← Back to branch summary

~serge-hallyn/ubuntu/raring/libvirt/libvirt-hugepages

« back to all changes in this revision

Viewing changes to src/nwfilter/nwfilter_ebiptables_driver.c

  • Committer: Package Import Robot
  • Author(s): Chuck Short
  • Date: 2012-05-13 15:44:12 UTC
  • mfrom: (1.2.13)
  • Revision ID: package-import@ubuntu.com-20120513154412-fgmn5sxqdzgnzlx3
Tags: 0.9.12-0ubuntu1
* New upstream version:
  * Synchronize with debian packaging:
    - debian/control: Update build depends.
    - debian/libvirt-bin.postrm: Cleanup /var/log/libvirt
      on purge.
    - Bump standards verson (no changes).
    - debian/patches/Don-t-fail-if-we-can-t-setup-avahi.patch: Added
  * Dropped patches:
    - debian/patches/Debianize-libvirt-guests.patch
    - debian/patches/rewrite-lxc-controller-eof-handling-yet-again
    - debian/patches/ubuntu/libnl13.patch
    - debian/patches/ubuntu/fix-lxc-startup-error.patch
    - debian/patches/ubuntu/fix-bridge-fd.patch
    - debian/patches/ubuntu/skip-labelling-network-disks.patch
    - debian/patches/ubuntu/xen-xend-shutdown-detection.patch
    - debian/patches/ubuntu/xen-config-no-vfb-for-hvm.patch
    - debian/patches/debian/Disable-daemon-start-test.patch
    - debian/patches/debian/Disable-gnulib-s-test-nonplocking-pipe.sh.patch
    - debian/patches/ubuntu/9006-default-config-test-case.patch
    - debian/patches/fix-block-migration.patch
    - debian/patches/ubuntu/9022-qemu-unescape-HMP-commands-before-converting-them-to.patch
    - debian/patches/ubuntu/9023-qemu-change-rbd-auth_supported-separation-character-.patch
    - debian/patches/ubuntu/9024-qemu-allow-snapshotting-of-sheepdog-and-rbd-disks.patch
    - debian/patches/9025-qemu-change-rbd-auth_supported-separation-character-.patch
    - debian/patches/ubuntu/arm-gcc-workaround.patch
  * Rediffed:
    - debian/patches/Allow-libvirt-group-to-access-the-socket.patch
    - debian/patches/Disable-failing-virnetsockettest.patch
    - debian/patches/dnsmasq-as-priv-user
    - debian/patches/9002-better_default_uri_virsh.patch
  * debian/control: Add libnl-route-3-dev ass a build depends.
  * debian/patches/libnl3-build-fix.patch: Fix build with libnl3.

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/nwfilter/nwfilter_ebiptables_driver.c
230
230
    if ((item->flags & NWFILTER_ENTRY_ITEM_FLAG_HAS_VAR)) {
231
231
        const char *val;
232
232
 
233
 
        val = virNWFilterVarCombIterGetVarValue(vars, item->var);
 
233
        val = virNWFilterVarCombIterGetVarValue(vars, item->varAccess);
234
234
        if (!val) {
235
235
            /* error has been reported */
236
 
            return 1;
 
236
            return -1;
237
237
        }
238
238
 
239
239
        if (!virStrcpy(buf, val, bufsize)) {
 
240
            const char *varName;
 
241
 
 
242
            varName = virNWFilterVarAccessGetVarName(item->varAccess);
240
243
            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
241
 
                                   _("Buffer to small to print MAC address "
242
 
                                   "'%s' into"),
243
 
                                   item->var);
244
 
            return 1;
 
244
                                   _("Buffer too small to print variable "
 
245
                                   "'%s' into"), varName);
 
246
            return -1;
245
247
        }
246
248
 
247
249
        *done = 1;
259
261
    int done;
260
262
    char *data;
261
263
 
262
 
    if (printVar(vars, buf, bufsize, item, &done))
263
 
        return 1;
 
264
    if (printVar(vars, buf, bufsize, item, &done) < 0)
 
265
        return -1;
264
266
 
265
267
    if (done)
266
268
        return 0;
269
271
    case DATATYPE_IPADDR:
270
272
        data = virSocketAddrFormat(&item->u.ipaddr);
271
273
        if (!data)
272
 
            return 1;
 
274
            return -1;
273
275
        if (snprintf(buf, bufsize, "%s", data) >= bufsize) {
274
276
            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
275
277
                                   _("buffer too small for IP address"));
276
278
            VIR_FREE(data);
277
 
            return 1;
 
279
            return -1;
278
280
        }
279
281
        VIR_FREE(data);
280
282
    break;
282
284
    case DATATYPE_IPV6ADDR:
283
285
        data = virSocketAddrFormat(&item->u.ipaddr);
284
286
        if (!data)
285
 
            return 1;
 
287
            return -1;
286
288
 
287
289
        if (snprintf(buf, bufsize, "%s", data) >= bufsize) {
288
290
            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
289
291
                                   _("buffer too small for IPv6 address"));
290
292
            VIR_FREE(data);
291
 
            return 1;
 
293
            return -1;
292
294
        }
293
295
        VIR_FREE(data);
294
296
    break;
298
300
        if (bufsize < VIR_MAC_STRING_BUFLEN) {
299
301
            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
300
302
                                   _("Buffer too small for MAC address"));
301
 
            return 1;
 
303
            return -1;
302
304
        }
303
305
 
304
 
        virFormatMacAddr(item->u.macaddr.addr, buf);
 
306
        virMacAddrFormat(item->u.macaddr.addr, buf);
305
307
    break;
306
308
 
307
309
    case DATATYPE_IPV6MASK:
310
312
                     item->u.u8) >= bufsize) {
311
313
            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
312
314
                                   _("Buffer too small for uint8 type"));
313
 
            return 1;
 
315
            return -1;
314
316
        }
315
317
    break;
316
318
 
320
322
                     item->u.u32) >= bufsize) {
321
323
            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
322
324
                                   _("Buffer too small for uint32 type"));
323
 
            return 1;
 
325
            return -1;
324
326
        }
325
327
    break;
326
328
 
330
332
                     item->u.u16) >= bufsize) {
331
333
            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
332
334
                                   _("Buffer too small for uint16 type"));
333
 
            return 1;
 
335
            return -1;
334
336
        }
335
337
    break;
336
338
 
340
342
                     item->u.u8) >= bufsize) {
341
343
            virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
342
344
                                   _("Buffer too small for uint8 type"));
343
 
            return 1;
 
345
            return -1;
344
346
        }
345
347
    break;
346
348
 
347
349
    default:
348
350
        virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
349
351
                               _("Unhandled datatype %x"), item->datatype);
350
 
        return 1;
 
352
        return -1;
351
353
    break;
352
354
    }
353
355
 
417
419
 
418
420
    if (VIR_ALLOC(inst) < 0) {
419
421
        virReportOOMError();
420
 
        return 1;
 
422
        return -1;
421
423
    }
422
424
 
423
425
    inst->commandTemplate = commandTemplate;
442
444
    if (HAS_ENTRY_ITEM(&ethHdr->dataSrcMACAddr)) {
443
445
        if (printDataType(vars,
444
446
                          macaddr, sizeof(macaddr),
445
 
                          &ethHdr->dataSrcMACAddr))
 
447
                          &ethHdr->dataSrcMACAddr) < 0)
446
448
            goto err_exit;
447
449
 
