From 477f1de37ff7c911048d8d5e7f7de32f12d30b5d Mon Sep 17 00:00:00 2001
Message-Id: <477f1de37ff7c911048d8d5e7f7de32f12d30b5d@dist-git>
From: Laine Stump <laine@laine.org>
Date: Fri, 1 Feb 2019 20:29:29 -0500
Subject: [PATCH] util: new virFirewallD APIs + docs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
virFirewallDGetBackend() reports whether firewalld is currently using
an iptables or an nftables backend.
virFirewallDGetVersion() learns the version of the firewalld running
on this system and returns it as 1000000*major + 1000*minor + micro.
virFirewallDGetZones() gets a list of all currently active firewalld
zones.
virFirewallDInterfaceSetZone() sets the firewalld zone of the given
interface.
virFirewallDZoneExists() can be used to learn whether or not a
particular zone is present and active in firewalld.
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 3bba4825c291e51a8cd4d497d6e919ac2ee96ff0)
Conflicts: src/util/virfirewalld.c - had to remove VIR_AUTO_PTR(), which doesn't
exist in libvirt 4.5.0, and replace with appropriately placed VIR_FREE()
https://bugzilla.redhat.com/1650320
Signed-off-by: Laine Stump <laine@laine.org>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
src/libvirt_private.syms | 5 +
src/util/virfirewalld.c | 223 +++++++++++++++++++++++++++++++++++++++
src/util/virfirewalld.h | 15 ++-
3 files changed, 242 insertions(+), 1 deletion(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 57948d8049..624151056a 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1905,7 +1905,12 @@ virFirewallStartTransaction;
# util/virfirewalld.h
virFirewallDApplyRule;
+virFirewallDGetBackend;
+virFirewallDGetVersion;
+virFirewallDGetZones;
+virFirewallDInterfaceSetZone;
virFirewallDIsRegistered;
+virFirewallDZoneExists;
# util/virfirmware.h
diff --git a/src/util/virfirewalld.c b/src/util/virfirewalld.c
index f27ec9c124..8dd6ac2b8a 100644
--- a/src/util/virfirewalld.c
+++ b/src/util/virfirewalld.c
@@ -22,6 +22,7 @@
#include <stdarg.h>
+#include "viralloc.h"
#include "virfirewall.h"
#include "virfirewalld.h"
#define LIBVIRT_VIRFIREWALLDPRIV_H_ALLOW
@@ -46,6 +47,14 @@ VIR_ENUM_IMPL(virFirewallLayerFirewallD, VIR_FIREWALL_LAYER_LAST,
);
+VIR_ENUM_DECL(virFirewallDBackend);
+VIR_ENUM_IMPL(virFirewallDBackend, VIR_FIREWALLD_BACKEND_LAST,
+ "",
+ "iptables",
+ "nftables",
+ );
+
+
/**
* virFirewallDIsRegistered:
*
@@ -57,6 +66,197 @@ virFirewallDIsRegistered(void)
return virDBusIsServiceRegistered(VIR_FIREWALL_FIREWALLD_SERVICE);
}
+/**
+ * virFirewallDGetVersion:
+ * @version: pointer to location to save version in the form of:
+ * 1000000 * major + 1000 * minor + micro
+ *
+ * queries the firewalld version property from dbus, and converts it
+ * from a string into a number.
+ *
+ * Returns 0 if version was successfully retrieved, or -1 on error
+ */
+int
+virFirewallDGetVersion(unsigned long *version)
+{
+ int ret = -1;
+ DBusConnection *sysbus = virDBusGetSystemBus();
+ DBusMessage *reply = NULL;
+ char * versionStr = NULL;
+
+ if (!sysbus)
+ return -1;
+
+ if (virDBusCallMethod(sysbus,
+ &reply,
+ NULL,
+ VIR_FIREWALL_FIREWALLD_SERVICE,
+ "/org/fedoraproject/FirewallD1",
+ "org.freedesktop.DBus.Properties",
+ "Get",
+ "ss",
+ "org.fedoraproject.FirewallD1",
+ "version") < 0)
+ goto cleanup;
+
+ if (virDBusMessageRead(reply, "v", "s", &versionStr) < 0)
+ goto cleanup;
+
+ if (virParseVersionString(versionStr, version, false) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Failed to parse firewalld version '%s'"),
+ versionStr);
+ goto cleanup;
+ }
+
+ VIR_DEBUG("FirewallD version: %s - %lu", versionStr, *version);
+
+ ret = 0;
+ cleanup:
+ VIR_FREE(versionStr);
+ virDBusMessageUnref(reply);
+ return ret;
+}
+
+/**
+ * virFirewallDGetBackend:
+ *
+ * Returns virVirewallDBackendType value representing which packet
+ * filtering backend is currently in use by firewalld, or -1 on error.
+ */
+int
+virFirewallDGetBackend(void)
+{
+ DBusConnection *sysbus = virDBusGetSystemBus();
+ DBusMessage *reply = NULL;
+ virError error;
+ char * backendStr = NULL;
+ int backend = -1;
+
+ if (!sysbus)
+ return -1;
+
+ memset(&error, 0, sizeof(error));
+
+ if (virDBusCallMethod(sysbus,
+ &reply,
+ &error,
+ VIR_FIREWALL_FIREWALLD_SERVICE,
+ "/org/fedoraproject/FirewallD1/config",
+ "org.freedesktop.DBus.Properties",
+ "Get",
+ "ss",
+ "org.fedoraproject.FirewallD1.config",
+ "FirewallBackend") < 0)
+ goto cleanup;
+
+ if (error.level == VIR_ERR_ERROR) {
+ /* we don't want to log any error in the case that
+ * FirewallBackend isn't implemented in this firewalld, since
+ * that just means that it is an old version, and only has an
+ * iptables backend.
