File revert-8b967198.patch of Package libvirt
commit 8b967198460e2343ebe0ada140a493ac2a584978
Author: Jim Fehlig <jfehlig@suse.com>
Date: Thu Apr 25 09:19:53 2019 -0600
Revert "util: create private chains for virtual network firewall rules"
This reverts commit 5f1e6a7d48c02e02ee50fc9d9818ac1db076f051. See bsc#1133229
Index: libvirt-5.1.0/src/libvirt_private.syms
===================================================================
--- libvirt-5.1.0.orig/src/libvirt_private.syms
+++ libvirt-5.1.0/src/libvirt_private.syms
@@ -2087,7 +2087,6 @@ iptablesRemoveOutputFixUdpChecksum;
 iptablesRemoveTcpInput;
 iptablesRemoveUdpInput;
 iptablesRemoveUdpOutput;
-iptablesSetupPrivateChains;
 # util/viriscsi.h
Index: libvirt-5.1.0/src/network/bridge_driver_linux.c
===================================================================
--- libvirt-5.1.0.orig/src/network/bridge_driver_linux.c
+++ libvirt-5.1.0/src/network/bridge_driver_linux.c
@@ -37,9 +37,6 @@ VIR_LOG_INIT("network.bridge_driver_linu
 int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
 {
- int ret = iptablesSetupPrivateChains();
- if (ret < 0)
- return -1;
 return 0;
 }
Index: libvirt-5.1.0/src/util/viriptables.c
===================================================================
--- libvirt-5.1.0.orig/src/util/viriptables.c
+++ libvirt-5.1.0/src/util/viriptables.c
@@ -37,7 +37,6 @@
 #include "virthread.h"
 #include "virstring.h"
 #include "virutil.h"
-#include "virhash.h"
 VIR_LOG_INIT("util.iptables");
@@ -49,136 +48,6 @@ enum {
 };
-typedef struct {
- const char *parent;
- const char *child;
-} iptablesGlobalChain;
-
-typedef struct {
- virFirewallLayer layer;
- const char *table;
- iptablesGlobalChain *chains;
- size_t nchains;
- bool *changed;
-} iptablesGlobalChainData;
-
-
-static int
-iptablesPrivateChainCreate(virFirewallPtr fw,
- virFirewallLayer layer,
- const char *const *lines,
- void *opaque)
-{
- iptablesGlobalChainData *data = opaque;
- virHashTablePtr chains = NULL;
- virHashTablePtr links = NULL;
- const char *const *tmp;
- int ret = -1;
- size_t i;
-
- if (!(chains = virHashCreate(50, NULL)))
- goto cleanup;
- if (!(links = virHashCreate(50, NULL)))
- goto cleanup;
-
- tmp = lines;
- while (tmp && *tmp) {
- if (STRPREFIX(*tmp, "-N ")) { /* eg "-N LIBVIRT_INP" */
- if (virHashUpdateEntry(chains, *tmp + 3, (void *)0x1) < 0)
- goto cleanup;
- } else if (STRPREFIX(*tmp, "-A ")) { /* eg "-A INPUT -j LIBVIRT_INP" */
- char *sep = strchr(*tmp + 3, ' ');
- if (sep) {
- *sep = '\0';
- if (STRPREFIX(sep + 1, "-j ")) {
- if (virHashUpdateEntry(links, sep + 4,
- (char *)*tmp + 3) < 0)
- goto cleanup;
- }
- }
- }
- tmp++;
- }
-
- for (i = 0; i < data->nchains; i++) {
- const char *from;
- if (!virHashLookup(chains, data->chains[i].child)) {
- virFirewallAddRule(fw, layer,
- "--table", data->table,
- "--new-chain", data->chains[i].child, NULL);
- *data->changed = true;
- }
-
- from = virHashLookup(links, data->chains[i].child);
- if (!from || STRNEQ(from, data->chains[i].parent))
- virFirewallAddRule(fw, layer,
- "--table", data->table,
- "--insert", data->chains[i].parent,
- "--jump", data->chains[i].child, NULL);
- }
-
- ret = 0;
- cleanup:
- virHashFree(chains);
- virHashFree(links);
- return ret;
-}
-
-
-int
-iptablesSetupPrivateChains(void)
-{
- virFirewallPtr fw = NULL;
- int ret = -1;
- iptablesGlobalChain filter_chains[] = {
- {"INPUT", "LIBVIRT_INP"},
- {"OUTPUT", "LIBVIRT_OUT"},
- {"FORWARD", "LIBVIRT_FWO"},
- {"FORWARD", "LIBVIRT_FWI"},
- {"FORWARD", "LIBVIRT_FWX"},
- };
- iptablesGlobalChain natmangle_chains[] = {
- {"POSTROUTING", "LIBVIRT_PRT"},
- };
- bool changed = false;
- iptablesGlobalChainData data[] = {
- { VIR_FIREWALL_LAYER_IPV4, "filter",
- filter_chains, ARRAY_CARDINALITY(filter_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV4, "nat",
- natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV4, "mangle",
- natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV6, "filter",
- filter_chains, ARRAY_CARDINALITY(filter_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV6, "nat",
- natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
- { VIR_FIREWALL_LAYER_IPV6, "mangle",
- natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed },
- };
- size_t i;
-
- fw = virFirewallNew();
-
- virFirewallStartTransaction(fw, 0);
-
- for (i = 0; i < ARRAY_CARDINALITY(data); i++)
- virFirewallAddRuleFull(fw, data[i].layer,
- false, iptablesPrivateChainCreate,
- &(data[i]), "--table", data[i].table,
- "--list-rules", NULL);
-
- if (virFirewallApply(fw) < 0)
- goto cleanup;
-
- ret = changed ? 1 : 0;
-
- cleanup:
-
- virFirewallFree(fw);
- return ret;
-}
-
-
 static void
 iptablesInput(virFirewallPtr fw,
 virFirewallLayer layer,
Index: libvirt-5.1.0/src/util/viriptables.h
===================================================================
--- libvirt-5.1.0.orig/src/util/viriptables.h
+++ libvirt-5.1.0/src/util/viriptables.h
@@ -24,8 +24,6 @@
 # include "virsocketaddr.h"
 # include "virfirewall.h"
-int iptablesSetupPrivateChains (void);
-
 void iptablesAddTcpInput (virFirewallPtr fw,
 virFirewallLayer layer,
 const char *iface,