448
450
        virBufferAsprintf(buf,
454
456
        if (HAS_ENTRY_ITEM(&ethHdr->dataSrcMACMask)) {
455
457
            if (printDataType(vars,
456
458
                              macaddr, sizeof(macaddr),
457
 
                              &ethHdr->dataSrcMACMask))
 
459
                              &ethHdr->dataSrcMACMask) < 0)
458
460
                goto err_exit;
459
461
 
460
462
            virBufferAsprintf(buf,
466
468
    if (HAS_ENTRY_ITEM(&ethHdr->dataDstMACAddr)) {
467
469
        if (printDataType(vars,
468
470
                          macaddr, sizeof(macaddr),
469
 
                          &ethHdr->dataDstMACAddr))
 
471
                          &ethHdr->dataDstMACAddr) < 0)
470
472
            goto err_exit;
471
473
 
472
474
        virBufferAsprintf(buf,
478
480
        if (HAS_ENTRY_ITEM(&ethHdr->dataDstMACMask)) {
479
481
            if (printDataType(vars,
480
482
                              macaddr, sizeof(macaddr),
481
 
                              &ethHdr->dataDstMACMask))
 
483
                              &ethHdr->dataDstMACMask) < 0)
482
484
                goto err_exit;
483
485
 
484
486
            virBufferAsprintf(buf,
492
494
 err_exit:
493
495
    virBufferFreeAndReset(buf);
494
496
 
495
 
    return 1;
 
497
    return -1;
496
498
}
497
499
 
498
500
 
895
897
 
896
898
        if (printDataType(vars,
897
899
                          macaddr, sizeof(macaddr),
898
 
                          srcMacAddr))
 
900
                          srcMacAddr) < 0)
899
901
            goto err_exit;
900
902
 
901
903
        virBufferAsprintf(buf,
909
911
err_exit:
910
912
    virBufferFreeAndReset(buf);
911
913
 
912
 
    return 1;
 
914
    return -1;
913
915
}
914
916
 
915
917
 
940
942
 
941
943
        if (printDataType(vars,
942
944
                          ipaddr, sizeof(ipaddr),
943
 
                          &ipHdr->dataSrcIPAddr))
 
945
                          &ipHdr->dataSrcIPAddr) < 0)
944
946
            goto err_exit;
945
947
 
946
948
        virBufferAsprintf(buf,
953
955
 
954
956
            if (printDataType(vars,
955
957
                              number, sizeof(number),
956
 
                              &ipHdr->dataSrcIPMask))
 
958
                              &ipHdr->dataSrcIPMask) < 0)
957
959
                goto err_exit;
958
960
 
959
961
            virBufferAsprintf(buf,
964
966
 
965
967
        if (printDataType(vars,
966
968
                          ipaddr, sizeof(ipaddr),
967
 
                          &ipHdr->dataSrcIPFrom))
 
969
                          &ipHdr->dataSrcIPFrom) < 0)
968
970
            goto err_exit;
969
971
 
970
972
        virBufferAsprintf(buf,
977
979
 
978
980
            if (printDataType(vars,
979
981
                              ipaddr, sizeof(ipaddr),
980
 
                              &ipHdr->dataSrcIPTo))
 
982
                              &ipHdr->dataSrcIPTo) < 0)
981
983
                goto err_exit;
982
984
 
983
985
            virBufferAsprintf(buf,
990
992
 
991
993
        if (printDataType(vars,
992
994
                          ipaddr, sizeof(ipaddr),
993
 
                          &ipHdr->dataDstIPAddr))
 
995
                          &ipHdr->dataDstIPAddr) < 0)
994
996
           goto err_exit;
995
997
 
996
998
        virBufferAsprintf(buf,
1003
1005
 
1004
1006
            if (printDataType(vars,
1005
1007
                              number, sizeof(number),
1006
 
                              &ipHdr->dataDstIPMask))
 
1008
                              &ipHdr->dataDstIPMask) < 0)
1007
1009
                goto err_exit;
1008
1010
 
1009
1011
            virBufferAsprintf(buf,
1015
1017
 
1016
1018
        if (printDataType(vars,
1017
1019
                          ipaddr, sizeof(ipaddr),
1018
 
                          &ipHdr->dataDstIPFrom))
 
1020
                          &ipHdr->dataDstIPFrom) < 0)
1019
1021
            goto err_exit;
1020
1022
 
1021
1023
        virBufferAsprintf(buf,
1028
1030
 
1029
1031
            if (printDataType(vars,
1030
1032
                              ipaddr, sizeof(ipaddr),
1031
 
                              &ipHdr->dataDstIPTo))
 
1033
                              &ipHdr->dataDstIPTo) < 0)
1032
1034
                goto err_exit;
1033
1035
 
1034
1036
            virBufferAsprintf(buf,
1041
1043
 
1042
1044
        if (printDataType(vars,
1043
1045
                          number, sizeof(number),
1044
 
                          &ipHdr->dataDSCP))
 
1046
                          &ipHdr->dataDSCP) < 0)
1045
1047
           goto err_exit;
1046
1048
 
1047
1049
        virBufferAsprintf(buf,
1057
1059
        } else {
1058
1060
            if (printDataType(vars,
1059
1061
                              number, sizeof(number),
1060
 
                              &ipHdr->dataConnlimitAbove))
 
1062
                              &ipHdr->dataConnlimitAbove) < 0)
1061
1063
               goto err_exit;
1062
1064
 
1063
1065
            /* place connlimit after potential -m state --state ...
1085
1087
    virBufferFreeAndReset(buf);
1086
1088
    virBufferFreeAndReset(afterStateMatch);
1087
1089
 
1088
 
    return 1;
 
1090
    return -1;
1089
1091
}
1090
1092
 
1091
1093
 
1106
1108
    if (HAS_ENTRY_ITEM(&portData->dataSrcPortStart)) {
1107
1109
        if (printDataType(vars,
1108
1110
                          portstr, sizeof(portstr),
1109
 
                          &portData->dataSrcPortStart))
 
1111
                          &portData->dataSrcPortStart) < 0)
1110
1112
            goto err_exit;
1111
1113
 
1112
1114
        virBufferAsprintf(buf,
1118
1120
        if (HAS_ENTRY_ITEM(&portData->dataSrcPortEnd)) {
1119
1121
            if (printDataType(vars,
1120
1122
                              portstr, sizeof(portstr),
1121
 
                              &portData->dataSrcPortEnd))
 
1123
                              &portData->dataSrcPortEnd) < 0)
1122
1124
                goto err_exit;
1123
1125
 
1124
1126
             virBufferAsprintf(buf,
1130
1132
    if (HAS_ENTRY_ITEM(&portData->dataDstPortStart)) {
1131
1133
        if (printDataType(vars,
1132
1134
                          portstr, sizeof(portstr),
1133
 
                          &portData->dataDstPortStart))
 
1135
                          &portData->dataDstPortStart) < 0)
1134
1136
            goto err_exit;
1135
1137
 
1136
1138
        virBufferAsprintf(buf,
1142
1144
        if (HAS_ENTRY_ITEM(&portData->dataDstPortEnd)) {
1143
1145
            if (printDataType(vars,
1144
1146
                              portstr, sizeof(portstr),
1145
 
                              &portData->dataDstPortEnd))
 
1147
                              &portData->dataDstPortEnd) < 0)
1146
1148
                goto err_exit;
1147
1149
 
1148
1150
             virBufferAsprintf(buf,
1154
1156
    return 0;
1155
1157
 
1156
1158
err_exit:
1157
 
    return 1;
 
