From nobody Fri Dec 27 01:24:29 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1732591723609862.6823223591441; Mon, 25 Nov 2024 19:28:43 -0800 (PST) Received: by lists.libvirt.org (Postfix, from userid 996) id E9FDC14A9; Mon, 25 Nov 2024 22:28:42 -0500 (EST) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 4856318FF; Mon, 25 Nov 2024 22:25:24 -0500 (EST) Received: by lists.libvirt.org (Postfix, from userid 996) id 92AA2187C; Mon, 25 Nov 2024 22:25:18 -0500 (EST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id B43571947 for ; Mon, 25 Nov 2024 22:25:03 -0500 (EST) Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-197-5NuS0QT3PHmNCmZVb8Y3Mg-1; Mon, 25 Nov 2024 22:25:01 -0500 Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 85097195608A for ; Tue, 26 Nov 2024 03:24:58 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.88.88]) by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 4D896195DF81; Tue, 26 Nov 2024 03:24:57 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-1.7 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1732591503; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UEaZwsIo6xJi1cURAXtl7mblzJI2uA93KPQ/7f+qgDo=; b=AkYZkUd+UBfiFF66YkuRUN7EqqB8YcARKRtYtY6y3qneuoyoqnuVOobuJUGP15rHrvmHQ7 uul45TZZujPFIkJpYLL+u15KkJpBVqlkIQB//nuOfMoe1E85+YCkOO44dB6yBgYVVqJ4ku yAkZuvOj5uvSd/fbfGwAancDUELHcVo= X-MC-Unique: 5NuS0QT3PHmNCmZVb8Y3Mg-1 X-Mimecast-MFC-AGG-ID: 5NuS0QT3PHmNCmZVb8Y3Mg From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v2 5/6] util: add new "tc" layer for virFirewallCmd objects Date: Mon, 25 Nov 2024 22:24:48 -0500 Message-ID: <20241126032449.912167-6-laine@redhat.com> In-Reply-To: <20241126032449.912167-1-laine@redhat.com> References: <20241126032449.912167-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-MFC-PROC-ID: Awdvv86BEmhyCxKsdkv_P5Q6w6UWN1gKESTU85NdJ9U_1732591498 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: 4KODTUEL7PYIJF47SYWRT37MB6CQ2XLV X-Message-ID-Hash: 4KODTUEL7PYIJF47SYWRT37MB6CQ2XLV X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header CC: egarver@redhat.com, mprivozn@redhat.com, psutter@redhat.com, abologna@redhat.com X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1732591725164019100 Content-Type: text/plain; charset="utf-8"; x-default="true" If the layer of a virFirewallCmd is "tc", then the "tc" utility will be executed using the arguments that had been added to the virFirewallCmd tc layer doesn't support auto-rollback command creation (any rollback needs to be added manually with virFirewallAddRollbackCmd()), and also tc layer isn't supported by the iptables backend (it would have been straightforward to add, but the iptables backend doesn't need it, and I didn't want to take the chance of causing a regression in that code for no good reason). Signed-off-by: Laine Stump --- src/network/network_nftables.c | 1 + src/util/virfirewall.c | 66 +++++++++++++++++++++------------- src/util/virfirewall.h | 1 + src/util/virfirewalld.c | 1 + 4 files changed, 44 insertions(+), 25 deletions(-) diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index f8b5ab665d..b3605bd40e 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -73,6 +73,7 @@ VIR_ENUM_IMPL(nftablesLayer, "", "ip", "ip6", + "", ); =20 =20 diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 811b787ecc..754bc18162 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -47,6 +47,7 @@ VIR_ENUM_IMPL(virFirewallLayer, "ethernet", "ipv4", "ipv6", + "tc", ); =20 