This is an automated email from the ASF dual-hosted git repository. weizhouapache pushed a commit to branch network-namespace in repository https://gitbox.apache.org/repos/asf/cloudstack-extensions.git
commit ad1ffe766638e1b94a2a1dc7945ed0e5250a2727
Author: Wei Zhou <[email protected]>
AuthorDate: Sat Jun 27 10:21:44 2026 +0200

    NE: add custom action list-firewall-rules
---
 Network-Namespace/README.md | 1 +
 Network-Namespace/network-namespace-wrapper.sh | 23 ++++++++++++++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/Network-Namespace/README.md b/Network-Namespace/README.md
index dbc1182..30e63c5 100644
--- a/Network-Namespace/README.md
+++ b/Network-Namespace/README.md
@@ -1390,6 +1390,7 @@ Built-in actions:
 |--------|-------------|
 | `reboot-device` | Bounces the guest veth pair (`vh-<vlan>-<id>` down → up) |
 | `dump-config` | Prints namespace IP addresses, iptables rules, and per-network state to stdout |
+| `list-firewall-rules` | List iptables rules inside the namespace |
 | `pbr-create-table` | Create or update a routing-table entry in `/etc/iproute2/rt_tables` |
 | `pbr-delete-table` | Remove a routing-table entry from `/etc/iproute2/rt_tables` |
 | `pbr-list-tables` | List non-comment routing-table entries from `/etc/iproute2/rt_tables` |
diff --git a/Network-Namespace/network-namespace-wrapper.sh b/Network-Namespace/network-namespace-wrapper.sh
index e73a3b9..ad17648 100755
--- a/Network-Namespace/network-namespace-wrapper.sh
+++ b/Network-Namespace/network-namespace-wrapper.sh
@@ -3073,6 +3073,11 @@ _pbr_list_rules() {
     fi
 }
 
+_fw_list_rules() {
+    [ -z "${NAMESPACE}" ] && die "list-firewall-rules: namespace not resolved"
+    ip netns exec "${NAMESPACE}" iptables-save 2>/dev/null || true
+}
+
 _pbr_emit_custom_action_result() {
     local action="$1"
     shift
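Review bot: `_fw_list_rules` turns every failure of `iptables-save` into a success with no rules, because `2>/dev/null || true` throws away both the diagnostic and the exit status on the last line of the new function. A missing `iptables-save` binary, a namespace that disappeared between the `${NAMESPACE}` check and the `ip netns exec`, or a permission error all then look identical to an empty ruleset to whoever consumes the action result. I would keep stderr and fail loudly instead: `ip netns exec "${NAMESPACE}" iptables-save || die "list-firewall-rules: iptables-save failed in namespace '${NAMESPACE}'"`. Whether a `die` here is turned into a structured error depends on `_pbr_emit_custom_action_result`, whose body continues outside the hunk. Note also that only the IPv4 tables are dumped; if IPv6 rules are configured in the namespace, `ip6tables-save` needs the same treatment.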
@@ -3103,6 +3108,19 @@ elif action == "pbr-list-routes":
 elif action == "pbr-list-rules":
     data = [{"rule": row} for row in rows]
     print(json.dumps({"status": "success", "printmessage": "true", "message": data}))
+elif action == "list-firewall-rules":
+    tables, cur_table, cur_lines = [], None, []
+    for line in raw.splitlines():
+        line = line.rstrip()
+        if line.startswith('*'):
+            cur_table, cur_lines = line[1:], []
+        elif line == 'COMMIT':
+            if cur_table:
+                tables.append({"table": cur_table, "rules": "\n".join(cur_lines)})
+            cur_table = None
+        elif cur_table and not line.startswith('#'):
+            cur_lines.append(line)
+    print(json.dumps({"status": "success", "printmessage": "true", "message": tables}))
 else:
     msg = rows[0] if rows else f"{action}: OK"
     print(json.dumps({"status": "success", "printmessage": "true", "message": msg}))
@@ -3216,13 +3234,16 @@ cmd_custom_action() {
     pbr-list-rules)
         _pbr_emit_custom_action_result "pbr-list-rules" _pbr_list_rules
         ;;
+    list-firewall-rules)
+        _pbr_emit_custom_action_result "list-firewall-rules" _fw_list_rules
+        ;;
     *)
         local hook="${STATE_DIR}/hooks/custom-action-${ACTION_NAME}.sh"
         if [ -x "${hook}" ]; then
             exec "${hook}" --network-id "${NETWORK_ID}" --action "${ACTION_NAME}" \
                 --action-params "${ACTION_PARAMS_JSON}"
         else
-            die "Unknown action '${ACTION_NAME}'. Built-ins: reboot-device, dump-config, pbr-*"
+            die "Unknown action '${ACTION_NAME}'. Built-ins: reboot-device, dump-config, list-firewall-rules, pbr-*"
         fi
         ;;
 esac
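Review bot: The parser in the new `list-firewall-rules` branch silently drops whatever follows the last `COMMIT`, so a dump that is cut off mid-table (a killed `iptables-save`, or a table missing its trailing `COMMIT`) is still reported as `"status": "success"` with that table simply absent. Appending the still-open table after the loop keeps the data visible, `if cur_table is not None:` / `    tables.append({"table": cur_table, "rules": "\n".join(cur_lines)})`, or, if a partial dump should be treated as an error, surface that explicitly rather than returning a shorter list. Two smaller points: `rules` is one newline-joined string while the neighbouring `pbr-list-rules` branch emits one object per row, so consumers have to re-split this result, and `:CHAIN POLICY [pkts:bytes]` chain declarations land in `rules` next to the `-A` lines with nothing to tell them apart. `raw` is not defined in this hunk; I am assuming it is the unparsed stdout that the `rows` used by the other branches are derived from, and the enclosing script starts and ends outside the hunk.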
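Review bot: Placing `list-firewall-rules)` above the `*)` arm means any deployment that already ships `${STATE_DIR}/hooks/custom-action-list-firewall-rules.sh` will have that hook bypassed without notice from now on, because the built-in case matches first and the hook lookup in `*)` is never reached. If built-ins are meant to take precedence that is worth stating next to the new arm, e.g. `# built-in actions win over ${STATE_DIR}/hooks/custom-action-<name>.sh of the same name`, and in the README row; if not, the `-x "${hook}"` check could be tried before dispatching to the built-in. The hand-maintained list in the `die` message is a second place to update on every new built-in; generating it from one variable shared with the case labels would avoid it drifting again. `cmd_custom_action`'s opening line and closing brace lie outside the hunk.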