1159
    return -1;
1158
1160
}
1159
1161
 
1160
1162
 
1244
1246
                                     vars,
1245
1247
                                     &rule->p.tcpHdrFilter.dataSrcMACAddr,
1246
1248
                                     directionIn,
1247
 
                                     &srcMacSkipped))
 
1249
                                     &srcMacSkipped) < 0)
1248
1250
            goto err_exit;
1249
1251
 
1250
1252
        if (iptablesHandleIpHdr(&buf,
1253
1255
                                &rule->p.tcpHdrFilter.ipHdr,
1254
1256
                                directionIn,
1255
1257
                                &skipRule, &skipMatch,
1256
 
                                &prefix))
 
1258
                                &prefix) < 0)
1257
1259
            goto err_exit;
1258
1260
 
1259
1261
        if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPFlags)) {
1268
1270
        if (iptablesHandlePortData(&buf,
1269
1271
                                   vars,
1270
1272
                                   &rule->p.tcpHdrFilter.portData,
1271
 
                                   directionIn))
 
1273
                                   directionIn) < 0)
1272
1274
            goto err_exit;
1273
1275
 
1274
1276
        if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPOption)) {
1275
1277
            if (printDataType(vars,
1276
1278
                              number, sizeof(number),
1277
 
                              &rule->p.tcpHdrFilter.dataTCPOption))
 
1279
                              &rule->p.tcpHdrFilter.dataTCPOption) < 0)
1278
1280
                goto err_exit;
1279
1281
 
1280
1282
            virBufferAsprintf(&buf,
1299
1301
                                     vars,
1300
1302
                                     &rule->p.udpHdrFilter.dataSrcMACAddr,
1301
1303
                                     directionIn,
1302
 
                                     &srcMacSkipped))
 
1304
                                     &srcMacSkipped) < 0)
1303
1305
            goto err_exit;
1304
1306
 
1305
1307
        if (iptablesHandleIpHdr(&buf,
1308
1310
                                &rule->p.udpHdrFilter.ipHdr,
1309
1311
                                directionIn,
1310
1312
                                &skipRule, &skipMatch,
1311
 
                                &prefix))
 
1313
                                &prefix) < 0)
1312
1314
            goto err_exit;
1313
1315
 
1314
1316
        if (iptablesHandlePortData(&buf,
1315
1317
                                   vars,
1316
1318
                                   &rule->p.udpHdrFilter.portData,
1317
 
                                   directionIn))
 
1319
                                   directionIn) < 0)
1318
1320
            goto err_exit;
1319
1321
    break;
1320
1322
 
1332
1334
                                     vars,
1333
1335
                                     &rule->p.udpliteHdrFilter.dataSrcMACAddr,
1334
1336
                                     directionIn,
1335
 
                                     &srcMacSkipped))
 
1337
                                     &srcMacSkipped) < 0)
1336
1338
            goto err_exit;
1337
1339
 
1338
1340
        if (iptablesHandleIpHdr(&buf,
1341
1343
                                &rule->p.udpliteHdrFilter.ipHdr,
1342
1344
                                directionIn,
1343
1345
                                &skipRule, &skipMatch,
1344
 
                                &prefix))
 
1346
                                &prefix) < 0)
1345
1347
            goto err_exit;
1346
1348
 
1347
1349
    break;
1360
1362
                                     vars,
1361
1363
                                     &rule->p.espHdrFilter.dataSrcMACAddr,
1362
1364
                                     directionIn,
1363
 
                                     &srcMacSkipped))
 
1365
                                     &srcMacSkipped) < 0)
1364
1366
            goto err_exit;
1365
1367
 
1366
1368
        if (iptablesHandleIpHdr(&buf,
1369
1371
                                &rule->p.espHdrFilter.ipHdr,
1370
1372
                                directionIn,
1371
1373
                                &skipRule, &skipMatch,
1372
 
                                &prefix))
 
1374
                                &prefix) < 0)
1373
1375
            goto err_exit;
1374
1376
 
1375
1377
    break;
1388
1390
                                     vars,
1389
1391
                                     &rule->p.ahHdrFilter.dataSrcMACAddr,
1390
1392
                                     directionIn,
1391
 
                                     &srcMacSkipped))
 
1393
                                     &srcMacSkipped) < 0)
1392
1394
            goto err_exit;
1393
1395
 
1394
1396
        if (iptablesHandleIpHdr(&buf,
1397
1399
                                &rule->p.ahHdrFilter.ipHdr,
1398
1400
                                directionIn,
1399
1401
                                &skipRule, &skipMatch,
1400
 
                                &prefix))
 
1402
                                &prefix) < 0)
1401
1403
            goto err_exit;
1402
1404
 
1403
1405
    break;
1416
1418
                                     vars,
1417
1419
                                     &rule->p.sctpHdrFilter.dataSrcMACAddr,
1418
1420
                                     directionIn,
1419
 
                                     &srcMacSkipped))
 
1421
                                     &srcMacSkipped) < 0)
1420
1422
            goto err_exit;
1421
1423
 
1422
1424
        if (iptablesHandleIpHdr(&buf,
1425
1427
                                &rule->p.sctpHdrFilter.ipHdr,
1426
1428
                                directionIn,
1427
1429
                                &skipRule, &skipMatch,
1428
 
                                &prefix))
 
1430
                                &prefix) < 0)
1429
1431
            goto err_exit;
1430
1432
 
1431
1433
        if (iptablesHandlePortData(&buf,
1432
1434
                                   vars,
1433
1435
                                   &rule->p.sctpHdrFilter.portData,
1434
 
                                   directionIn))
 
1436
                                   directionIn) < 0)
1435
1437
            goto err_exit;
1436
1438
    break;
1437
1439
 
1452
1454
                                     vars,
1453
1455
                                     &rule->p.icmpHdrFilter.dataSrcMACAddr,
1454
1456
                                     directionIn,
1455
 
                                     &srcMacSkipped))
 
1457
                                     &srcMacSkipped) < 0)
1456
1458
            goto err_exit;
1457
1459
 
1458
1460
        if (iptablesHandleIpHdr(&buf,
1461
1463
                                &rule->p.icmpHdrFilter.ipHdr,
1462
1464
                                directionIn,
1463
1465
                                &skipRule, &skipMatch,
1464
 
                                &prefix))
 
1466
                                &prefix) < 0)
1465
1467
            goto err_exit;
1466
1468
 
1467
1469
        if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) {
1479
1481
 
1480
1482
            if (printDataType(vars,
1481
1483
                              number, sizeof(number),
1482
 
                              &rule->p.icmpHdrFilter.dataICMPType))
 
1484
                              &rule->p.icmpHdrFilter.dataICMPType) < 0)
1483
1485
                goto err_exit;
1484
1486
 
1485
1487
            virBufferAsprintf(&buf,
1491
1493
            if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPCode)) {
1492
1494
                if (printDataType(vars,
1493
1495
                                  number, sizeof(number),
1494
 
                                  &rule->p.icmpHdrFilter.dataICMPCode))
 
1496
                                  &rule->p.icmpHdrFilter.dataICMPCode) < 0)
1495
1497
                    goto err_exit;
1496
1498
 
1497
1499
                 virBufferAsprintf(&buf,
1514
1516
                                     vars,
1515
1517
                                     &rule->p.igmpHdrFilter.dataSrcMACAddr,
1516
1518
                                     directionIn,
1517
 
                                     &srcMacSkipped))
 
1519
                                     &srcMacSkipped) < 0)
1518
1520
            goto err_exit;
1519
1521
 
