shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-11 09:17:52 +03:00
Code Releases Activity
c0ae4919e3
libvirt/tests/virfirewalltest.c

1101 lines
35 KiB
C
Raw Normal View History

Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
/*
* Copyright (C) 2013-2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include "testutils.h"
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 22:43:58 +04:00
#if defined(__linux__)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
# include <gio/gio.h>
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 22:43:58 +04:00
# include "virbuffer.h"
Enforce a standard header file guard symbol name Require that all headers are guarded by a symbol named LIBVIRT_$FILENAME where $FILENAME is the uppercased filename, with all characters outside a-z changed into '_'. Note we do not use a leading __ because that is technically a namespace reserved for the toolchain. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-12-13 17:53:50 +03:00
# define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 22:43:58 +04:00
# include "vircommandpriv.h"
Enforce a standard header file guard symbol name Require that all headers are guarded by a symbol named LIBVIRT_$FILENAME where $FILENAME is the uppercased filename, with all characters outside a-z changed into '_'. Note we do not use a leading __ because that is technically a namespace reserved for the toolchain. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-12-13 17:53:50 +03:00
# define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 22:43:58 +04:00
# include "virfirewallpriv.h"
util: move all firewalld-specific stuff into its own files In preparation for adding several other firewalld-specific functions, separate the code that's unique to firewalld from the more-generic "firewall" file. Signed-off-by: Laine Stump <laine@laine.org> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-01-09 22:11:32 +03:00
# define LIBVIRT_VIRFIREWALLDPRIV_H_ALLOW
# include "virfirewalldpriv.h"
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 22:43:58 +04:00
# include "virmock.h"
# define VIR_FROM_THIS VIR_FROM_FIREWALL
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
static bool fwDisabled = true;
static virBufferPtr fwBuf;
static bool fwError;
Remove backslash alignment attempts Right-aligning backslashes when defining macros or using complex commands in Makefiles looks cute, but as soon as any changes is required to the code you end up with either distractingly broken alignment or unnecessarily big diffs where most of the changes are just pushing all backslashes a few characters to one side. Generated using $ git grep -El '[[:blank:]][[:blank:]]\\$' | \ grep -E '*\.([chx]|am|mk)$$' | \ while read f; do \ sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \ done Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-11-03 15:09:47 +03:00
# define TEST_FILTER_TABLE_LIST \
"Chain INPUT (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain FORWARD (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain OUTPUT (policy ACCEPT)\n" \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
"target prot opt source destination\n"
Remove backslash alignment attempts Right-aligning backslashes when defining macros or using complex commands in Makefiles looks cute, but as soon as any changes is required to the code you end up with either distractingly broken alignment or unnecessarily big diffs where most of the changes are just pushing all backslashes a few characters to one side. Generated using $ git grep -El '[[:blank:]][[:blank:]]\\$' | \ grep -E '*\.([chx]|am|mk)$$' | \ while read f; do \ sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \ done Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-11-03 15:09:47 +03:00
# define TEST_NAT_TABLE_LIST \
"Chain PREROUTING (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain INPUT (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain OUTPUT (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain POSTROUTING (policy ACCEPT)\n" \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
"target prot opt source destination\n"
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
VIR_MOCK_WRAP_RET_ARGS(g_dbus_connection_call_sync,
GVariant *,
GDBusConnection *, connection,
const gchar *, bus_name,
const gchar *, object_path,
const gchar *, interface_name,
const gchar *, method_name,
GVariant *, parameters,
const GVariantType *, reply_type,
GDBusCallFlags, flags,
gint, timeout_msec,
GCancellable *, cancellable,
GError **, error)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
GVariant *reply = NULL;
g_autoptr(GVariant) params = parameters;
tests: fix incorrect free of GVariant in our GLib mock functions GLib implementation of g_dbus_connection_call_sync() calls g_variant_ref_sink() on the passed @parameters to make sure they have proper reference. If the original reference is floating the g_dbus_connection_call_sync() consumes it, but if it's normal reference it will just add another one. Our mock functions were only freeing the @parameters which is incorrect and doesn't reflect how the real implementation works. Reported-by: Cole Robinson <crobinso@redhat.com> Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-10-02 13:11:45 +03:00
if (params)
g_variant_ref_sink(params);
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
VIR_MOCK_REAL_INIT(g_dbus_connection_call_sync);
if (STREQ(bus_name, "org.freedesktop.DBus") &&
STREQ(method_name, "ListNames")) {
GVariantBuilder builder;
g_variant_builder_init(&builder, G_VARIANT_TYPE("(as)"));
g_variant_builder_open(&builder, G_VARIANT_TYPE("as"));
g_variant_builder_add(&builder, "s", "org.foo.bar.wizz");
if (!fwDisabled)
