaseChainsFW(virFirewall *fw, virFirewallLayer layer) { - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_OUT_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", VIRT_IN_POST_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-N", HOST_IN_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL= ); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL); - virFirewallAddRule(fw, layer, - "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NUL= L); - virFirewallAddRule(fw, layer, - "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", VIRT_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", VIRT_OUT_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", VIRT_IN_POST_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-N", HOST_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL); + virFirewallAddCmd(fw, 
layer, + "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL); + virFirewallAddCmd(fw, layer, + "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL); + virFirewallAddCmd(fw, layer, + "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL= ); + virFirewallAddCmd(fw, layer, + "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL); } =20 =20 @@ -453,8 +453,8 @@ iptablesCreateTmpRootChainFW(virFirewall *fw, =20 PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRule(fw, layer, - "-N", chain, NULL); + virFirewallAddCmd(fw, layer, + "-N", chain, NULL); } =20 =20 @@ -490,12 +490,12 @@ _iptablesRemoveRootChainFW(virFirewall *fw, =20 PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-F", chain, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-X", chain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-F", chain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-X", chain, NULL); } =20 =20 @@ -561,17 +561,17 @@ iptablesLinkTmpRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 if (incoming) - virFirewallAddRule(fw, layer, - "-A", basechain, - MATCH_PHYSDEV_IN_FW, - ifname, - "-g", chain, NULL); + virFirewallAddCmd(fw, layer, + "-A", basechain, + MATCH_PHYSDEV_IN_FW, + ifname, + "-g", chain, NULL); else - virFirewallAddRule(fw, layer, - "-A", basechain, - MATCH_PHYSDEV_OUT_FW, - ifname, - "-g", chain, NULL); + virFirewallAddCmd(fw, layer, + "-A", basechain, + MATCH_PHYSDEV_OUT_FW, + ifname, + "-g", chain, NULL); } =20 =20 
@@ -591,15 +591,15 @@ iptablesSetupVirtInPostFW(virFirewall *fw G_GNUC_UNUS= ED, virFirewallLayer layer G_GNUC_UNUSED, const char *ifname G_GNUC_UNUSED) { - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", VIRT_IN_POST_CHAIN, - MATCH_PHYSDEV_IN_FW, - ifname, "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, layer, - "-A", VIRT_IN_POST_CHAIN, - MATCH_PHYSDEV_IN_FW, - ifname, "-j", "ACCEPT", NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", VIRT_IN_POST_CHAIN, + MATCH_PHYSDEV_IN_FW, + ifname, "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, layer, + "-A", VIRT_IN_POST_CHAIN, + MATCH_PHYSDEV_IN_FW, + ifname, "-j", "ACCEPT", NULL); } =20 =20 @@ -608,11 +608,11 @@ iptablesClearVirtInPostFW(virFirewall *fw, virFirewallLayer layer, const char *ifname) { - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", VIRT_IN_POST_CHAIN, - MATCH_PHYSDEV_IN_FW, - ifname, "-j", "ACCEPT", NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", VIRT_IN_POST_CHAIN, + MATCH_PHYSDEV_IN_FW, + ifname, "-j", "ACCEPT", NULL); } =20 =20 @@ -638,19 +638,19 @@ _iptablesUnlinkRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 if (incoming) - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", basechain, - MATCH_PHYSDEV_IN_FW, ifname, - "-g", chain, - NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", basechain, + MATCH_PHYSDEV_IN_FW, ifname, + "-g", chain, + NULL); else - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", basechain, - MATCH_PHYSDEV_OUT_FW, ifname, - "-g", chain, - NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", basechain, + MATCH_PHYSDEV_OUT_FW, ifname, + "-g", chain, + NULL); =20 /* * Previous versions of libvirt may have created a rule 
@@ -658,12 +658,12 @@ _iptablesUnlinkRootChainFW(virFirewall *fw, * as well. */ if (!incoming) - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-D", basechain, - MATCH_PHYSDEV_OUT_OLD_FW, ifname, - "-g", chain, - NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-D", basechain, + MATCH_PHYSDEV_OUT_OLD_FW, ifname, + "-g", chain, + NULL); } =20 =20 @@ -735,8 +735,8 @@ iptablesRenameTmpRootChainFW(virFirewall *fw, PRINT_IPT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname); PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRule(fw, layer, - "-E", tmpchain, chain, NULL); + virFirewallAddCmd(fw, layer, + "-E", tmpchain, chain, NULL); } =20 =20 @@ -753,7 +753,7 @@ iptablesRenameTmpRootChainsFW(virFirewall *fw, =20 static int iptablesHandleSrcMacAddr(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, nwItemDesc *srcMacAddr, bool directionIn, @@ -774,15 +774,15 @@ iptablesHandleSrcMacAddr(virFirewall *fw, srcMacAddr) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "mac", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "mac", + NULL); if (ENTRY_WANT_NEG_SIGN(srcMacAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--mac-source", - macaddr, - NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--mac-source", + macaddr, + NULL); } =20 return 0; @@ -791,7 +791,7 @@ iptablesHandleSrcMacAddr(virFirewall *fw, =20 static int iptablesHandleIPHdr(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, ipHdrDataDef *ipHdr, bool directionIn, 
@@ -819,8 +819,8 @@ iptablesHandleIPHdr(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, src); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, src); =20 if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPMask)) { =20 @@ -829,10 +829,10 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataSrcIPMask) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } else if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPFrom)) { if (printDataType(vars, @@ -840,12 +840,12 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataSrcIPFrom) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "iprange", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "iprange", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPFrom)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, srcrange); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, srcrange); =20 if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPTo)) { =20 @@ -854,10 +854,10 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataSrcIPTo) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s-%s", ipaddr, ipaddralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s-%s", ipaddr, ipaddralt); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } =20 @@ -868,8 +868,8 @@ iptablesHandleIPHdr(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, dst); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, dst); =20 if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPMask)) { if (printDataType(vars, 
@@ -877,10 +877,10 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDstIPMask) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } else if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPFrom)) { if (printDataType(vars, @@ -888,12 +888,12 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDstIPFrom) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "iprange", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "iprange", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPFrom)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, dstrange); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, dstrange); =20 if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPTo)) { if (printDataType(vars, @@ -901,10 +901,10 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDstIPTo) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s-%s", ipaddr, ipaddralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s-%s", ipaddr, ipaddralt); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } =20 @@ -914,14 +914,14 @@ iptablesHandleIPHdr(virFirewall *fw, &ipHdr->dataDSCP) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "dscp", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "dscp", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDSCP)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--dscp", number, - NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--dscp", number, + NULL); } =20 if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) { 
@@ -939,7 +939,7 @@ iptablesHandleIPHdr(virFirewall *fw, =20 static int iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, ipHdrDataDef *ipHdr, bool directionIn) @@ -955,17 +955,17 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, &ipHdr->dataIPSet) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-m", "set", - "--match-set", str, - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "set", + "--match-set", str, + NULL); =20 if (printDataTypeDirection(vars, str, sizeof(str), &ipHdr->dataIPSetFlags, directionIn) < = 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, str); + virFirewallCmdAddArg(fw, fwrule, str); } =20 if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) { @@ -977,24 +977,24 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, =20 /* place connlimit after potential -m state --state ... since this is the most useful order */ - virFirewallRuleAddArgList(fw, fwrule, - "-m", "connlimit", - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "connlimit", + NULL); if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataConnlimitAbove)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--connlimit-above", number, - NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--connlimit-above", number, + NULL); } } =20 if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) { /* keep comments behind everything else -- they are packet eval. no-ops */ - virFirewallRuleAddArgList(fw, fwrule, - "-m", "comment", - "--comment", ipHdr->dataComment.u.string, - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "comment", + "--comment", ipHdr->dataComment.u.string, + NULL); } =20 return 0; 
@@ -1003,7 +1003,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw, =20 static int iptablesHandlePortData(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, virNWFilterVarCombIter *vars, portDataDef *portData, bool directionIn) @@ -1024,8 +1024,8 @@ iptablesHandlePortData(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&portData->dataSrcPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, sport); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, sport); =20 if (HAS_ENTRY_ITEM(&portData->dataSrcPortEnd)) { if (printDataType(vars, @@ -1033,10 +1033,10 @@ iptablesHandlePortData(virFirewall *fw, &portData->dataSrcPortEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", portstr, portstralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", portstr, portstralt); } else { - virFirewallRuleAddArg(fw, fwrule, portstr); + virFirewallCmdAddArg(fw, fwrule, portstr); } } =20 @@ -1047,8 +1047,8 @@ iptablesHandlePortData(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&portData->dataDstPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, dport); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, dport); =20 if (HAS_ENTRY_ITEM(&portData->dataDstPortEnd)) { if (printDataType(vars, @@ -1056,10 +1056,10 @@ iptablesHandlePortData(virFirewall *fw, &portData->dataDstPortEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", portstr, portstralt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", portstr, portstralt); } else { - virFirewallRuleAddArg(fw, fwrule, portstr); + virFirewallCmdAddArg(fw, fwrule, portstr); } } =20 
@@ -1069,18 +1069,18 @@ iptablesHandlePortData(virFirewall *fw, =20 static void iptablesEnforceDirection(virFirewall *fw, - virFirewallRule *fwrule, + virFirewallCmd *fwrule, bool directionIn, virNWFilterRuleDef *rule) { if (rule->tt !=3D VIR_NWFILTER_RULE_DIRECTION_INOUT) - virFirewallRuleAddArgList(fw, fwrule, - "-m", "conntrack", - "--ctdir", - (directionIn ? - "Reply" : - "Original"), - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "conntrack", + "--ctdir", + (directionIn ? + "Reply" : + "Original"), + NULL); } =20 =20 @@ -1123,7 +1123,7 @@ _iptablesCreateRuleInstance(virFirewall *fw, bool skipRule =3D false; bool skipMatch =3D false; bool hasICMPType =3D false; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; size_t fwruleargs; =20 PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); @@ -1131,12 +1131,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, switch ((int)rule->prtclType) { case VIR_NWFILTER_RULE_PROTOCOL_TCP: case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "tcp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "tcp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, 
@@ -1156,16 +1156,16 @@ _iptablesCreateRuleInstance(virFirewall *fw, g_autofree char *mask =3D NULL; g_autofree char *flags =3D NULL; if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPFlags)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, "--tcp-flags"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "--tcp-flags"); =20 if (!(mask =3D virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.d= ataTCPFlags.u.tcpFlags.mask))) return -1; - virFirewallRuleAddArg(fw, fwrule, mask); + virFirewallCmdAddArg(fw, fwrule, mask); =20 if (!(flags =3D virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.= dataTCPFlags.u.tcpFlags.flags))) return -1; - virFirewallRuleAddArg(fw, fwrule, flags); + virFirewallCmdAddArg(fw, fwrule, flags); } =20 if (iptablesHandlePortData(fw, fwrule, @@ -1181,21 +1181,21 @@ _iptablesCreateRuleInstance(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgList(fw, fwrule, - "--tcp-option", number, NULL); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, + "--tcp-option", number, NULL); } =20 break; =20 case VIR_NWFILTER_RULE_PROTOCOL_UDP: case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "udp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "udp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, 
@@ -1220,12 +1220,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "udplite", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "udplite", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1245,12 +1245,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_ESP: case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "esp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "esp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1270,12 +1270,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_AH: case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "ah", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "ah", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1295,12 +1295,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_SCTP: case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "sctp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "sctp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, 
@@ -1325,18 +1325,18 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_ICMP: case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + NULL); =20 if (rule->prtclType =3D=3D VIR_NWFILTER_RULE_PROTOCOL_ICMP) - virFirewallRuleAddArgList(fw, fwrule, - "-p", "icmp", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "icmp", NULL); else - virFirewallRuleAddArgList(fw, fwrule, - "-p", "icmpv6", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "icmpv6", NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1358,7 +1358,7 @@ _iptablesCreateRuleInstance(virFirewall *fw, hasICMPType =3D true; =20 if (maySkipICMP) { - virFirewallRemoveRule(fw, fwrule); + virFirewallRemoveCmd(fw, fwrule); return 0; } =20 @@ -1373,8 +1373,8 @@ _iptablesCreateRuleInstance(virFirewall *fw, return -1; =20 if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, parm); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, parm); =20 if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPCode)) { if (printDataType(vars, 
@@ -1382,21 +1382,21 @@ _iptablesCreateRuleInstance(virFirewall *fw, &rule->p.icmpHdrFilter.dataICMPCode) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_IGMP: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "igmp", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "igmp", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1416,12 +1416,12 @@ _iptablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_ALL: case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: - fwrule =3D virFirewallAddRule(fw, layer, - "-A", chain, - "-p", "all", - NULL); + fwrule =3D virFirewallAddCmd(fw, layer, + "-A", chain, + "-p", "all", + NULL); =20 - fwruleargs =3D virFirewallRuleGetArgCount(fwrule); + fwruleargs =3D virFirewallCmdGetArgCount(fwrule); =20 if (iptablesHandleSrcMacAddr(fw, fwrule, vars, @@ -1447,9 +1447,9 @@ _iptablesCreateRuleInstance(virFirewall *fw, } =20 if ((srcMacSkipped && - fwruleargs =3D=3D virFirewallRuleGetArgCount(fwrule)) || + fwruleargs =3D=3D virFirewallCmdGetArgCount(fwrule)) || skipRule) { - virFirewallRemoveRule(fw, fwrule); + virFirewallRemoveCmd(fw, fwrule); return 0; } =20 @@ -1461,10 +1461,10 @@ _iptablesCreateRuleInstance(virFirewall *fw, } =20 if (match && !skipMatch) { - virFirewallRuleAddArgList(fw, fwrule, - "-m", "conntrack", - "--ctstate", match, - NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-m", "conntrack", + "--ctstate", match, + NULL); } =20 if (defMatch && match !=3D NULL && !skipMatch && !hasICMPType) 
@@ -1478,8 +1478,8 @@ _iptablesCreateRuleInstance(virFirewall *fw, directionIn) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-j", target, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-j", target, NULL); =20 return 0; } @@ -1752,7 +1752,7 @@ ebtablesCreateRuleInstance(virFirewall *fw, char chain[MAX_CHAINNAME_LENGTH]; const char *target; bool hasMask =3D false; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; =20 if (STREQ(chainSuffix, virNWFilterChainSuffixTypeToString( @@ -1768,10 +1768,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, field, sizeof(field), \ &rule->p.STRUCT.ITEM) < 0) \ return -1; \ - virFirewallRuleAddArg(fw, fwrule, CLI); \ + virFirewallCmdAddArg(fw, fwrule, CLI); \ if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \ - virFirewallRuleAddArg(fw, fwrule, "!"); \ - virFirewallRuleAddArg(fw, fwrule, field); \ + virFirewallCmdAddArg(fw, fwrule, "!"); \ + virFirewallCmdAddArg(fw, fwrule, field); \ } =20 #define INST_ITEM_2PARMS(STRUCT, ITEM, ITEM_HI, CLI, SEP) \ @@ -1780,18 +1780,18 @@ ebtablesCreateRuleInstance(virFirewall *fw, field, sizeof(field), \ &rule->p.STRUCT.ITEM) < 0) \ return -1; \ - virFirewallRuleAddArg(fw, fwrule, CLI); \ + virFirewallCmdAddArg(fw, fwrule, CLI); \ if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \ - virFirewallRuleAddArg(fw, fwrule, "!"); \ + virFirewallCmdAddArg(fw, fwrule, "!"); \ if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \ if (printDataType(vars, \ fieldalt, sizeof(fieldalt), \ &rule->p.STRUCT.ITEM_HI) < 0) \ return -1; \ - virFirewallRuleAddArgFormat(fw, fwrule, \ - "%s%s%s", field, SEP, fieldalt= ); \ + virFirewallCmdAddArgFormat(fw, fwrule, \ + "%s%s%s", field, SEP, fieldalt)= ; \ } else { \ - virFirewallRuleAddArg(fw, fwrule, field); \ + virFirewallCmdAddArg(fw, fwrule, field); \ } \ } #define INST_ITEM_RANGE(S, I, I_HI, C) \ 
@@ -1801,9 +1801,9 @@ ebtablesCreateRuleInstance(virFirewall *fw, =20 switch ((int)rule->prtclType) { case VIR_NWFILTER_RULE_PROTOCOL_MAC: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", - "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", + "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -1816,16 +1816,16 @@ ebtablesCreateRuleInstance(virFirewall *fw, number, sizeof(number), &rule->p.ethHdrFilter.dataProtocolID) <= 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "-p"); + virFirewallCmdAddArg(fw, fwrule, "-p"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ethHdrFilter.dataProtocolID)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_VLAN: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -1833,8 +1833,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-p", "0x8100", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "0x8100", NULL); =20 INST_ITEM(vlanHdrFilter, dataVlanID, "--vlan-id") INST_ITEM(vlanHdrFilter, dataVlanEncap, "--vlan-encap") @@ -1852,8 +1852,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, return -1; } =20 - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, 
@@ -1861,8 +1861,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-d", NWFILTER_MAC_BGA, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-d", NWFILTER_MAC_BGA, NULL); =20 INST_ITEM(stpHdrFilter, dataType, "--stp-type") INST_ITEM(stpHdrFilter, dataFlags, "--stp-flags") @@ -1888,8 +1888,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, =20 case VIR_NWFILTER_RULE_PROTOCOL_ARP: case VIR_NWFILTER_RULE_PROTOCOL_RARP: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -1897,21 +1897,21 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, "-p"); - virFirewallRuleAddArgFormat(fw, fwrule, "0x%x", - (rule->prtclType =3D=3D VIR_NWFILTER_R= ULE_PROTOCOL_ARP) - ? l3_protocols[L3_PROTO_ARP_IDX].attr - : l3_protocols[L3_PROTO_RARP_IDX].attr= ); + virFirewallCmdAddArg(fw, fwrule, "-p"); + virFirewallCmdAddArgFormat(fw, fwrule, "0x%x", + (rule->prtclType =3D=3D VIR_NWFILTER_RU= LE_PROTOCOL_ARP) + ? l3_protocols[L3_PROTO_ARP_IDX].attr + : l3_protocols[L3_PROTO_RARP_IDX].attr); =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) { if (printDataType(vars, number, sizeof(number), &rule->p.arpHdrFilter.dataHWType) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--arp-htype"); + virFirewallCmdAddArg(fw, fwrule, "--arp-htype"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataHWType)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataOpcode)) { 
@@ -1919,10 +1919,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, number, sizeof(number), &rule->p.arpHdrFilter.dataOpcode) < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--arp-opcode"); + virFirewallCmdAddArg(fw, fwrule, "--arp-opcode"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataOpcode)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataProtocolType)) { @@ -1930,10 +1930,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, number, sizeof(number), &rule->p.arpHdrFilter.dataProtocolType)= < 0) return -1; - virFirewallRuleAddArg(fw, fwrule, "--arp-ptype"); + virFirewallCmdAddArg(fw, fwrule, "--arp-ptype"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataProtocolType= )) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) { @@ -1950,12 +1950,12 @@ ebtablesCreateRuleInstance(virFirewall *fw, hasMask =3D true; } =20 - virFirewallRuleAddArg(fw, fwrule, + virFirewallCmdAddArg(fw, fwrule, reverse ? "--arp-ip-dst" : "--arp-ip-src= "); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr= )) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, hasMask ? ipmask = : "32"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, hasMask ? ipmask := "32"); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) { 
@@ -1972,12 +1972,12 @@ ebtablesCreateRuleInstance(virFirewall *fw, hasMask =3D true; } =20 - virFirewallRuleAddArg(fw, fwrule, + virFirewallCmdAddArg(fw, fwrule, reverse ? "--arp-ip-src" : "--arp-ip-dst= "); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr= )) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, hasMask ? ipmask = : "32"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, hasMask ? ipmask := "32"); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) { @@ -1986,11 +1986,11 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.arpHdrFilter.dataARPSrcMACAddr) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--arp-mac-dst" : "--arp-mac-s= rc"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--arp-mac-dst" : "--arp-mac-sr= c"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcMACAdd= r)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, macaddr); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstMACAddr)) { 
@@ -1999,24 +1999,24 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.arpHdrFilter.dataARPDstMACAddr) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--arp-mac-src" : "--arp-mac-d= st"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--arp-mac-src" : "--arp-mac-ds= t"); if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAdd= r)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, macaddr); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, macaddr); } =20 if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) && rule->p.arpHdrFilter.dataGratuitousARP.u.boolean) { if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousAR= P)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, "--arp-gratuitous"); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "--arp-gratuitous"); } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_IP: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, @@ -2024,8 +2024,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-p", "ipv4", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "ipv4", NULL); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) { if (printDataType(vars, 
@@ -2033,20 +2033,20 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr) < = 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-destination" : "--ip-sou= rce"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-destination" : "--ip-sour= ce"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAd= dr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)) { if (printDataType(vars, number, sizeof(number), &rule->p.ipHdrFilter.ipHdr.dataSrcIPMask= ) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } =20 @@ -2057,20 +2057,20 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataDstIPAddr) < = 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-source" : "--ip-destinat= ion"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-source" : "--ip-destinati= on"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDstIPAd= dr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPMask)) { if (printDataType(vars, number, sizeof(number), &rule->p.ipHdrFilter.ipHdr.dataDstIPMask= ) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipaddr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipaddr); + virFirewallCmdAddArg(fw, fwrule, ipaddr); } } =20 
@@ -2080,10 +2080,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataProtocolID) <= 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, "--ip-protocol"); + virFirewallCmdAddArg(fw, fwrule, "--ip-protocol"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataProtoco= lID)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortStart)= ) { @@ -2092,10 +2092,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataSrcPortSta= rt) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-destination-port" : "--i= p-source-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-destination-port" : "--ip= -source-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataSrcP= ortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortEn= d)) { if (printDataType(vars, @@ -2103,10 +2103,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataSrcPor= tEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } =20 
@@ -2116,10 +2116,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataDstPortSta= rt) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip-source-port" : "--ip-des= tination-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip-source-port" : "--ip-dest= ination-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataDstP= ortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataDstPortEn= d)) { if (printDataType(vars, @@ -2127,10 +2127,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.portData.dataDstPor= tEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } =20 @@ -2140,16 +2140,16 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipHdrFilter.ipHdr.dataDSCP) < = 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, "--ip-tos"); + virFirewallCmdAddArg(fw, fwrule, "--ip-tos"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDSCP)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_IPV6: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); =20 if (ebtablesHandleEthHdr(fw, fwrule, vars, 
@@ -2157,8 +2157,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, reverse) < 0) return -1; =20 - virFirewallRuleAddArgList(fw, fwrule, - "-p", "ipv6", NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-p", "ipv6", NULL); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) { if (printDataType(vars, @@ -2166,20 +2166,20 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr) = < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-destination" : "--ip6-s= ource"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-destination" : "--ip6-so= urce"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIP= Addr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)= ) { if (printDataType(vars, number, sizeof(number), &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMa= sk) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipv6addr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipv6addr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipv6addr); + virFirewallCmdAddArg(fw, fwrule, ipv6addr); } } =20 
@@ -2190,20 +2190,20 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr) = < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-source" : "--ip6-destin= ation"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-source" : "--ip6-destina= tion"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataDstIP= Addr)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)= ) { if (printDataType(vars, number, sizeof(number), &rule->p.ipv6HdrFilter.ipHdr.dataDstIPMa= sk) < 0) return -1; - virFirewallRuleAddArgFormat(fw, fwrule, - "%s/%s", ipv6addr, number); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipv6addr, number); } else { - virFirewallRuleAddArg(fw, fwrule, ipv6addr); + virFirewallCmdAddArg(fw, fwrule, ipv6addr); } } =20 @@ -2213,10 +2213,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.ipHdr.dataProtocolID)= < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, "--ip6-protocol"); + virFirewallCmdAddArg(fw, fwrule, "--ip6-protocol"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataProto= colID)) - virFirewallRuleAddArg(fw, fwrule, "!"); - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); } =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortStar= t)) { 
@@ -2226,10 +2226,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataSrcPortS= tart) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-destination-port" : "--= ip6-source-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-destination-port" : "--i= p6-source-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataSr= cPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPort= End)) { if (printDataType(vars, @@ -2237,10 +2237,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataSrcP= ortEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } =20 @@ -2251,10 +2251,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataDstPortS= tart) < 0) return -1; =20 - virFirewallRuleAddArg(fw, fwrule, - reverse ? "--ip6-source-port" : "--ip6-d= estination-port"); + virFirewallCmdAddArg(fw, fwrule, + reverse ? "--ip6-source-port" : "--ip6-de= stination-port"); if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataDs= tPortStart)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataDstPort= End)) { if (printDataType(vars, @@ -2262,10 +2262,10 @@ ebtablesCreateRuleInstance(virFirewall *fw, &rule->p.ipv6HdrFilter.portData.dataDstP= ortEnd) < 0) return -1; =20 - virFirewallRuleAddArgFormat(fw, fwrule, - "%s:%s", number, numberalt); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s:%s", number, numberalt); } else { - virFirewallRuleAddArg(fw, fwrule, number); + virFirewallCmdAddArg(fw, fwrule, number); } } =20 
@@ -2277,8 +2277,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; g_autofree char *r =3D NULL; =20 - virFirewallRuleAddArg(fw, fwrule, - "--ip6-icmp-type"); + virFirewallCmdAddArg(fw, fwrule, + "--ip6-icmp-type"); =20 if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) { if (printDataType(vars, @@ -2335,17 +2335,17 @@ ebtablesCreateRuleInstance(virFirewall *fw, virBufferStrcat(&buf, numberalt, NULL); =20 if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeSta= rt)) - virFirewallRuleAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, "!"); =20 r =3D virBufferContentAndReset(&buf); =20 - virFirewallRuleAddArg(fw, fwrule, r); + virFirewallCmdAddArg(fw, fwrule, r); } break; =20 case VIR_NWFILTER_RULE_PROTOCOL_NONE: - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, NULL); break; =20 default: @@ -2370,8 +2370,8 @@ ebtablesCreateRuleInstance(virFirewall *fw, target =3D virNWFilterJumpTargetTypeToString(rule->action); } =20 - virFirewallRuleAddArgList(fw, fwrule, - "-j", target, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-j", target, NULL); =20 #undef INST_ITEM_RANGE #undef INST_ITEM_MASK @@ -2461,8 +2461,8 @@ ebtablesCreateTmpRootChainFW(virFirewall *fw, =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-N", chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-N", chain, NULL); } =20 =20 
@@ -2476,11 +2476,11 @@ ebtablesLinkTmpRootChainFW(virFirewall *fw, =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", - incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN= _OUTGOING, - incoming ? "-i" : "-o", - ifname, "-j", chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", + incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_= OUTGOING, + incoming ? "-i" : "-o", + ifname, "-j", chain, NULL); } =20 =20 @@ -2500,12 +2500,12 @@ _ebtablesRemoveRootChainFW(virFirewall *fw, =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-F", chain, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-X", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-F", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-X", chain, NULL); } =20 =20 @@ -2543,12 +2543,12 @@ _ebtablesUnlinkRootChainFW(virFirewall *fw, =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); =20 - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-D", - incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_C= HAIN_OUTGOING, - incoming ? "-i" : "-o", - ifname, "-j", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-D", + incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CH= AIN_OUTGOING, + incoming ? "-i" : "-o", + ifname, "-j", chain, NULL); } =20 =20 
@@ -2577,41 +2577,41 @@ ebtablesCreateTmpSubChainFW(virFirewall *fw, char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH]; char chainPrefix =3D incoming ? CHAINPREFIX_HOST_IN_TEMP : CHAINPREFIX_HOST_OUT_TEMP; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; =20 PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname); PRINT_CHAIN(chain, chainPrefix, ifname, (filtername) ? filtername : l3_protocols[protoidx].val); =20 - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-F", chain, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - true, NULL, NULL, - "-t", "nat", "-X", chain, NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-N", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-F", chain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + true, NULL, NULL, + "-t", "nat", "-X", chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-N", chain, NULL); =20 - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", rootchain, NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", rootchain, NULL); =20 switch ((int)protoidx) { case L2_PROTO_MAC_IDX: break; case L2_PROTO_STP_IDX: - virFirewallRuleAddArgList(fw, fwrule, - "-d", NWFILTER_MAC_BGA, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-d", NWFILTER_MAC_BGA, NULL); break; default: - virFirewallRuleAddArg(fw, fwrule, "-p"); - virFirewallRuleAddArgFormat(fw, fwrule, - "0x%04x", - l3_protocols[protoidx].attr); + virFirewallCmdAddArg(fw, fwrule, "-p"); + virFirewallCmdAddArgFormat(fw, fwrule, + "0x%04x", + l3_protocols[protoidx].attr); break; } =20 - virFirewallRuleAddArgList(fw, fwrule, - "-j", chain, NULL); + virFirewallCmdAddArgList(fw, fwrule, + "-j", chain, NULL); } =20 =20 
@@ -2636,16 +2636,16 @@ ebtablesRemoveSubChainsQuery(virFirewall *fw, if (tmp[0] =3D=3D chainprefixes[j] && tmp[1] =3D=3D '-') { VIR_DEBUG("Processing chain '%s'", tmp); - virFirewallAddRuleFull(fw, layer, - false, ebtablesRemoveSubChainsQuery, - (void *)chainprefixes, - "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-F", tmp, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-X", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + false, ebtablesRemoveSubChainsQuery, + (void *)chainprefixes, + "-t", "nat", "-L", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-F", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-X", tmp, NULL); } } } @@ -2664,10 +2664,10 @@ _ebtablesRemoveSubChainsFW(virFirewall *fw, =20 for (i =3D 0; chainprefixes[i] !=3D 0; i++) { PRINT_ROOT_CHAIN(rootchain, chainprefixes[i], ifname); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - false, ebtablesRemoveSubChainsQuery, - (void *)chainprefixes, - "-t", "nat", "-L", rootchain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, ebtablesRemoveSubChainsQuery, + (void *)chainprefixes, + "-t", "nat", "-L", rootchain, NULL); } } =20 @@ -2706,8 +2706,8 @@ ebtablesRenameTmpSubChainFW(virFirewall *fw, PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); } =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-E", tmpchain, chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-E", tmpchain, chain, NULL); } =20 static void 
@@ -2748,18 +2748,18 @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewall = *fw, else newchain[0] =3D CHAINPREFIX_HOST_OUT; VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain); - virFirewallAddRuleFull(fw, layer, - false, ebtablesRenameTmpSubAndRootChainsQue= ry, - NULL, - "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-F", newchain, NULL); - virFirewallAddRuleFull(fw, layer, - true, NULL, NULL, - "-t", "nat", "-X", newchain, NULL); - virFirewallAddRule(fw, layer, - "-t", "nat", "-E", tmp, newchain, NULL); + virFirewallAddCmdFull(fw, layer, + false, ebtablesRenameTmpSubAndRootChainsQuer= y, + NULL, + "-t", "nat", "-L", tmp, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-F", newchain, NULL); + virFirewallAddCmdFull(fw, layer, + true, NULL, NULL, + "-t", "nat", "-X", newchain, NULL); + virFirewallAddCmd(fw, layer, + "-t", "nat", "-E", tmp, newchain, NULL); } =20 return 0; @@ -2779,10 +2779,10 @@ ebtablesRenameTmpSubAndRootChainsFW(virFirewall *fw, }; for (i =3D 0; chains[i] !=3D 0; i++) { PRINT_ROOT_CHAIN(rootchain, chains[i], ifname); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, - false, ebtablesRenameTmpSubAndRootChainsQue= ry, - NULL, - "-t", "nat", "-L", rootchain, NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, ebtablesRenameTmpSubAndRootChainsQuer= y, + NULL, + "-t", "nat", "-L", rootchain, NULL); } =20 ebtablesRenameTmpRootChainFW(fw, true, ifname); 
@@ -2835,21 +2835,21 @@ ebtablesApplyBasicRules(const char *ifname, ebtablesCreateTmpRootChainFW(fw, true, ifname); =20 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-s", "!", macaddr_str, - "-j", "DROP", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-p", "IPv4", - "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-p", "ARP", - "-j", "ACCEPT", NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-s", "!", macaddr_str, + "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-p", "IPv4", + "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-p", "ARP", + "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain, + "-j", "DROP", NULL); =20 ebtablesLinkTmpRootChainFW(fw, true, ifname); ebtablesRenameTmpRootChainFW(fw, true, ifname); 
@@ -2908,16 +2908,16 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname); PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_in, - "-s", macaddr_str, - "-p", "ipv4", "--ip-protocol", "udp", - "--ip-sport", "68", "--ip-dport", "67", - "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_in, + "-s", macaddr_str, + "-p", "ipv4", "--ip-protocol", "udp", + "--ip-sport", "68", "--ip-dport", "67", + "-j", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_in, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_in, + "-j", "DROP", NULL); =20 num_dhcpsrvrs =3D (dhcpsrvrs !=3D NULL) ? virNWFilterVarValueGetCardinality(dhcpsrvrs) 
@@ -2936,20 +2936,20 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, */ for (ctr =3D 0; ctr < 2; ctr++) { if (dhcpserver) - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-d", (ctr =3D=3D 0) ? macaddr_str : "f= f:ff:ff:ff:ff:ff", - "-p", "ipv4", "--ip-protocol", "udp", - "--ip-src", dhcpserver, - "--ip-sport", "67", "--ip-dport", "68", - "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-d", (ctr =3D=3D 0) ? macaddr_str : "ff= :ff:ff:ff:ff:ff", + "-p", "ipv4", "--ip-protocol", "udp", + "--ip-src", dhcpserver, + "--ip-sport", "67", "--ip-dport", "68", + "-j", "ACCEPT", NULL); else - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-d", (ctr =3D=3D 0) ? macaddr_str : "f= f:ff:ff:ff:ff:ff", - "-p", "ipv4", "--ip-protocol", "udp", - "--ip-sport", "67", "--ip-dport", "68", - "-j", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-d", (ctr =3D=3D 0) ? macaddr_str : "ff= :ff:ff:ff:ff:ff", + "-p", "ipv4", "--ip-protocol", "udp", + "--ip-sport", "67", "--ip-dport", "68", + "-j", "ACCEPT", NULL); } =20 idx++; @@ -2958,9 +2958,9 @@ ebtablesApplyDHCPOnlyRules(const char *ifname, break; } =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-j", "DROP", NULL); =20 ebtablesLinkTmpRootChainFW(fw, true, ifname); ebtablesLinkTmpRootChainFW(fw, false, ifname); 
@@ -3008,13 +3008,13 @@ ebtablesApplyDropAllRules(const char *ifname) PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname); PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_in, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_in, + "-j", "DROP", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-t", "nat", "-A", chain_out, - "-j", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-t", "nat", "-A", chain_out, + "-j", "DROP", NULL); =20 ebtablesLinkTmpRootChainFW(fw, true, ifname); ebtablesLinkTmpRootChainFW(fw, false, ifname); diff --git a/src/util/virebtables.c b/src/util/virebtables.c index a1f5f7cf1e..cabcbb3e81 100644 --- a/src/util/virebtables.c +++ b/src/util/virebtables.c @@ -81,17 +81,17 @@ ebtablesAddForwardPolicyReject(ebtablesContext *ctx) g_autoptr(virFirewall) fw =3D virFirewallNew(); =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "--new-chain", ctx->chain, - NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "--insert", "FORWARD", - "--jump", ctx->chain, NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "--new-chain", ctx->chain, + NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "--insert", "FORWARD", + "--jump", ctx->chain, NULL); =20 virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - "-P", ctx->chain, "DROP", - NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "-P", ctx->chain, "DROP", + NULL); =20 return virFirewallApply(fw); } 
@@ -109,13 +109,13 @@ ebtablesForwardAllowIn(ebtablesContext *ctx, g_autoptr(virFirewall) fw =3D virFirewallNew(); =20 virFirewallStartTransaction(fw, 0); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, - action =3D=3D ADD ? "--insert" : "--delete", - ctx->chain, - "--in-interface", iface, - "--source", macaddr, - "--jump", "ACCEPT", - NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + action =3D=3D ADD ? "--insert" : "--delete", + ctx->chain, + "--in-interface", iface, + "--source", macaddr, + "--jump", "ACCEPT", + NULL); =20 return virFirewallApply(fw); } diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 30e73f603e..902cb8e445 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -45,7 +45,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand, IP6TABLES, ); =20 -struct _virFirewallRule { +struct _virFirewallCmd { virFirewallLayer layer; =20 virFirewallQueryCallback queryCB; @@ -62,10 +62,10 @@ struct _virFirewallGroup { unsigned int rollbackFlags; =20 size_t naction; - virFirewallRule **action; + virFirewallCmd **action; =20 size_t nrollback; - virFirewallRule **rollback; + virFirewallCmd **rollback; =20 bool addingRollback; }; @@ -79,7 +79,7 @@ struct _virFirewall { size_t currentGroup; }; =20 -static virMutex ruleLock =3D VIR_MUTEX_INITIALIZER; +static virMutex fwCmdLock =3D VIR_MUTEX_INITIALIZER; =20 static virFirewallGroup * virFirewallGroupNew(void) @@ -107,17 +107,17 @@ virFirewall *virFirewallNew(void) =20 =20 static void -virFirewallRuleFree(virFirewallRule *rule) +virFirewallCmdFree(virFirewallCmd *fwCmd) { size_t i; =20 - if (!rule) + if (!fwCmd) return; =20 - for (i =3D 0; i < rule->argsLen; i++) - g_free(rule->args[i]); - g_free(rule->args); - g_free(rule); + for (i =3D 0; i < fwCmd->argsLen; i++) + g_free(fwCmd->args[i]); + g_free(fwCmd->args); + g_free(fwCmd); } =20 =20 
@@ -130,11 +130,11 @@ virFirewallGroupFree(virFirewallGroup *group) return; =20 for (i =3D 0; i < group->naction; i++) - virFirewallRuleFree(group->action[i]); + virFirewallCmdFree(group->action[i]); g_free(group->action); =20 for (i =3D 0; i < group->nrollback; i++) - virFirewallRuleFree(group->rollback[i]); + virFirewallCmdFree(group->rollback[i]); g_free(group->rollback); =20 g_free(group); @@ -167,9 +167,9 @@ void virFirewallFree(virFirewall *firewall) return; \ } while (0) =20 -#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule)\ +#define VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd)\ do { \ - if (!firewall || firewall->err || !rule) \ + if (!firewall || firewall->err || !fwCmd) \ return; \ } while (0) =20 @@ -179,22 +179,22 @@ void virFirewallFree(virFirewall *firewall) return NULL; \ } while (0) =20 -#define ADD_ARG(rule, str) \ +#define ADD_ARG(fwCmd, str) \ do { \ - VIR_RESIZE_N(rule->args, rule->argsAlloc, rule->argsLen, 1); \ - rule->args[rule->argsLen++] =3D g_strdup(str); \ + VIR_RESIZE_N(fwCmd->args, fwCmd->argsAlloc, fwCmd->argsLen, 1); \ + fwCmd->args[fwCmd->argsLen++] =3D g_strdup(str); \ } while (0) =20 -static virFirewallRule * -virFirewallAddRuleFullV(virFirewall *firewall, - virFirewallLayer layer, - bool ignoreErrors, - virFirewallQueryCallback cb, - void *opaque, - va_list args) +static virFirewallCmd * +virFirewallAddCmdFullV(virFirewall *firewall, + virFirewallLayer layer, + bool ignoreErrors, + virFirewallQueryCallback cb, + void *opaque, + va_list args) { virFirewallGroup *group; - virFirewallRule *rule; + virFirewallCmd *fwCmd; char *str; =20 VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall); 
@@ -206,43 +206,43 @@ virFirewallAddRuleFullV(virFirewall *firewall, group =3D firewall->groups[firewall->currentGroup]; =20 =20 - rule =3D g_new0(virFirewallRule, 1); + fwCmd =3D g_new0(virFirewallCmd, 1); =20 - rule->layer =3D layer; - rule->queryCB =3D cb; - rule->queryOpaque =3D opaque; - rule->ignoreErrors =3D ignoreErrors; + fwCmd->layer =3D layer; + fwCmd->queryCB =3D cb; + fwCmd->queryOpaque =3D opaque; + fwCmd->ignoreErrors =3D ignoreErrors; =20 - switch (rule->layer) { + switch (fwCmd->layer) { case VIR_FIREWALL_LAYER_ETHERNET: - ADD_ARG(rule, "--concurrent"); + ADD_ARG(fwCmd, "--concurrent"); break; case VIR_FIREWALL_LAYER_IPV4: - ADD_ARG(rule, "-w"); + ADD_ARG(fwCmd, "-w"); break; case VIR_FIREWALL_LAYER_IPV6: - ADD_ARG(rule, "-w"); + ADD_ARG(fwCmd, "-w"); break; case VIR_FIREWALL_LAYER_LAST: break; } =20 while ((str =3D va_arg(args, char *)) !=3D NULL) - ADD_ARG(rule, str); + ADD_ARG(fwCmd, str); =20 if (group->addingRollback) { - VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule); + VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd); } else { - VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule); + VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd); } =20 =20 - return rule; + return fwCmd; } =20 =20 /** - * virFirewallAddRuleFull: + * virFirewallAddCmdFull: * @firewall: firewall ruleset to add to * @layer: the firewall layer to change * @ignoreErrors: true to ignore failure of the command @@ -253,7 +253,7 @@ virFirewallAddRuleFullV(virFirewall *firewall, * Add any type of rule to the firewall ruleset. Any output * generated by the addition will be fed into the query * callback @cb. This callback is permitted to create new - * rules by invoking the virFirewallAddRule method, but + * rules by invoking the virFirewallAddCmd method, but * is not permitted to start new transactions. * * If @ignoreErrors is set to TRUE, then any failure of 
@@ -263,31 +263,31 @@ virFirewallAddRuleFullV(virFirewall *firewall, * * Returns the new rule */ -virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, - virFirewallLayer layer, - bool ignoreErrors, - virFirewallQueryCallback cb, - void *opaque, - ...) +virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall, + virFirewallLayer layer, + bool ignoreErrors, + virFirewallQueryCallback cb, + void *opaque, + ...) { - virFirewallRule *rule; + virFirewallCmd *fwCmd; va_list args; va_start(args, opaque); - rule =3D virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, op= aque, args); + fwCmd =3D virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, op= aque, args); va_end(args); - return rule; + return fwCmd; } =20 =20 /** - * virFirewallRemoveRule: + * virFirewallRemoveCmd: * @firewall: firewall ruleset to remove from * @rule: the rule to remove * * Remove a rule from the current transaction */ -void virFirewallRemoveRule(virFirewall *firewall, - virFirewallRule *rule) +void virFirewallRemoveCmd(virFirewall *firewall, + virFirewallCmd *fwCmd) { size_t i; virFirewallGroup *group; @@ -306,21 +306,21 @@ void virFirewallRemoveRule(virFirewall *firewall, =20 if (group->addingRollback) { for (i =3D 0; i < group->nrollback; i++) { - if (group->rollback[i] =3D=3D rule) { + if (group->rollback[i] =3D=3D fwCmd) { VIR_DELETE_ELEMENT(group->rollback, i, group->nrollback); - virFirewallRuleFree(rule); + virFirewallCmdFree(fwCmd); break; } } } else { for (i =3D 0; i < group->naction; i++) { - if (group->action[i] =3D=3D rule) { + if (group->action[i] =3D=3D fwCmd) { VIR_DELETE_ELEMENT(group->action, i, group->naction); - virFirewallRuleFree(rule); + virFirewallCmdFree(fwCmd); return; } } 
@@ -328,45 +328,45 @@ void virFirewallRemoveRule(virFirewall *firewall, } =20 =20 -void virFirewallRuleAddArg(virFirewall *firewall, - virFirewallRule *rule, - const char *arg) +void virFirewallCmdAddArg(virFirewall *firewall, + virFirewallCmd *fwCmd, + const char *arg) { - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); =20 - ADD_ARG(rule, arg); + ADD_ARG(fwCmd, arg); =20 return; } =20 =20 -void virFirewallRuleAddArgFormat(virFirewall *firewall, - virFirewallRule *rule, - const char *fmt, ...) +void virFirewallCmdAddArgFormat(virFirewall *firewall, + virFirewallCmd *fwCmd, + const char *fmt, ...) { g_autofree char *arg =3D NULL; va_list list; =20 - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); =20 va_start(list, fmt); arg =3D g_strdup_vprintf(fmt, list); va_end(list); =20 - ADD_ARG(rule, arg); + ADD_ARG(fwCmd, arg); =20 return; } =20 =20 -void virFirewallRuleAddArgSet(virFirewall *firewall, - virFirewallRule *rule, - const char *const *args) +void virFirewallCmdAddArgSet(virFirewall *firewall, + virFirewallCmd *fwCmd, + const char *const *args) { - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); =20 while (*args) { - ADD_ARG(rule, *args); + ADD_ARG(fwCmd, *args); args++; } =20 @@ -374,19 +374,19 @@ void virFirewallRuleAddArgSet(virFirewall *firewall, } =20 =20 -void virFirewallRuleAddArgList(virFirewall *firewall, - virFirewallRule *rule, - ...) +void virFirewallCmdAddArgList(virFirewall *firewall, + virFirewallCmd *fwCmd, + ...) { va_list list; const char *str; =20 - VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule); + VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd); =20 - va_start(list, rule); + va_start(list, fwCmd); =20 while ((str =3D va_arg(list, char *)) !=3D NULL) - ADD_ARG(rule, str); + ADD_ARG(fwCmd, str); =20 va_end(list); =20 
@@ -394,11 +394,11 @@ void virFirewallRuleAddArgList(virFirewall *firewall, } =20 =20 -size_t virFirewallRuleGetArgCount(virFirewallRule *rule) +size_t virFirewallCmdGetArgCount(virFirewallCmd *fwCmd) { - if (!rule) + if (!fwCmd) return 0; - return rule->argsLen; + return fwCmd->argsLen; } =20 =20 @@ -462,16 +462,16 @@ void virFirewallStartRollback(virFirewall *firewall, =20 =20 char * -virFirewallRuleToString(const char *cmd, - virFirewallRule *rule) +virFirewallCmdToString(const char *cmd, + virFirewallCmd *fwCmd) { g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; size_t i; =20 virBufferAdd(&buf, cmd, -1); - for (i =3D 0; i < rule->argsLen; i++) { + for (i =3D 0; i < fwCmd->argsLen; i++) { virBufferAddLit(&buf, " "); - virBufferAdd(&buf, rule->args[i], -1); + virBufferAdd(&buf, fwCmd->args[i], -1); } =20 return virBufferContentAndReset(&buf); @@ -479,12 +479,12 @@ virFirewallRuleToString(const char *cmd, =20 =20 static int -virFirewallApplyRuleDirect(virFirewallRule *rule, - bool ignoreErrors, - char **output) +virFirewallApplyCmdDirect(virFirewallCmd *fwCmd, + bool ignoreErrors, + char **output) { size_t i; - const char *bin =3D virFirewallLayerCommandTypeToString(rule->layer); + const char *bin =3D virFirewallLayerCommandTypeToString(fwCmd->layer); g_autoptr(virCommand) cmd =3D NULL; g_autofree char *cmdStr =3D NULL; int status; 
@@ -493,17 +493,17 @@ virFirewallApplyRuleDirect(virFirewallRule *rule, if (!bin) { virReportError(VIR_ERR_INTERNAL_ERROR, _("Unknown firewall layer %1$d"), - rule->layer); + fwCmd->layer); return -1; } =20 cmd =3D virCommandNewArgList(bin, NULL); =20 - for (i =3D 0; i < rule->argsLen; i++) - virCommandAddArg(cmd, rule->args[i]); + for (i =3D 0; i < fwCmd->argsLen; i++) + virCommandAddArg(cmd, fwCmd->args[i]); =20 cmdStr =3D virCommandToString(cmd, false); - VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr)); + VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr)); =20 virCommandSetOutputBuffer(cmd, output); virCommandSetErrorBuffer(cmd, &error); @@ -516,7 +516,7 @@ virFirewallApplyRuleDirect(virFirewallRule *rule, VIR_DEBUG("Ignoring error running command"); } else { virReportError(VIR_ERR_INTERNAL_ERROR, - _("Failed to apply firewall rules %1$s: %2$s"), + _("Failed to run firewall command %1$s: %2$s"), NULLSTR(cmdStr), NULLSTR(error)); VIR_FREE(*output); return -1; 
@@ -528,30 +528,30 @@ virFirewallApplyRuleDirect(virFirewallRule *rule, =20 =20 static int -virFirewallApplyRule(virFirewall *firewall, - virFirewallRule *rule, - bool ignoreErrors) +virFirewallApplyCmd(virFirewall *firewall, + virFirewallCmd *fwCmd, + bool ignoreErrors) { g_autofree char *output =3D NULL; g_auto(GStrv) lines =3D NULL; =20 - if (rule->ignoreErrors) - ignoreErrors =3D rule->ignoreErrors; + if (fwCmd->ignoreErrors) + ignoreErrors =3D fwCmd->ignoreErrors; =20 - if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) + if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0) return -1; =20 - if (rule->queryCB && output) { + if (fwCmd->queryCB && output) { if (!(lines =3D g_strsplit(output, "\n", -1))) return -1; =20 - VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output); - if (rule->queryCB(firewall, rule->layer, (const char *const *)line= s, rule->queryOpaque) < 0) + VIR_DEBUG("Invoking query %p with '%s'", fwCmd->queryCB, output); + if (fwCmd->queryCB(firewall, fwCmd->layer, (const char *const *)li= nes, fwCmd->queryOpaque) < 0) return -1; =20 if (firewall->err) { virReportSystemError(firewall->err, "%s", - _("Unable to create rule")); + _("Unable to create firewall command")); return -1; } =20 @@ -573,9 +573,9 @@ virFirewallApplyGroup(virFirewall *firewall, firewall->currentGroup =3D idx; group->addingRollback =3D false; for (i =3D 0; i < group->naction; i++) { - if (virFirewallApplyRule(firewall, - group->action[i], - ignoreErrors) < 0) + if (virFirewallApplyCmd(firewall, + group->action[i], + ignoreErrors) < 0) return -1; } return 0; 
@@ -592,11 +592,8 @@ virFirewallRollbackGroup(virFirewall *firewall, VIR_INFO("Starting rollback for group %p", group); firewall->currentGroup =3D idx; group->addingRollback =3D true; - for (i =3D 0; i < group->nrollback; i++) { - ignore_value(virFirewallApplyRule(firewall, - group->rollback[i], - true)); - } + for (i =3D 0; i < group->nrollback; i++) + ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], tru= e)); } =20 =20 @@ -604,7 +601,7 @@ int virFirewallApply(virFirewall *firewall) { size_t i, j; - VIR_LOCK_GUARD lock =3D virLockGuardLock(&ruleLock); + VIR_LOCK_GUARD lock =3D virLockGuardLock(&fwCmdLock); =20 if (!firewall || firewall->err) { int err =3D EINVAL; @@ -612,7 +609,7 @@ virFirewallApply(virFirewall *firewall) if (firewall) err =3D firewall->err; =20 - virReportSystemError(err, "%s", _("Unable to create rule")); + virReportSystemError(err, "%s", _("Unable to create firewall comma= nd")); return -1; } =20 diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 187748b2bf..956bf0e2bf 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -24,7 +24,7 @@ =20 typedef struct _virFirewall virFirewall; =20 -typedef struct _virFirewallRule virFirewallRule; +typedef struct _virFirewallCmd virFirewallCmd; =20 typedef enum { VIR_FIREWALL_LAYER_ETHERNET, @@ -39,7 +39,7 @@ virFirewall *virFirewallNew(void); void virFirewallFree(virFirewall *firewall); =20 /** - * virFirewallAddRule: + * virFirewallAddCmd: * @firewall: firewall ruleset to add to * @layer: the firewall layer to change * @...: NULL terminated list of strings for the rule 
@@ -48,49 +48,49 @@ void virFirewallFree(virFirewall *firewall); * * Returns the new rule */ -#define virFirewallAddRule(firewall, layer, ...) \ - virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_A= RGS__) +#define virFirewallAddCmd(firewall, layer, ...) \ + virFirewallAddCmdFull(firewall, layer, false, NULL, NULL, __VA_AR= GS__) =20 typedef int (*virFirewallQueryCallback)(virFirewall *firewall, virFirewallLayer layer, const char *const *lines, void *opaque); =20 -virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall, - virFirewallLayer layer, - bool ignoreErrors, - virFirewallQueryCallback cb, - void *opaque, - ...) +virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall, + virFirewallLayer layer, + bool ignoreErrors, + virFirewallQueryCallback cb, + void *opaque, + ...) G_GNUC_NULL_TERMINATED; =20 -void virFirewallRemoveRule(virFirewall *firewall, - virFirewallRule *rule); +void virFirewallRemoveCmd(virFirewall *firewall, + virFirewallCmd *rule); =20 -void virFirewallRuleAddArg(virFirewall *firewall, - virFirewallRule *rule, - const char *arg) +void virFirewallCmdAddArg(virFirewall *firewall, + virFirewallCmd *rule, + const char *arg) ATTRIBUTE_NONNULL(3); =20 -void virFirewallRuleAddArgFormat(virFirewall *firewall, - virFirewallRule *rule, - const char *fmt, ...) +void virFirewallCmdAddArgFormat(virFirewall *firewall, + virFirewallCmd *rule, + const char *fmt, ...) ATTRIBUTE_NONNULL(3) G_GNUC_PRINTF(3, 4); =20 -void virFirewallRuleAddArgSet(virFirewall *firewall, - virFirewallRule *rule, - const char *const *args) +void virFirewallCmdAddArgSet(virFirewall *firewall, + virFirewallCmd *rule, + const char *const *args) ATTRIBUTE_NONNULL(3); =20 -void virFirewallRuleAddArgList(virFirewall *firewall, - virFirewallRule *rule, - ...) +void virFirewallCmdAddArgList(virFirewall *firewall, + virFirewallCmd *rule, + ...) 
G_GNUC_NULL_TERMINATED; =20 -size_t virFirewallRuleGetArgCount(virFirewallRule *rule); +size_t virFirewallCmdGetArgCount(virFirewallCmd *rule); =20 -char *virFirewallRuleToString(const char *cmd, - virFirewallRule *rule); +char *virFirewallCmdToString(const char *cmd, + virFirewallCmd *rule); =20 typedef enum { /* Ignore all errors when applying rules, so no diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index e676a434c8..45bb67cb21 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -74,15 +74,15 @@ testFirewallSingleGroup(const void *opaque G_GNUC_UNUSE= D) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) return -1; 
@@ -107,28 +107,28 @@ testFirewallRemoveRule(const void *opaque G_GNUC_UNUS= ED) const char *expected =3D IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n"; - virFirewallRule *fwrule; + virFirewallCmd *fwrule; g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); =20 virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", NULL); - virFirewallRuleAddArg(fw, fwrule, "--source"); - virFirewallRemoveRule(fw, fwrule); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", NULL); + virFirewallCmdAddArg(fw, fwrule, "--source"); + virFirewallRemoveCmd(fw, fwrule); =20 - fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", NULL); - virFirewallRuleAddArg(fw, fwrule, "--source"); - virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1"); - virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL); + fwrule =3D virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", NULL); + virFirewallCmdAddArg(fw, fwrule, "--source"); + virFirewallCmdAddArgFormat(fw, fwrule, "%s", "!192.168.122.1"); + virFirewallCmdAddArgList(fw, fwrule, "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) return -1; 
@@ -161,26 +161,26 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUS= ED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--jump", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--jump", "DROP", NULL); =20 =20 if (virFirewallApply(fw) < 0) 
@@ -235,26 +235,26 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC= _UNUSED) =20 virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--jump", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--jump", "DROP", NULL); =20 =20 if (virFirewallApply(fw) < 0) 
@@ -288,25 +288,25 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_= UNUSED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - true, NULL, NULL, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4, + true, NULL, NULL, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "OUTPUT", - "--jump", "DROP", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "OUTPUT", + "--jump", "DROP", NULL); =20 =20 if (virFirewallApply(fw) < 0) 
@@ -338,20 +338,20 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUS= ED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); 
@@ -386,37 +386,37 @@ testFirewallSingleRollback(const void *opaque G_GNUC_= UNUSED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); 
@@ -450,41 +450,41 @@ testFirewallManyRollback(const void *opaque G_GNUC_UN= USED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); 
@@ -522,67 +522,67 @@ testFirewallChainedRollback(const void *opaque G_GNUC= _UNUSED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.127", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.127", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.127", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.127", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, 
VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "192.168.122.255", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "192.168.122.255", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-D", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-D", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { fprintf(stderr, "Firewall apply unexpectedly worked\n"); @@ -656,10 +656,10 @@ testFirewallQueryCallback(virFirewall *fw, void *opaque G_GNUC_UNUSED) { size_t i; - virFirewallAddRule(fw, layer, - "-A", "INPUT", - "--source", "!192.168.122.129", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, layer, + "-A", "INPUT", + "--source", "!192.168.122.129", + "--jump", "REJECT", NULL); =20 for (i =3D 0; lines[i] !=3D NULL; i++) { if (expectedLineNum >=3D G_N_ELEMENTS(expectedLines)) { 
@@ -703,46 +703,46 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.1", - "--jump", "ACCEPT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.1", + "--jump", "ACCEPT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.127", - "--jump", "REJECT", NULL); - - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - false, - testFirewallQueryCallback, - NULL, - "-L", NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, - false, - testFirewallQueryCallback, - NULL, + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.127", + "--jump", "REJECT", NULL); + + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4, + false, + testFirewallQueryCallback, + NULL, + "-L", NULL); + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4, + false, + testFirewallQueryCallback, + NULL, "-t", "nat", "-L", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.130", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.130", + "--jump", "REJECT", NULL); =20 =20 virFirewallStartTransaction(fw, 0); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "192.168.122.128", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "192.168.122.128", + "--jump", "REJECT", NULL); =20 - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, - "-A", "INPUT", - "--source", "!192.168.122.1", - "--jump", "REJECT", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4, + "-A", "INPUT", + "--source", "!192.168.122.1", + "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) return -1; 
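Review bot: In the testFirewallIgnoreFailRule hunk the rewritten virFirewallAddCmdFull call still passes `true, NULL, NULL` as bare positional arguments, so a reader has to infer from the test name what the boolean controls; since this call is being re-indented anyway, a one-line comment on those three arguments would help, particularly because the comparable virFirewallAddCmdFull calls in the testFirewallQuery hunk pass `false` plus `testFirewallQueryCallback` in the same positions, which makes the contrast between the two usages the whole point of these tests.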
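Review bot: For the testFirewallQuery hunk, and the rename as a whole, please confirm with a grep over tests/ that no virFirewallAddRule or virFirewallAddRuleFull caller is left behind, since the new name is one character shorter and every hunk re-indents the continuation lines, which makes a missed call site easy to overlook in review; in the hunks shown the argument lists of each `-`/`+` pair are identical (including the unchanged `"-t", "nat", "-L", NULL);` context line between the two virFirewallAddCmdFull calls), so the change is otherwise a pure mechanical rename.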
-- 
2.45.0