+ */
+ VIR_DEBUG("Failed to get FirewallBackend setting, assuming 'iptables'");
+ backend = VIR_FIREWALLD_BACKEND_IPTABLES;
+ goto cleanup;
+ }
+
+ if (virDBusMessageRead(reply, "v", "s", &backendStr) < 0)
+ goto cleanup;
+
+ VIR_DEBUG("FirewallD backend: %s", backendStr);
+
+ if ((backend = virFirewallDBackendTypeFromString(backendStr)) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unrecognized firewalld backend type: %s"),
+ backendStr);
+ goto cleanup;
+ }
+
+ cleanup:
+ VIR_FREE(backendStr);
+ virResetError(&error);
+ virDBusMessageUnref(reply);
+ return backend;
+}
+
+
+/**
+ * virFirewallDGetZones:
+ * @zones: array of char *, each entry is a null-terminated zone name
+ * @nzones: number of entries in @zones
+ *
+ * Get the number of currently active firewalld zones, and their names
+ * in an array of null-terminated strings. The memory pointed to by
+ * @zones will belong to the caller, and must be freed.
+ *
+ * Returns 0 on success, -1 (and failure logged) on error
+ */
+int
+virFirewallDGetZones(char ***zones, size_t *nzones)
+{
+ DBusConnection *sysbus = virDBusGetSystemBus();
+ DBusMessage *reply = NULL;
+ int ret = -1;
+
+ *nzones = 0;
+ *zones = NULL;
+
+ if (!sysbus)
+ return -1;
+
+ if (virDBusCallMethod(sysbus,
+ &reply,
+ NULL,
+ VIR_FIREWALL_FIREWALLD_SERVICE,
+ "/org/fedoraproject/FirewallD1",
+ "org.fedoraproject.FirewallD1.zone",
+ "getZones",
+ NULL) < 0)
+ goto cleanup;
+
+ if (virDBusMessageRead(reply, "a&s", nzones, zones) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ virDBusMessageUnref(reply);
+ return ret;
+}
+
+
+/**
+ * virFirewallDZoneExists:
+ * @match: name of zone to look for
+ *
+ * Returns true if the requested zone exists, or false if it doesn't exist
+ */
+bool
+virFirewallDZoneExists(const char *match)
+{
+ size_t nzones = 0, i;
+ char **zones = NULL;
+ bool result = false;
+
+ return true;
+
+ if (virFirewallDGetZones(&zones, &nzones) < 0)
+ goto cleanup;
+
+ for (i = 0; i < nzones; i++) {
+ if (STREQ_NULLABLE(zones[i], match))
+ result = true;
+ }
+
+ cleanup:
+ VIR_DEBUG("Requested zone '%s' %s exist",
+ match, result ? "does" : "doesn't");
+ for (i = 0; i < nzones; i++)
+ VIR_FREE(zones[i]);
+ VIR_FREE(zones);
+ return result;
+}
+
/**
* virFirewallDApplyRule:
@@ -149,3 +349,26 @@ virFirewallDApplyRule(virFirewallLayer layer,
virDBusMessageUnref(reply);
return ret;
}
+
+
+int
+virFirewallDInterfaceSetZone(const char *iface,
+ const char *zone)
+{
+ DBusConnection *sysbus = virDBusGetSystemBus();
+ DBusMessage *reply = NULL;
+
+ if (!sysbus)
+ return -1;
+
+ return virDBusCallMethod(sysbus,
+ &reply,
+ NULL,
+ VIR_FIREWALL_FIREWALLD_SERVICE,
+ "/org/fedoraproject/FirewallD1",
+ "org.fedoraproject.FirewallD1.zone",
+ "changeZoneOfInterface",
+ "ss",
+ zone,
+ iface);
+}
diff --git a/src/util/virfirewalld.h b/src/util/virfirewalld.h
index 83fe1149cc..f05f5f2f08 100644
--- a/src/util/virfirewalld.h
+++ b/src/util/virfirewalld.h
@@ -23,11 +23,24 @@
# define VIR_FIREWALL_FIREWALLD_SERVICE "org.fedoraproject.FirewallD1"
-int virFirewallDIsRegistered(void);
+typedef enum {
+ VIR_FIREWALLD_BACKEND_NONE,
+ VIR_FIREWALLD_BACKEND_IPTABLES,
+ VIR_FIREWALLD_BACKEND_NFTABLES,
+ VIR_FIREWALLD_BACKEND_LAST,
+} virFirewallDBackendType;
+int virFirewallDGetVersion(unsigned long *version);
+int virFirewallDGetBackend(void);
+int virFirewallDIsRegistered(void);
+int virFirewallDGetZones(char ***zones, size_t *nzones);
+bool virFirewallDZoneExists(const char *match);
int virFirewallDApplyRule(virFirewallLayer layer,
char **args, size_t argsLen,
bool ignoreErrors,
char **output);
+int virFirewallDInterfaceSetZone(const char *iface,
+ const char *zone);
+
#endif /* LIBVIRT_VIRFIREWALLD_H */
--
2.20.1