g_variant_builder_add(&builder, "s", VIR_FIREWALL_FIREWALLD_SERVICE);
g_variant_builder_close(&builder);
reply = g_variant_builder_end(&builder);
} else if (STREQ(bus_name, VIR_FIREWALL_FIREWALLD_SERVICE) &&
STREQ(method_name, "passthrough")) {
g_autoptr(GVariantIter) iter = NULL;
VIR_AUTOSTRINGLIST args = NULL;
size_t nargs = 0;
char *type = NULL;
char *item = NULL;
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
bool isAdd = false;
bool doError = false;
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
size_t i;
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
g_variant_get(params, "(&sas)", &type, &iter);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
nargs = g_variant_iter_n_children(iter);
while (g_variant_iter_loop(iter, "s", &item)) {
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
/* Fake failure on the command with this IP addr */
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
if (STREQ(item, "-A")) {
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
isAdd = true;
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
} else if (isAdd && STREQ(item, "192.168.122.255")) {
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
doError = true;
}
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
virfirewalltest: Don't duplicate string when adding it onto stringlist In our wrapper of g_dbus_connection_call_sync() in virfirewalltest a string is duplicated and added onto a virStringList. This leads to a memory leak because virStringListAdd() duplicates the string itself. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2020-10-02 11:37:26 +03:00
virStringListAdd(&args, item);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
}
if (fwBuf) {
if (STREQ(type, "ipv4"))
virBufferAddLit(fwBuf, IPTABLES_PATH);
else if (STREQ(type, "ipv4"))
virBufferAddLit(fwBuf, IP6TABLES_PATH);
else
virBufferAddLit(fwBuf, EBTABLES_PATH);
}
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
for (i = 0; i < nargs; i++) {
if (fwBuf) {
virBufferAddLit(fwBuf, " ");
virBufferEscapeShell(fwBuf, args[i]);
}
}
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
if (fwBuf)
virBufferAddLit(fwBuf, "\n");
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
if (doError) {
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
if (error)
*error = g_dbus_error_new_for_dbus_error("org.firewalld.error",
"something bad happened");
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
} else {
if (nargs == 1 &&
STREQ(type, "ipv4") &&
STREQ(args[0], "-L")) {
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
reply = g_variant_new("(s)", TEST_FILTER_TABLE_LIST);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
} else if (nargs == 3 &&
STREQ(type, "ipv4") &&
STREQ(args[0], "-t") &&
STREQ(args[1], "nat") &&
STREQ(args[2], "-L")) {
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
reply = g_variant_new("(s)", TEST_NAT_TABLE_LIST);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
} else {
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
reply = g_variant_new("(s)", "success");
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
}
}
} else {
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
reply = g_variant_new("()");
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
}
return reply;
}
struct testFirewallData {
virFirewallBackend tryBackend;
virFirewallBackend expectBackend;
bool fwDisabled;
};
static int
testFirewallSingleGroup(const void *opaque)
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
virCommandSetDryRun(&cmdbuf, NULL, NULL);
else
fwBuf = &cmdbuf;
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
static int
testFirewallRemoveRule(const void *opaque)
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
virFirewallRulePtr fwrule;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
virCommandSetDryRun(&cmdbuf, NULL, NULL);
else
fwBuf = &cmdbuf;
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL);
virFirewallRuleAddArg(fw, fwrule, "--source-host");
virFirewallRemoveRule(fw, fwrule);
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL);
virFirewallRuleAddArg(fw, fwrule, "--source-host");
virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
static int
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A OUTPUT --jump DROP\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
virCommandSetDryRun(&cmdbuf, NULL, NULL);
else
fwBuf = &cmdbuf;
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
static void
testFirewallRollbackHook(const char *const*args,
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
const char *const*env G_GNUC_UNUSED,
const char *input G_GNUC_UNUSED,
char **output G_GNUC_UNUSED,
char **error G_GNUC_UNUSED,
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int *status,
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
bool isAdd = false;
while (*args) {
/* Fake failure on the command with this IP addr */
if (STREQ(*args, "-A")) {
isAdd = true;
} else if (isAdd && STREQ(*args, "192.168.122.255")) {
*status = 127;
break;
}
args++;
}
}
static int
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A OUTPUT --jump DROP\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
static int
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A OUTPUT --jump DROP\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
true, NULL, NULL,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
static int
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
goto cleanup;
}
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
static int
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwError = true;
fwBuf = &cmdbuf;
}
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
goto cleanup;
}
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