1520
1522
        if (iptablesHandleIpHdr(&buf,
1523
1525
                                &rule->p.igmpHdrFilter.ipHdr,
1524
1526
                                directionIn,
1525
1527
                                &skipRule, &skipMatch,
1526
 
                                &prefix))
 
1528
                                &prefix) < 0)
1527
1529
            goto err_exit;
1528
1530
 
1529
1531
    break;
1542
1544
                                     vars,
1543
1545
                                     &rule->p.allHdrFilter.dataSrcMACAddr,
1544
1546
                                     directionIn,
1545
 
                                     &srcMacSkipped))
 
1547
                                     &srcMacSkipped) < 0)
1546
1548
            goto err_exit;
1547
1549
 
1548
1550
        if (iptablesHandleIpHdr(&buf,
1551
1553
                                &rule->p.allHdrFilter.ipHdr,
1552
1554
                                directionIn,
1553
1555
                                &skipRule, &skipMatch,
1554
 
                                &prefix))
 
1556
                                &prefix) < 0)
1555
1557
            goto err_exit;
1556
1558
 
1557
1559
    break;
1664
1666
    if (virBufferError(&buf)) {
1665
1667
        virBufferFreeAndReset(&buf);
1666
1668
        virReportOOMError();
1667
 
        return 1;
 
1669
        return -1;
1668
1670
    }
1669
1671
    *bufptr = virBufferContentAndReset(&buf);
1670
1672
    return 0;
1704
1706
    }
1705
1707
 
1706
1708
    if (create && (rule->flags & IPTABLES_STATE_FLAGS)) {
1707
 
        if (printStateMatchFlags(rule->flags, &matchState))
1708
 
            return 1;
 
1709
        if (printStateMatchFlags(rule->flags, &matchState) < 0)
 
1710
            return -1;
1709
1711
    }
1710
1712
 
1711
1713
    chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
1723
1725
                                         maySkipICMP);
1724
1726
 
1725
1727
        VIR_FREE(matchState);
1726
 
        if (rc)
 
1728
        if (rc < 0)
1727
1729
            return rc;
1728
1730
    }
1729
1731
 
1736
1738
    }
1737
1739
 
1738
1740
    if (create && (rule->flags & IPTABLES_STATE_FLAGS)) {
1739
 
        if (printStateMatchFlags(rule->flags, &matchState))
1740
 
            return 1;
 
1741
        if (printStateMatchFlags(rule->flags, &matchState) < 0)
 
1742
            return -1;
1741
1743
    }
1742
1744
 
1743
1745
    chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
1756
1758
 
1757
1759
        VIR_FREE(matchState);
1758
1760
 
1759
 
        if (rc)
 
1761
        if (rc < 0)
1760
1762
            return rc;
1761
1763
    }
1762
1764
 
1769
1771
            create = false;
1770
1772
    } else {
1771
1773
        if ((rule->flags & IPTABLES_STATE_FLAGS)) {
1772
 
            if (printStateMatchFlags(rule->flags, &matchState))
1773
 
                return 1;
 
1774
            if (printStateMatchFlags(rule->flags, &matchState) < 0)
 
1775
                return -1;
1774
1776
        }
1775
1777
    }
1776
1778
 
1852
1854
                                     "RETURN",
1853
1855
                                     isIPv6,
1854
1856
                                     maySkipICMP);
1855
 
    if (rc)
 
1857
    if (rc < 0)
1856
1858
        return rc;
1857
1859
 
1858
1860
 
1874
1876
                                     "ACCEPT",
1875
1877
                                     isIPv6,
1876
1878
                                     maySkipICMP);
1877
 
    if (rc)
 
1879
    if (rc < 0)
1878
1880
        return rc;
1879
1881
 
1880
1882
    maySkipICMP = directionIn;
1963
1965
        if (ebtablesHandleEthHdr(&buf,
1964
1966
                                 vars,
1965
1967
                                 &rule->p.ethHdrFilter.ethHdr,
1966
 
                                 reverse))
 
1968
                                 reverse) < 0)
1967
1969
            goto err_exit;
1968
1970
 
1969
1971
        if (HAS_ENTRY_ITEM(&rule->p.ethHdrFilter.dataProtocolID)) {
1970
1972
            if (printDataTypeAsHex(vars,
1971
1973
                                   number, sizeof(number),
1972
 
                                   &rule->p.ethHdrFilter.dataProtocolID))
 
1974
                                   &rule->p.ethHdrFilter.dataProtocolID) < 0)
1973
1975
                goto err_exit;
1974
1976
            virBufferAsprintf(&buf,
1975
1977
                          " -p %s %s",
1988
1990
        if (ebtablesHandleEthHdr(&buf,
1989
1991
                                 vars,
1990
1992
                                 &rule->p.vlanHdrFilter.ethHdr,
1991
 
                                 reverse))
 
1993
                                 reverse) < 0)
1992
1994
            goto err_exit;
1993
1995
 
1994
1996
        virBufferAddLit(&buf,
1998
2000
        if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM)) { \
1999
2001
            if (printDataType(vars, \
2000
2002
                              field, sizeof(field), \
2001
 
                              &rule->p.STRUCT.ITEM)) \
 
2003
                              &rule->p.STRUCT.ITEM) < 0) \
2002
2004
                goto err_exit; \
2003
2005
            virBufferAsprintf(&buf, \
2004
2006
                          " " CLI " %s %s", \
2010
2012
        if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM)) { \
2011
2013
            if (printDataType(vars, \
2012
2014
                              field, sizeof(field), \
2013
 
                              &rule->p.STRUCT.ITEM)) \
 
2015
                              &rule->p.STRUCT.ITEM) < 0) \
2014
2016
                goto err_exit; \
2015
2017
            virBufferAsprintf(&buf, \
2016
2018
                          " " CLI " %s %s", \
2019
2021
            if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \
2020
2022
                if (printDataType(vars, \
2021
2023
                                  field, sizeof(field), \
2022
 
                                  &rule->p.STRUCT.ITEM_HI)) \
 
2024
                                  &rule->p.STRUCT.ITEM_HI) < 0) \
2023
2025
                    goto err_exit; \
2024
2026
                virBufferAsprintf(&buf, SEP "%s", field); \
2025
2027
            } \
2055
2057
        if (ebtablesHandleEthHdr(&buf,
2056
2058
                                 vars,
2057
2059
                                 &rule->p.stpHdrFilter.ethHdr,
2058
 
                                 reverse))
 
2060
                                 reverse) < 0)
2059
2061
            goto err_exit;
2060
2062
 
2061
2063
        virBufferAddLit(&buf, " -d " NWFILTER_MAC_BGA);
2092
2094
        if (ebtablesHandleEthHdr(&buf,
2093
2095
                                 vars,
2094
2096
                                 &rule->p.arpHdrFilter.ethHdr,
2095
 
                                 reverse))
 
2097
                                 reverse) < 0)
2096
2098
            goto err_exit;
2097
2099
 
2098
2100
        virBufferAsprintf(&buf, " -p 0x%x",
2103
2105
        if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) {
2104
2106
             if (printDataType(vars,
2105
2107
                               number, sizeof(number),
2106
 
                               &rule->p.arpHdrFilter.dataHWType))
 
2108
                               &rule->p.arpHdrFilter.dataHWType) < 0)
2107
2109
                goto err_exit;
2108
2110
           virBufferAsprintf(&buf,
2109
2111
                          " --arp-htype %s %s",
2114
2116
        if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataOpcode)) {
2115
2117
            if (printDataType(vars,
2116
2118
                              number, sizeof(number),
2117
 
