[pve-devel] [PATCH] implement $ruleset->{iptables}->{filter}

Alexandre Derumier aderumier at odiso.com
Mon Jul 7 07:54:42 CEST 2014


Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 src/PVE/Firewall.pm |   36 ++++++++++++++++++++++++------------
 src/pve-firewall    |    4 ++--
 test/fwtester.pl    |    6 +++---
 3 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 27cf1e6..9265d5a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1516,36 +1516,48 @@ sub ruleset_generate_rule_insert {
 }
 
 sub ruleset_create_chain {
-    my ($ruleset, $chain) = @_;
+    my ($ruleset, $chain, $cmd, $table) = @_;
+
+   $cmd = 'iptables' if !$cmd;
+   $table = 'filter' if !$table;
 
     die "Invalid chain name '$chain' (28 char max)\n" if length($chain) > 28;
     die "chain name may not contain collons\n" if $chain =~ m/:/; # because of log format
 
-    die "chain '$chain' already exists\n" if $ruleset->{$chain};
+    die "chain '$chain' already exists\n" if $ruleset->{$cmd}->{$table}->{$chain};
 
-    $ruleset->{$chain} = [];
+    $ruleset->{$cmd}->{$table}->{$chain} = [];
 }
 
 sub ruleset_chain_exist {
-    my ($ruleset, $chain) = @_;
+    my ($ruleset, $chain, $cmd, $table) = @_;
+
+   $cmd = 'iptables' if !$cmd;
+   $table = 'filter' if !$table;
 
-    return $ruleset->{$chain} ? 1 : undef;
+    return $ruleset->{$cmd}->{$table}->{$chain} ? 1 : undef;
 }
 
 sub ruleset_addrule {
-   my ($ruleset, $chain, $rule) = @_;
+   my ($ruleset, $chain, $rule, $cmd, $table) = @_;
 
-   die "no such chain '$chain'\n" if !$ruleset->{$chain};
+   $cmd = 'iptables' if !$cmd;
+   $table = 'filter' if !$table;
 
-   push @{$ruleset->{$chain}}, "-A $chain $rule";
+   die "no such chain '$chain'\n" if !$ruleset->{$cmd}->{$table}->{$chain};
+
+   push @{$ruleset->{$cmd}->{$table}->{$chain}}, "-A $chain $rule";
 }
 
 sub ruleset_insertrule {
-   my ($ruleset, $chain, $rule) = @_;
+   my ($ruleset, $chain, $rule, $cmd, $table) = @_;
+
+   $cmd = 'iptables' if !$cmd;
+   $table = 'filter' if !$table;
 
-   die "no such chain '$chain'\n" if !$ruleset->{$chain};
+   die "no such chain '$chain'\n" if !$ruleset->{$cmd}->{$table}->{$chain};
 
-   unshift @{$ruleset->{$chain}}, "-A $chain $rule";
+   unshift @{$ruleset->{$cmd}->{$table}->{$chain}}, "-A $chain $rule";
 }
 
 sub get_log_rule_base {
@@ -3237,7 +3249,7 @@ sub update {
 
 	my ($ruleset, $ipset_ruleset) = compile($cluster_conf, $hostfw_conf);
 
-	apply_ruleset($ruleset, $hostfw_conf, $ipset_ruleset);
+	apply_ruleset($ruleset->{iptables}->{filter}, $hostfw_conf, $ipset_ruleset);
     };
 
     run_locked($code);
diff --git a/src/pve-firewall b/src/pve-firewall
index befee44..9d9f091 100755
--- a/src/pve-firewall
+++ b/src/pve-firewall
@@ -348,7 +348,7 @@ __PACKAGE__->register_method ({
 
 		$verbose = 0; # do not show iptables details
 		my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
-		my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
+		my ($test, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset->{iptables}->{filter}, $verbose);
 	      
 		$res->{changes} = ($ipset_changes || $ruleset_changes) ? 1 : 0;
 	    }
@@ -383,7 +383,7 @@ __PACKAGE__->register_method ({
 	    my ($ruleset, $ipset_ruleset) = PVE::Firewall::compile($cluster_conf, undef, undef, $verbose);
 
 	    my (undef, undef, $ipset_changes) = PVE::Firewall::get_ipset_cmdlist($ipset_ruleset, $verbose);
-	    my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset, $verbose);
+	    my (undef, $ruleset_changes) = PVE::Firewall::get_ruleset_cmdlist($ruleset->{iptables}->{filter}, $verbose);
 
 	    if ($ipset_changes || $ruleset_changes) {
 		print "detected changes\n";
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 8b66b3c..5965c02 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -63,7 +63,7 @@ sub run_tests {
 			next if $zone eq $test->{from};
 			$test->{to} = $zone;
 			PVE::FirewallSimulator::add_trace("Set Zone: to => '$zone'\n"); 
-			PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset, 
+			PVE::FirewallSimulator::simulate_firewall($ruleset->{iptables}->{filter}, $ipset_ruleset, 
 								  $host_ip, $vmdata, $test);
 		    }
 		} elsif (!defined($test->{from})) {
@@ -71,11 +71,11 @@ sub run_tests {
 			next if $zone eq $test->{to};
 			$test->{from} = $zone;
 			PVE::FirewallSimulator::add_trace("Set Zone: from => '$zone'\n"); 
-			PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset, 
+			PVE::FirewallSimulator::simulate_firewall($ruleset->{iptables}->{filter}, $ipset_ruleset, 
 								  $host_ip, $vmdata, $test);
 		    }
 		} else {
-		    PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset, 
+		    PVE::FirewallSimulator::simulate_firewall($ruleset->{iptables}->{filter}, $ipset_ruleset, 
 							      $host_ip, $vmdata, $test);
 		}
 	    };
-- 
1.7.10.4



More information about the pve-devel mailing list