static int
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
goto cleanup;
}
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
static int
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.127 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
goto cleanup;
}
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
static const char *expectedLines[] = {
"Chain INPUT (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain FORWARD (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain OUTPUT (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain PREROUTING (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain INPUT (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain OUTPUT (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain POSTROUTING (policy ACCEPT)",
"target prot opt source destination",
"",
};
static size_t expectedLineNum;
static bool expectedLineError;
static void
testFirewallQueryHook(const char *const*args,
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
const char *const*env G_GNUC_UNUSED,
const char *input G_GNUC_UNUSED,
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
char **output,
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
char **error G_GNUC_UNUSED,
tests: use g_strdup instead of VIR_STRDUP Replace all occurrences of if (VIR_STRDUP(a, b) < 0) /* effectively dead code */ with: a = g_strdup(b); Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-20 14:49:46 +03:00
int *status G_GNUC_UNUSED,
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
if (STREQ(args[0], IPTABLES_PATH) &&
STREQ(args[1], "-L")) {
tests: use g_strdup instead of VIR_STRDUP Replace all occurrences of if (VIR_STRDUP(a, b) < 0) /* effectively dead code */ with: a = g_strdup(b); Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-20 14:49:46 +03:00
*output = g_strdup(TEST_FILTER_TABLE_LIST);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
} else if (STREQ(args[0], IPTABLES_PATH) &&
STREQ(args[1], "-t") &&
STREQ(args[2], "nat") &&
STREQ(args[3], "-L")) {
tests: use g_strdup instead of VIR_STRDUP Replace all occurrences of if (VIR_STRDUP(a, b) < 0) /* effectively dead code */ with: a = g_strdup(b); Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-20 14:49:46 +03:00
*output = g_strdup(TEST_NAT_TABLE_LIST);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
}
}
static int
testFirewallQueryCallback(virFirewallPtr fw,
util: pass layer into firewall query callback Some of the query callbacks want to know the firewall layer that was being used for triggering the query to avoid duplicating that data. Reviewed-by: Laine Stump <laine@laine.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-12-04 19:33:28 +03:00
virFirewallLayer layer,
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
const char *const *lines,
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
size_t i;
util: pass layer into firewall query callback Some of the query callbacks want to know the firewall layer that was being used for triggering the query to avoid duplicating that data. Reviewed-by: Laine Stump <laine@laine.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-12-04 19:33:28 +03:00
virFirewallAddRule(fw, layer,
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
"-A", "INPUT",
"--source-host", "!192.168.122.129",
"--jump", "REJECT", NULL);
for (i = 0; lines[i] != NULL; i++) {
Use G_N_ELEMENTS instead of ARRAY_CARDINALITY Prefer the GLib version of the macro. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-15 14:55:26 +03:00
if (expectedLineNum >= G_N_ELEMENTS(expectedLines)) {
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
expectedLineError = true;
break;
}
if (STRNEQ(expectedLines[expectedLineNum], lines[i])) {
fprintf(stderr, "Mismatch '%s' vs '%s' at %zu, %zu\n",
expectedLines[expectedLineNum], lines[i],
expectedLineNum, i);
expectedLineError = true;
break;
}
expectedLineNum++;
}
return 0;
}
static int
tests: use G_GNUC_UNUSED Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-14 15:45:03 +03:00
testFirewallQuery(const void *opaque G_GNUC_UNUSED)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
{
tests: use g_auto for all virBuffers Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-03 02:35:41 +03:00
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
use g_autoptr() for all usages of virFirewallNew/Free Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2020-07-04 23:35:10 +03:00
g_autoptr(virFirewall) fw = virFirewallNew();
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
IPTABLES_PATH " -L\n"
IPTABLES_PATH " -t nat -L\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.130 --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.128 --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
expectedLineNum = 0;
expectedLineError = false;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallQueryHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
false,
testFirewallQueryCallback,
NULL,
"-L", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
false,
testFirewallQueryCallback,
NULL,
"-t", "nat", "-L", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.130",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.128",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (expectedLineError) {
fprintf(stderr, "Got some unexpected query data\n");
goto cleanup;
}
if (STRNEQ_NULLABLE(expected, actual)) {
Fix minor typos in messages and docs Signed-off-by: Yuri Chornoivan <yurchor@ukr.net> Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-04 20:08:14 +03:00
fprintf(stderr, "Unexpected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 18:01:51 +03:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
goto cleanup;