                              &rule->p.arpHdrFilter.dataOpcode))
 
2119
                              &rule->p.arpHdrFilter.dataOpcode) < 0)
2118
2120
                goto err_exit;
2119
2121
            virBufferAsprintf(&buf,
2120
2122
                          " --arp-opcode %s %s",
2125
2127
        if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataProtocolType)) {
2126
2128
            if (printDataTypeAsHex(vars,
2127
2129
                                   number, sizeof(number),
2128
 
                                   &rule->p.arpHdrFilter.dataProtocolType))
 
2130
                                   &rule->p.arpHdrFilter.dataProtocolType) < 0)
2129
2131
                goto err_exit;
2130
2132
            virBufferAsprintf(&buf,
2131
2133
                          " --arp-ptype %s %s",
2136
2138
        if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) {
2137
2139
            if (printDataType(vars,
2138
2140
                              ipaddr, sizeof(ipaddr),
2139
 
                              &rule->p.arpHdrFilter.dataARPSrcIPAddr))
 
2141
                              &rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0)
2140
2142
                goto err_exit;
2141
2143
 
2142
2144
            virBufferAsprintf(&buf,
2149
2151
        if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
2150
2152
            if (printDataType(vars,
2151
2153
                              ipaddr, sizeof(ipaddr),
2152
 
                              &rule->p.arpHdrFilter.dataARPDstIPAddr))
 
2154
                              &rule->p.arpHdrFilter.dataARPDstIPAddr) < 0)
2153
2155
                goto err_exit;
2154
2156
 
2155
2157
            virBufferAsprintf(&buf,
2162
2164
        if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
2163
2165
            if (printDataType(vars,
2164
2166
                              macaddr, sizeof(macaddr),
2165
 
                              &rule->p.arpHdrFilter.dataARPSrcMACAddr))
 
2167
                              &rule->p.arpHdrFilter.dataARPSrcMACAddr) < 0)
2166
2168
                goto err_exit;
2167
2169
 
2168
2170
            virBufferAsprintf(&buf,
2175
2177
        if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstMACAddr)) {
2176
2178
            if (printDataType(vars,
2177
2179
                              macaddr, sizeof(macaddr),
2178
 
                              &rule->p.arpHdrFilter.dataARPDstMACAddr))
 
2180
                              &rule->p.arpHdrFilter.dataARPDstMACAddr) < 0)
2179
2181
                goto err_exit;
2180
2182
 
2181
2183
            virBufferAsprintf(&buf,
2201
2203
        if (ebtablesHandleEthHdr(&buf,
2202
2204
                                 vars,
2203
2205
                                 &rule->p.ipHdrFilter.ethHdr,
2204
 
                                 reverse))
 
2206
                                 reverse) < 0)
2205
2207
            goto err_exit;
2206
2208
 
2207
2209
        virBufferAddLit(&buf,
2210
2212
        if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) {
2211
2213
            if (printDataType(vars,
2212
2214
                              ipaddr, sizeof(ipaddr),
2213
 
                              &rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr))
 
2215
                              &rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr) < 0)
2214
2216
                goto err_exit;
2215
2217
 
2216
2218
            virBufferAsprintf(&buf,
2222
2224
            if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)) {
2223
2225
                if (printDataType(vars,
2224
2226
                                  number, sizeof(number),
2225
 
                                  &rule->p.ipHdrFilter.ipHdr.dataSrcIPMask))
 
2227
                                  &rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)
 
2228
                    < 0)
2226
2229
                    goto err_exit;
2227
2230
                virBufferAsprintf(&buf,
2228
2231
                             "/%s",
2234
2237
 
2235
2238
            if (printDataType(vars,
2236
2239
                              ipaddr, sizeof(ipaddr),
2237
 
                              &rule->p.ipHdrFilter.ipHdr.dataDstIPAddr))
 
2240
                              &rule->p.ipHdrFilter.ipHdr.dataDstIPAddr) < 0)
2238
2241
                goto err_exit;
2239
2242
 
2240
2243
            virBufferAsprintf(&buf,
2246
2249
            if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPMask)) {
2247
2250
                if (printDataType(vars,
2248
2251
                                  number, sizeof(number),
2249
 
                                  &rule->p.ipHdrFilter.ipHdr.dataDstIPMask))
 
2252
                                  &rule->p.ipHdrFilter.ipHdr.dataDstIPMask)
 
2253
                    < 0)
2250
2254
                    goto err_exit;
2251
2255
                virBufferAsprintf(&buf,
2252
2256
                                  "/%s",
2257
2261
        if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataProtocolID)) {
2258
2262
            if (printDataType(vars,
2259
2263
                              number, sizeof(number),
2260
 
                              &rule->p.ipHdrFilter.ipHdr.dataProtocolID))
 
2264
                              &rule->p.ipHdrFilter.ipHdr.dataProtocolID) < 0)
2261
2265
                goto err_exit;
2262
2266
 
2263
2267
            virBufferAsprintf(&buf,
2270
2274
 
2271
2275
            if (printDataType(vars,
2272
2276
                              number, sizeof(number),
2273
 
                              &rule->p.ipHdrFilter.portData.dataSrcPortStart))
 
2277
                              &rule->p.ipHdrFilter.portData.dataSrcPortStart)
 
2278
                < 0)
2274
2279
                goto err_exit;
2275
2280
 
2276
2281
            virBufferAsprintf(&buf,
2282
2287
            if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortEnd)) {
2283
2288
                if (printDataType(vars,
2284
2289
                                  number, sizeof(number),
2285
 
                                  &rule->p.ipHdrFilter.portData.dataSrcPortEnd))
 
2290
                                  &rule->p.ipHdrFilter.portData.dataSrcPortEnd)
 
2291
                    < 0)
2286
2292
                    goto err_exit;
2287
2293
 
2288
2294
                virBufferAsprintf(&buf,
2295
2301
 
2296
2302
            if (printDataType(vars,
2297
2303
                              number, sizeof(number),
2298
 
                              &rule->p.ipHdrFilter.portData.dataDstPortStart))
 
2304
                              &rule->p.ipHdrFilter.portData.dataDstPortStart)
 
2305
                < 0)
2299
2306
                goto err_exit;
2300
2307
 
2301
2308
            virBufferAsprintf(&buf,
2307
2314
            if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataDstPortEnd)) {
2308
2315
                if (printDataType(vars,
2309
2316
                                number, sizeof(number),
2310
 
                                &rule->p.ipHdrFilter.portData.dataDstPortEnd))
 
2317
                                &rule->p.ipHdrFilter.portData.dataDstPortEnd)
 
2318
                    < 0)
2311
2319
                    goto err_exit;
2312
2320
 
2313
2321
                virBufferAsprintf(&buf,
2319
2327
        if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDSCP)) {
2320
2328
            if (printDataTypeAsHex(vars,
2321
2329
                                   number, sizeof(number),
2322
 
                                   &rule->p.ipHdrFilter.ipHdr.dataDSCP))
 
2330
                                   &rule->p.ipHdrFilter.ipHdr.dataDSCP) < 0)
2323
2331
                goto err_exit;
2324
2332
 
2325
2333
            virBufferAsprintf(&buf,
2337
2345
        if (ebtablesHandleEthHdr(&buf,
2338
2346
                                 vars,
2339
2347
                                 &rule->p.ipv6HdrFilter.ethHdr,
2340
 
                                 reverse))
 
