On 04/08/2014 05:38 PM, Daniel P. Berrange wrote:
> The network and nwfilter drivers both have a need to update
> firewall rules. They currently share no code for interacting
> with iptables / firewalld. The nwfilter driver is fairly
> tied to the concept of creating shell scripts to execute
> which makes it very hard to port to talk to firewalld via
> DBus APIs.
>
> This patch introduces a virFirewallPtr object which is able
> to represent a complete sequence of rule changes, with the
> ability to have multiple transactional checkpoints with
> rollbacks. By formally separating the definition of the rules
> to be applied from the mechanism used to apply them, it is
> also possible to write a firewall engine that uses firewalld
> DBus APIs natively instead of via the slow firewalld-cmd.
>
> Signed-off-by: Daniel P. Berrange <[email protected]>
> ---
> +
> +static int
> +virFirewallOnceInit(void)
> +{
> + return virFirewallValidateBackend(currentBackend);
> +}
> +
> +VIR_ONCE_GLOBAL_INIT(virFirewall)
> +
> +static int
> +virFirewallValidateBackend(virFirewallBackend backend)
> +{
> + VIR_DEBUG("Validating backend %d", backend);
> +#if WITH_DBUS
> + if (backend == VIR_FIREWALL_BACKEND_AUTOMATIC ||
> + backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
> + int rv = virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE);
> + VIR_DEBUG("Firewalled is registered ? %d", rv);
s/Firewalled/Firewalld/
> + if (rv < 0) {
> + if (rv == -2) {
> + if (backend == VIR_FIREWALL_BACKEND_FIREWALLD) {
> + virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
> + _("firewalld firewall backend requested,
> but service is not running"));
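Review bot: the `if (rv == -2)` test in virFirewallValidateBackend compares against an undocumented sentinel; after the preceding `rv < 0` check it is the only thing separating "firewalld is not registered on the bus" from a genuine D-Bus failure, so please either name that value (a constant exported next to virDBusIsServiceRegistered) or add a comment stating that -2 means the service is absent. As written, a later change to that function's return convention would silently turn "service not running" into a misreported error, or the reverse, with no compiler help.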
> +#define VIR_FIREWALL_RETURN_IF_ERROR(firewall) \
> + if (!firewall || firewall->err) \
> + return;
> +
> +#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, ruel)\
s/ruel/rule
> + if (!firewall || firewall->err || !rule) \
> + return;
> +
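Review bot: the misspelt parameter in VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, ruel) is a latent bug rather than a cosmetic one: the body tests `rule`, not the macro's second argument, so each call site will silently check whatever variable named `rule` is in scope (or fail to compile if there is none), and a call such as VIR_FIREWALL_RULE_RETURN_IF_ERROR(fw, r) would never look at `r` at all. Renaming the parameter to `rule` fixes it. Both macros also expand to a bare `if`, so wrapping them in `do { ... } while (0)` would avoid dangling-else surprises when a caller uses them inside an if/else.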
> @@ -998,6 +999,12 @@ virfiletest_SOURCES = \
> virfiletest.c testutils.h testutils.c
> virfiletest_LDADD = $(LDADDS)
>
> +virfirewalltest_SOURCES = \
> + virfirewalltest.c testutils.h testutils.c
> +virfirewalltest_LDADD = $(LDADDS)
> +virfirewalltest_CFLAGS = $(AM_CFLAGS) $(DBUS_CFLAGS)
> +virfirewalltest_LDFLAGS = $(DRIVER_MODULE_LDFLAGS)
This breaks the test when built --without-driver-modules. As of commit
844a5c1, omitting the LDFLAGS line should be fine.
> +
> jsontest_SOURCES = \
> jsontest.c testutils.h testutils.c
> jsontest_LDADD = $(LDADDS)
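Review bot: the virfirewalltest_LDFLAGS = $(DRIVER_MODULE_LDFLAGS) line is out of step with the neighbouring targets (virfiletest and jsontest set only _SOURCES and _LDADD), and a unit test for virfirewall has no reason to need driver-module link flags; as already noted it breaks --without-driver-modules builds, so drop it. The extra $(DBUS_CFLAGS) is justified only if virfirewalltest.c includes the D-Bus headers directly; if it exercises the backend purely through the virFirewall API, that line can go as well.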
Jan
--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list