typedef struct _virFirewallGroup virFirewallGroup; @@ -57,6 +58,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand, EBTABLES, IPTABLES, IP6TABLES, + TC, ); =20 struct _virFirewallCmd { @@ -591,6 +593,7 @@ virFirewallCmdIptablesApply(virFirewall *firewall, case VIR_FIREWALL_LAYER_IPV6: virCommandAddArg(cmd, "-w"); break; + case VIR_FIREWALL_LAYER_TC: case VIR_FIREWALL_LAYER_LAST: break; } @@ -672,39 +675,52 @@ virFirewallCmdNftablesApply(virFirewall *firewall G_G= NUC_UNUSED, size_t i; int status; =20 - cmd =3D virCommandNew(NFT); + if (fwCmd->layer =3D=3D VIR_FIREWALL_LAYER_TC) { =20 - if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANSACTI= ON_AUTO_ROLLBACK) && - fwCmd->argsLen > 1) { - /* skip any leading options to get to command verb */ - for (i =3D 0; i < fwCmd->argsLen - 1; i++) { - if (fwCmd->args[i][0] !=3D '-') - break; - } + /* for VIR_FIREWALL_LAYER_TC, we run the 'tc' (traffic control) co= mmand with + * the supplied args. + */ + cmd =3D virCommandNew(TC); =20 - if (i + 1 < fwCmd->argsLen && - VIR_NFTABLES_ARG_IS_CREATE(fwCmd->args[i])) { + /* NB: RAW commands don't support auto-rollback command creation */ =20 - cmdIdx =3D i; - objectType =3D fwCmd->args[i + 1]; + } else { =20 - /* we currently only handle auto-rollback for rules, - * chains, and tables, and those all can be "rolled - * back" by a delete command using the handle that is - * returned when "-ae" is added to the add/insert - * command. - */ - if (STREQ_NULLABLE(objectType, "rule") || - STREQ_NULLABLE(objectType, "chain") || - STREQ_NULLABLE(objectType, "table")) { + cmd =3D virCommandNew(NFT); =20 - needRollback =3D true; - /* this option to nft instructs it to add the - * "handle" of the created object to stdout + if ((virFirewallTransactionGetFlags(firewall) & VIR_FIREWALL_TRANS= ACTION_AUTO_ROLLBACK) && + fwCmd->argsLen > 1) { + /* skip any leading options to get to command verb */ + for (i =3D 0; i < fwCmd->argsLen - 1; i++) { + if (fwCmd->args[i][0] !=3D '-') + break; + } + + if (i + 1 < fwCmd->argsLen && + VIR_NFTABLES_ARG_IS_CREATE(fwCmd->args[i])) { + + cmdIdx =3D i; + objectType =3D fwCmd->args[i + 1]; + + /* we currently only handle auto-rollback for rules, + * chains, and tables, and those all can be "rolled + * back" by a delete command using the handle that is + * returned when "-ae" is added to the add/insert + * command. */ - virCommandAddArg(cmd, "-ae"); + if (STREQ_NULLABLE(objectType, "rule") || + STREQ_NULLABLE(objectType, "chain") || + STREQ_NULLABLE(objectType, "table")) { + + needRollback =3D true; + /* this option to nft instructs it to add the + * "handle" of the created object to stdout + */ + virCommandAddArg(cmd, "-ae"); + } } } + } =20 for (i =3D 0; i < fwCmd->argsLen; i++) diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index bce51259d2..d42e60884b 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -39,6 +39,7 @@ typedef enum { VIR_FIREWALL_LAYER_ETHERNET, VIR_FIREWALL_LAYER_IPV4, VIR_FIREWALL_LAYER_IPV6, + VIR_FIREWALL_LAYER_TC, =20 VIR_FIREWALL_LAYER_LAST, } virFirewallLayer; diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c index 0a886780ad..21a9e02061 100644 --- a/src/util/virfirewalld.c +++ b/src/util/virfirewalld.c @@ -43,6 +43,7 @@ VIR_LOG_INIT("util.firewalld"); VIR_ENUM_DECL(virFirewallLayerFirewallD); VIR_ENUM_IMPL(virFirewallLayerFirewallD, VIR_FIREWALL_LAYER_LAST, + "", "eb", "ipv4", "ipv6", --=20 2.47.0