2348
                                 reverse) < 0)
2341
2349
            goto err_exit;
2342
2350
 
2343
2351
        virBufferAddLit(&buf,
2346
2354
        if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) {
2347
2355
            if (printDataType(vars,
2348
2356
                              ipv6addr, sizeof(ipv6addr),
2349
 
                              &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr))
 
2357
                              &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr) < 0)
2350
2358
                goto err_exit;
2351
2359
 
2352
2360
            virBufferAsprintf(&buf,
2358
2366
            if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)) {
2359
2367
                if (printDataType(vars,
2360
2368
                                  number, sizeof(number),
2361
 
                                  &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask))
 
2369
                                  &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)
 
2370
                    < 0)
2362
2371
                    goto err_exit;
2363
2372
                virBufferAsprintf(&buf,
2364
2373
                             "/%s",
2370
2379
 
2371
2380
            if (printDataType(vars,
2372
2381
                              ipv6addr, sizeof(ipv6addr),
2373
 
                              &rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr))
 
2382
                              &rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr) < 0)
2374
2383
                goto err_exit;
2375
2384
 
2376
2385
            virBufferAsprintf(&buf,
2382
2391
            if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)) {
2383
2392
                if (printDataType(vars,
2384
2393
                                  number, sizeof(number),
2385
 
                                  &rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask))
 
2394
                                  &rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)
 
2395
                    < 0)
2386
2396
                    goto err_exit;
2387
2397
                virBufferAsprintf(&buf,
2388
2398
                                  "/%s",
2393
2403
        if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID)) {
2394
2404
            if (printDataType(vars,
2395
2405
                              number, sizeof(number),
2396
 
                              &rule->p.ipv6HdrFilter.ipHdr.dataProtocolID))
 
2406
                              &rule->p.ipv6HdrFilter.ipHdr.dataProtocolID) < 0)
2397
2407
                goto err_exit;
2398
2408
 
2399
2409
            virBufferAsprintf(&buf,
2406
2416
 
2407
2417
            if (printDataType(vars,
2408
2418
                              number, sizeof(number),
2409
 
                              &rule->p.ipv6HdrFilter.portData.dataSrcPortStart))
 
2419
                              &rule->p.ipv6HdrFilter.portData.dataSrcPortStart)
 
2420
                < 0)
2410
2421
                goto err_exit;
2411
2422
 
2412
2423
            virBufferAsprintf(&buf,
2418
2429
            if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)) {
2419
2430
                if (printDataType(vars,
2420
2431
                                  number, sizeof(number),
2421
 
                                  &rule->p.ipv6HdrFilter.portData.dataSrcPortEnd))
 
2432
                                  &rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)
 
2433
                    < 0)
2422
2434
                    goto err_exit;
2423
2435
 
2424
2436
                virBufferAsprintf(&buf,
2431
2443
 
2432
2444
            if (printDataType(vars,
2433
2445
                              number, sizeof(number),
2434
 
                              &rule->p.ipv6HdrFilter.portData.dataDstPortStart))
 
2446
                              &rule->p.ipv6HdrFilter.portData.dataDstPortStart)
 
2447
                < 0)
2435
2448
                goto err_exit;
2436
2449
 
2437
2450
            virBufferAsprintf(&buf,
2443
2456
            if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataDstPortEnd)) {
2444
2457
                if (printDataType(vars,
2445
2458
                                  number, sizeof(number),
2446
 
                                  &rule->p.ipv6HdrFilter.portData.dataDstPortEnd))
 
2459
                                  &rule->p.ipv6HdrFilter.portData.dataDstPortEnd)
 
2460
                    < 0)
2447
2461
                    goto err_exit;
2448
2462
 
2449
2463
                virBufferAsprintf(&buf,
2510
2524
 * Convert a single rule into its representation for later instantiation
2511
2525
 *
2512
2526
 * Returns 0 in case of success with the result stored in the data structure
2513
 
 * pointed to by res, != 0 otherwise.
 
2527
 * pointed to by res, -1 otherwise
2514
2528
 */
2515
2529
static int
2516
2530
ebiptablesCreateRuleInstance(enum virDomainNetType nettype ATTRIBUTE_UNUSED,
2542
2556
                                            vars,
2543
2557
                                            res,
2544
2558
                                            rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT);
2545
 
            if (rc)
 
2559
            if (rc < 0)
2546
2560
                return rc;
2547
2561
        }
2548
2562
 
2596
2610
    case VIR_NWFILTER_RULE_PROTOCOL_LAST:
2597
2611
        virNWFilterReportError(VIR_ERR_OPERATION_FAILED,
2598
2612
                               "%s", _("illegal protocol type"));
2599
 
        rc = 1;
 
2613
        rc = -1;
2600
2614
    break;
2601
2615
    }
2602
2616
 
2619
2633
     * iterate over all combinations of the variables' values and instantiate
2620
2634
     * the filtering rule with each combination.
2621
2635
     */
2622
 
    vciter = virNWFilterVarCombIterCreate(vars, rule->vars, rule->nvars);
 
2636
    vciter = virNWFilterVarCombIterCreate(vars,
 
2637
                                          rule->varAccess, rule->nVarAccess);
2623
2638
    if (!vciter)
2624
 
        return 1;
 
2639
        return -1;
2625
2640
 
2626
2641
    do {
2627
2642
        rc = ebiptablesCreateRuleInstance(nettype,
2630
2645
                                          ifname,
2631
2646
                                          vciter,
2632
2647
                                          res);
2633
 
        if (rc)
 
2648
        if (rc < 0)
2634
2649
            break;
2635
2650
        vciter = virNWFilterVarCombIterNext(vciter);
2636
2651
    } while (vciter != NULL);
2873
2888
        protostr = strdup("");
2874
2889
        break;
2875
2890
    case L2_PROTO_STP_IDX:
2876
 
        virAsprintf(&protostr, "-d " NWFILTER_MAC_BGA " ");
 
2891
        ignore_value(virAsprintf(&protostr, "-d " NWFILTER_MAC_BGA " "));
2877
2892
        break;
2878
2893
    default:
2879
 
        virAsprintf(&protostr, "-p 0x%04x ", l3_protocols[protoidx].attr);
 
2894
        ignore_value(virAsprintf(&protostr, "-p 0x%04x ",
 
2895
                     l3_protocols[protoidx].attr));
2880
2896
        break;
2881
2897
    }
2882
2898
 
3082
3098
 */
3083
3099
static int
3084
3100
ebiptablesCanApplyBasicRules(void) {
3085
 
    return (ebtables_cmd_path != NULL);
 
3101
    return ebtables_cmd_path != NULL;
3086
3102
}
3087
3103
 
3088
3104
/**
3092
3108
 * @macaddr: MAC address the VM is using in packets sent through the
3093
3109
 *    interface
3094
3110
 *
3095
 
 * Returns 0 on success, 1 on failure with the rules removed
 
3111
 * Returns 0 on success, -1 on failure with the rules removed
3096
3112
 *
3097
3113
 * Apply basic filtering rules on the given interface
3098
3114
 * - filtering for MAC address spoofing
3111
3127
        virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
3112
3128
                               _("cannot create rules since ebtables tool is "
3113
3129
                                 "missing."));
3114
 
        return 1;
 
3130
        return -1;
3115
3131
    }
3116
3132
 
3117
 
    virFormatMacAddr(macaddr, macaddr_str);
 