}
ret = 0;
cleanup:
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
return ret;
}
Prevent test failures with ebtables/iptables/ip6tables are missing When running tests in a restricted container (as opposed to a full OS install), we can't assume ebtables/iptbles/ip6tables are going to be installed. We must check this and mark the tests as skipped. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-04-07 17:11:14 +03:00
static bool
hasNetfilterTools(void)
{
return virFileIsExecutable(IPTABLES_PATH) &&
virFileIsExecutable(IP6TABLES_PATH) &&
virFileIsExecutable(EBTABLES_PATH);
}
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
static int
mymain(void)
{
int ret = 0;
Prevent test failures with ebtables/iptables/ip6tables are missing When running tests in a restricted container (as opposed to a full OS install), we can't assume ebtables/iptbles/ip6tables are going to be installed. We must check this and mark the tests as skipped. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-04-07 17:11:14 +03:00
if (!hasNetfilterTools()) {
fprintf(stderr, "iptables/ip6tables/ebtables tools not present");
return EXIT_AM_SKIP;
}
Remove backslash alignment attempts Right-aligning backslashes when defining macros or using complex commands in Makefiles looks cute, but as soon as any changes is required to the code you end up with either distractingly broken alignment or unnecessarily big diffs where most of the changes are just pushing all backslashes a few characters to one side. Generated using $ git grep -El '[[:blank:]][[:blank:]]\\$' | \ grep -E '*\.([chx]|am|mk)$$' | \ while read f; do \ sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \ done Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-11-03 15:09:47 +03:00
# define RUN_TEST_DIRECT(name, method) \
do { \
struct testFirewallData data; \
data.tryBackend = VIR_FIREWALL_BACKEND_AUTOMATIC; \
data.expectBackend = VIR_FIREWALL_BACKEND_DIRECT; \
data.fwDisabled = true; \
if (virTestRun(name " auto direct", method, &data) < 0) \
ret = -1; \
data.tryBackend = VIR_FIREWALL_BACKEND_DIRECT; \
data.expectBackend = VIR_FIREWALL_BACKEND_DIRECT; \
data.fwDisabled = true; \
if (virTestRun(name " manual direct", method, &data) < 0) \
ret = -1; \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
} while (0)
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
# define RUN_TEST_FIREWALLD(name, method) \
Remove backslash alignment attempts Right-aligning backslashes when defining macros or using complex commands in Makefiles looks cute, but as soon as any changes is required to the code you end up with either distractingly broken alignment or unnecessarily big diffs where most of the changes are just pushing all backslashes a few characters to one side. Generated using $ git grep -El '[[:blank:]][[:blank:]]\\$' | \ grep -E '*\.([chx]|am|mk)$$' | \ while read f; do \ sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \ done Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-11-03 15:09:47 +03:00
do { \
struct testFirewallData data; \
data.tryBackend = VIR_FIREWALL_BACKEND_AUTOMATIC; \
data.expectBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
data.fwDisabled = false; \
if (virTestRun(name " auto firewalld", method, &data) < 0) \
ret = -1; \
data.tryBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
data.expectBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
data.fwDisabled = false; \
if (virTestRun(name " manual firewalld", method, &data) < 0) \
ret = -1; \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
} while (0)
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
# define RUN_TEST(name, method) \
Remove backslash alignment attempts Right-aligning backslashes when defining macros or using complex commands in Makefiles looks cute, but as soon as any changes is required to the code you end up with either distractingly broken alignment or unnecessarily big diffs where most of the changes are just pushing all backslashes a few characters to one side. Generated using $ git grep -El '[[:blank:]][[:blank:]]\\$' | \ grep -E '*\.([chx]|am|mk)$$' | \ while read f; do \ sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \ done Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-11-03 15:09:47 +03:00
RUN_TEST_DIRECT(name, method); \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
RUN_TEST_FIREWALLD(name, method)
tests: Set up two more overrides for root builders There are two more places after commit 3865941b that need to be adapted in order to get rid of some test failures when building as root. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-12-23 08:10:55 +03:00
virFirewallSetLockOverride(true);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 20:30:40 +04:00
RUN_TEST("single group", testFirewallSingleGroup);
RUN_TEST("remove rule", testFirewallRemoveRule);
RUN_TEST("many groups", testFirewallManyGroups);
RUN_TEST("ignore fail group", testFirewallIgnoreFailGroup);
RUN_TEST("ignore fail rule", testFirewallIgnoreFailRule);
RUN_TEST("no rollback", testFirewallNoRollback);
RUN_TEST("single rollback", testFirewallSingleRollback);
RUN_TEST("many rollback", testFirewallManyRollback);
RUN_TEST("chained rollback", testFirewallChainedRollback);
RUN_TEST("query transaction", testFirewallQuery);
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
src/util/virfirewalld: convert to use GLib DBus Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-09-15 15:00:53 +03:00
VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virgdbus"))
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 22:43:58 +04:00
#else /* ! defined (__linux__) */
int main(void)
{
return EXIT_AM_SKIP;
}
#endif /* ! defined(__linux__) */
Copy Permalink