3133
    virMacAddrFormat(macaddr, macaddr_str);
3118
3134
 
3119
3135
    ebiptablesAllTeardown(ifname);
3120
3136
 
3170
3186
                           "%s",
3171
3187
                           _("Some rules could not be created."));
3172
3188
 
3173
 
    return 1;
 
3189
    return -1;
3174
3190
}
3175
3191
 
3176
3192
 
3180
3196
 * @ifname: name of the backend-interface to which to apply the rules
3181
3197
 * @macaddr: MAC address the VM is using in packets sent through the
3182
3198
 *    interface
3183
 
 * @dhcpserver: The DHCP server from which the VM may receive traffic
 
3199
 * @dhcpsrvrs: The DHCP server(s) from which the VM may receive traffic
3184
3200
 *    from; may be NULL
3185
3201
 * @leaveTemporary: Whether to leave the table names with their temporary
3186
3202
 *    names (true) or also perform the renaming to their final names as
3187
3203
 *    part of this call (false)
3188
3204
 *
3189
 
 * Returns 0 on success, 1 on failure with the rules removed
 
3205
 * Returns 0 on success, -1 on failure with the rules removed
3190
3206
 *
3191
3207
 * Apply filtering rules so that the VM can only send and receive
3192
3208
 * DHCP traffic and nothing else.
3194
3210
static int
3195
3211
ebtablesApplyDHCPOnlyRules(const char *ifname,
3196
3212
                           const unsigned char *macaddr,
3197
 
                           const char *dhcpserver,
 
3213
                           virNWFilterVarValuePtr dhcpsrvrs,
3198
3214
                           bool leaveTemporary)
3199
3215
{
3200
3216
    virBuffer buf = VIR_BUFFER_INITIALIZER;
3201
3217
    char chain_in [MAX_CHAINNAME_LENGTH],
3202
3218
         chain_out[MAX_CHAINNAME_LENGTH];
3203
3219
    char macaddr_str[VIR_MAC_STRING_BUFLEN];
3204
 
    char *srcIPParam = NULL;
 
3220
    unsigned int idx = 0;
 
3221
    unsigned int num_dhcpsrvrs;
3205
3222
 
3206
3223
    if (!ebtables_cmd_path) {
3207
3224
        virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
3208
3225
                               _("cannot create rules since ebtables tool is "
3209
3226
                                 "missing."));
3210
 
        return 1;
3211
 
    }
3212
 
 
3213
 
    if (dhcpserver) {
3214
 
        virBufferAsprintf(&buf, " --ip-src %s", dhcpserver);
3215
 
        if (virBufferError(&buf))
3216
 
            return 1;
3217
 
        srcIPParam = virBufferContentAndReset(&buf);
3218
 
    }
3219
 
 
3220
 
    virFormatMacAddr(macaddr, macaddr_str);
 
3227
        return -1;
 
3228
    }
 
3229
 
 
3230
    virMacAddrFormat(macaddr, macaddr_str);
3221
3231
 
3222
3232
    ebiptablesAllTeardown(ifname);
3223
3233
 
3231
3241
 
3232
3242
    virBufferAsprintf(&buf,
3233
3243
                      CMD_DEF("$EBT -t nat -A %s"
3234
 
                              " -s %s -d Broadcast "
 
3244
                              " -s %s"
3235
3245
                              " -p ipv4 --ip-protocol udp"
3236
 
                              " --ip-src 0.0.0.0 --ip-dst 255.255.255.255"
3237
3246
                              " --ip-sport 68 --ip-dport 67"
3238
3247
                              " -j ACCEPT") CMD_SEPARATOR
3239
3248
                      CMD_EXEC
3251
3260
                      chain_in,
3252
3261
                      CMD_STOPONERR(1));
3253
3262
 
3254
 
    virBufferAsprintf(&buf,
3255
 
                      CMD_DEF("$EBT -t nat -A %s"
3256
 
                              " -d %s"
3257
 
                              " -p ipv4 --ip-protocol udp"
3258
 
                              " %s"
3259
 
                              " --ip-sport 67 --ip-dport 68"
3260
 
                              " -j ACCEPT") CMD_SEPARATOR
3261
 
                      CMD_EXEC
3262
 
                      "%s",
3263
 
 
3264
 
                      chain_out,
3265
 
                      macaddr_str,
3266
 
                      srcIPParam != NULL ? srcIPParam : "",
3267
 
                      CMD_STOPONERR(1));
 
3263
    num_dhcpsrvrs = (dhcpsrvrs != NULL)
 
3264
                    ? virNWFilterVarValueGetCardinality(dhcpsrvrs)
 
3265
                    : 0;
 
3266
 
 
3267
    while (true) {
 
3268
        char *srcIPParam = NULL;
 
3269
 
 
3270
        if (idx < num_dhcpsrvrs) {
 
3271
            const char *dhcpserver;
 
3272
 
 
3273
            dhcpserver = virNWFilterVarValueGetNthValue(dhcpsrvrs, idx);
 
3274
 
 
3275
            if (virAsprintf(&srcIPParam, "--ip-src %s", dhcpserver) < 0) {
 
3276
                virReportOOMError();
 
3277
                goto tear_down_tmpebchains;
 
3278
            }
 
3279
        }
 
3280
 
 
3281
        virBufferAsprintf(&buf,
 
3282
                          CMD_DEF("$EBT -t nat -A %s"
 
3283
                                  " -d %s"
 
3284
                                  " -p ipv4 --ip-protocol udp"
 
3285
                                  " %s"
 
3286
                                  " --ip-sport 67 --ip-dport 68"
 
3287
                                  " -j ACCEPT") CMD_SEPARATOR
 
3288
                          CMD_EXEC
 
3289
                          "%s",
 
3290
 
 
3291
                          chain_out,
 
3292
                          macaddr_str,
 
3293
                          srcIPParam != NULL ? srcIPParam : "",
 
3294
                          CMD_STOPONERR(1));
 
3295
 
 
3296
        VIR_FREE(srcIPParam);
 
3297
 
 
3298
        if (idx == num_dhcpsrvrs)
 
3299
            break;
 
3300
 
 
3301
        idx++;
 
3302
    }
3268
3303
 
3269
3304
    virBufferAsprintf(&buf,
3270
3305
                      CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR
3285
3320
    if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)
3286
3321
        goto tear_down_tmpebchains;
3287
3322
 
3288
 
    VIR_FREE(srcIPParam);
3289
 
 
3290
3323
    return 0;
3291
3324
 
3292
3325
tear_down_tmpebchains:
3296
3329
                           "%s",
3297
3330
                           _("Some rules could not be created."));
3298
3331
 
3299
 
    VIR_FREE(srcIPParam);
3300
 
 
3301
 
    return 1;
 
3332
    return -1;
3302
3333
}
3303
3334
 
3304
3335
 
3307
3338
 *
3308
3339
 * @ifname: name of the backend-interface to which to apply the rules
3309
3340
 *
3310
 
 * Returns 0 on success, 1 on failure with the rules removed
 
3341
 * Returns 0 on success, -1 on failure with the rules removed
3311
3342
 *
3312
3343
 * Apply filtering rules so that the VM cannot receive or send traffic.
3313
3344
 */
3322
3353
        virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
3323
3354
                               _("cannot create rules since ebtables tool is "
3324
3355
                                 "missing."));
3325
 
        return 1;
 
3356
        return -1;
3326
3357
    }
3327
3358
 
3328
3359
    ebiptablesAllTeardown(ifname);
3368
3399
                           "%s",
3369
3400
                           _("Some rules could not be created."));
3370
3401
 
3371
 
    return 1;
 
3402
    return -1;
3372
3403
}
3373
3404
 
3374
3405
 
3429
3460
    }
3430
3461
normal:
3431
3462
    /* priorities are limited to range [-1000, 1000] */
3432
 
    return (insta->priority - instb->priority);
 
3463
    return insta->priority - instb->priority;
3433
3464
}
3434
3465
 
3435
3466
static int
3559
3590
    int nEbtChains = 0;
3560
3591
    char *errmsg = NULL;
3561
3592
 
 
3593
    if (inst == NULL)
 
3594
        nruleInstances = 0;
 
3595
 
3562
3596
    if (!chains_in_set || !chains_out_set) {
3563
3597
        virReportOOMError();
3564
3598
        goto exit_free_sets;
3575
3609
            const char *name = inst[i]->neededProtocolChain;
3576
3610
            if (inst[i]->chainprefix == CHAINPREFIX_HOST_IN_TEMP) {
3577
3611
                if (virHashUpdateEntry(chains_in_set, name,
3578
 
                                       &inst[i]->chainPriority)) {
 
3612
                                       &inst[i]->chainPriority) < 0) {
3579
3613
                    virReportOOMError();
3580
3614
                    goto exit_free_sets;
3581
3615
                }
3582
3616
            } else {
3583
3617
                if (virHashUpdateEntry(chains_out_set, name,
3584
 
                                       &inst[i]->chainPriority)) {
 
3618
                                       &inst[i]->chainPriority) < 0) {
3585
3619
                    virReportOOMError();
3586
3620
                    goto exit_free_sets;
3587
3621
                }
3605
3639
    NWFILTER_SET_EBTABLES_SHELLVAR(&buf);
3606
3640
 
3607
3641
    /* create needed chains */
3608
 
    if (ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1,
3609
 
                                          &ebtChains, &nEbtChains) ||
3610
 
        ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_out_set, 0,
3611
 
                                          &ebtChains, &nEbtChains)) {
 
3642
    if ((virHashSize(chains_in_set) > 0 &&
 
3643
         ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1,
 
3644
                                           &ebtChains, &nEbtChains) < 0) ||
 
3645
        (virHashSize(chains_out_set) > 0 &&
 
3646
         ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_out_set, 0,
 
3647
                                           &ebtChains, &nEbtChains) < 0)) {
3612
3648
        goto tear_down_tmpebchains;
3613
3649
    }
3614
3650
 
3809
3845
 
3810
3846
    VIR_FREE(errmsg);
3811
3847
 
3812
 
    return 1;
 
3848
    return -1;
3813
3849
}
3814
3850
 
3815
3851
 
3905
3941
 *
3906
3942
 * Remove all rules one after the other
3907
3943
 *
3908
 
 * Return 0 on success, 1 if execution of one or more cleanup
 
3944
 * Return 0 on success, -1 if execution of one or more cleanup
3909
3945
 * commands failed.
3910
3946
 */
3911
3947
static int
3927
3963
                              'D', -1,
3928
3964
                              0);
3929
3965
 
3930
 
    if (ebiptablesExecCLI(&buf, &cli_status, NULL))
 
3966
    if (ebiptablesExecCLI(&buf, &cli_status, NULL) < 0)
3931
3967
        goto err_exit;
3932
3968
 
3933
3969
    if (cli_status) {
3934
3970
        virNWFilterReportError(VIR_ERR_BUILD_FIREWALL,
3935
3971
                               "%s",
3936
3972
                               _("error while executing CLI commands"));
3937
 
        rc = 1;
 
3973
        rc = -1;
3938
3974
    }
3939
3975
 
3940
3976
err_exit:
4018
4054
ebiptablesDriverInit(bool privileged)
4019
4055
{
4020
4056
    virBuffer buf = VIR_BUFFER_INITIALIZER;
 
4057
    char *errmsg = NULL;
4021
4058
 
4022
4059
    if (!privileged)
4023
4060
        return 0;
4024
4061
 
4025
 
    if (virMutexInit(&execCLIMutex))
4026
 
        return EINVAL;
 
4062
    if (virMutexInit(&execCLIMutex) < 0)
 
4063
        return -EINVAL;
4027
4064
 
4028
4065
    gawk_cmd_path = virFindFileInPath("awk");
4029
4066
    grep_cmd_path = virFindFileInPath("grep");
4038
4075
                          "%s",
4039
4076
                          CMD_STOPONERR(1));
4040
4077
 
4041
 
        if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)
4042
 
             VIR_FREE(ebtables_cmd_path);
 
4078
        if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) {
 
4079
            VIR_FREE(ebtables_cmd_path);
 
4080
            VIR_ERROR(_("Testing of ebtables command failed: %s"),
 
4081
                      errmsg);
 
4082
        }
 
4083
    } else {
 
4084
        VIR_WARN("Could not find 'ebtables' executable");
4043
4085
    }
4044
4086
 
4045
4087
    iptables_cmd_path = virFindFileInPath("iptables");
4052
4094
                          "%s",
4053
4095
                          CMD_STOPONERR(1));
4054
4096
 
4055
 
        if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)
4056
 
             VIR_FREE(iptables_cmd_path);
 
4097
        if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) {
 
4098
            VIR_FREE(iptables_cmd_path);
 
4099
            VIR_ERROR(_("Testing of iptables command failed: %s"),
 
4100
                      errmsg);
 
4101
        }
 
4102
    } else {
 
4103
        VIR_WARN("Could not find 'iptables' executable");
4057
4104
    }
4058
4105
 
4059
4106
    ip6tables_cmd_path = virFindFileInPath("ip6tables");
4066
4113
                          "%s",
4067
4114
                          CMD_STOPONERR(1));
4068
4115
 
4069
 
        if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)
4070
 
             VIR_FREE(ip6tables_cmd_path);
 
4116
        if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) {
 
4117
            VIR_FREE(ip6tables_cmd_path);
 
4118
            VIR_ERROR(_("Testing of ip6tables command failed: %s"),
 
4119
                      errmsg);
 
4120
        }
 
4121
    } else {
 
4122
        VIR_WARN("Could not find 'ip6tables' executable");
4071
4123
    }
4072
4124
 
4073
4125
    /* ip(6)tables support needs gawk & grep, ebtables doesn't */
4074
4126
    if ((iptables_cmd_path != NULL || ip6tables_cmd_path != NULL) &&
4075
4127
        (!grep_cmd_path || !gawk_cmd_path)) {
4076
 
        virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
4077
 
                               _("essential tools to support ip(6)tables "
4078
 
                                 "firewalls could not be located"));
 
4128
        VIR_ERROR(_("essential tools to support ip(6)tables "
 
4129
                  "firewalls could not be located"));
4079
4130
        VIR_FREE(iptables_cmd_path);
4080
4131
        VIR_FREE(ip6tables_cmd_path);
4081
4132
    }
4082
4133
 
 
4134
    VIR_FREE(errmsg);
4083
4135
 
4084
4136
    if (!ebtables_cmd_path && !iptables_cmd_path && !ip6tables_cmd_path) {
4085
 
        virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, "%s",
4086
 
                               _("firewall tools were not found or "
4087
 
                                 "cannot be used"));
 
4137
        VIR_ERROR(_("firewall tools were not found or cannot be used"));
4088
4138
        ebiptablesDriverShutdown();
4089
 
        return ENOTSUP;
 
4139
        return -ENOTSUP;
4090
4140
    }
4091
4141
 
4092
4142
    ebiptables_driver.flags = TECHDRV_FLAG_INITIALIZED;