[libvirt] [PATCH 2/2] nwfilter: use shell variable to invoke 'ip(6)tables' command

2011-11-21 Thread Stefan Berger
Introduce a shell variable 'IPT' to invoke the ip(6)tables command.

Tested with libvirt-tck.

---
 src/nwfilter/nwfilter_ebiptables_driver.c |  313 ++
 1 file changed, 155 insertions(+), 158 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -146,6 +146,10 @@ static const char ebiptables_script_set_
 
 #define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \
 virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path);
+#define NWFILTER_SET_IPTABLES_SHELLVAR(BUFPTR) \
+virBufferAsprintf(BUFPTR, "IPT=%s\n", iptables_cmd_path);
+#define NWFILTER_SET_IP6TABLES_SHELLVAR(BUFPTR) \
+virBufferAsprintf(BUFPTR, "IPT=%s\n", ip6tables_cmd_path);
 
 #define VIRT_IN_CHAIN  "libvirt-in"
 #define VIRT_OUT_CHAIN "libvirt-out"
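Review bot: NWFILTER_SET_IP6TABLES_SHELLVAR (L22-L23) assigns the same shell variable `IPT` as NWFILTER_SET_IPTABLES_SHELLVAR, so a script that expands both macros into one buffer has the second assignment silently override the first. That looks intentional, since every helper in this file references only `$IPT` and the same generators serve both address families, but nothing on the page says so. A comment above the pair, e.g. `/* Both macros set IPT: the rule generators reference only $IPT, so a given script targets either iptables or ip6tables, never both. */`, would stop the next reader from treating it as a copy-paste error.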
@@ -493,66 +497,60 @@ ebtablesHandleEthHdr(virBufferPtr buf,
 
 / iptables support /
 
-static int iptablesLinkIPTablesBaseChain(const char *iptables_cmd,
- virBufferPtr buf,
+static int iptablesLinkIPTablesBaseChain(virBufferPtr buf,
  const char *udchain,
  const char *syschain,
  unsigned int pos,
  int stopOnError)
 {
 virBufferAsprintf(buf,
-  "res=$(%s -L %s -n --line-number | "
+  "res=$($IPT -L %s -n --line-number | "
   "%s \" %s \")\n"
   "if [ $? -ne 0 ]; then\n"
-  "  %s -I %s %d -j %s\n"
+  "  $IPT -I %s %d -j %s\n"
   "else\n"
   "  r=$(echo $res | %s '{print $1}')\n"
   "  if [ \"${r}\" != \"%d\" ]; then\n"
-  "" CMD_DEF("%s -I %s %d -j %s") CMD_SEPARATOR
+  "" CMD_DEF("$IPT -I %s %d -j %s") CMD_SEPARATOR
   "" CMD_EXEC
   "%s"
   "r=$(( $r + 1 ))\n"
-  "" CMD_DEF("%s -D %s ${r}") CMD_SEPARATOR
+  "" CMD_DEF("$IPT -D %s ${r}") CMD_SEPARATOR
   "" CMD_EXEC
   "%s"
   "  fi\n"
   "fi\n",
 
-  iptables_cmd, syschain,
+  syschain,
   grep_cmd_path, udchain,
 
-  iptables_cmd, syschain, pos, udchain,
+  syschain, pos, udchain,
   gawk_cmd_path,
 
   pos,
 
-  iptables_cmd, syschain, pos, udchain,
+  syschain, pos, udchain,
   CMD_STOPONERR(stopOnError),
 
-  iptables_cmd, syschain,
+  syschain,
   CMD_STOPONERR(stopOnError));
 return 0;
 }
 
 
-static int iptablesCreateBaseChains(const char *iptables_cmd,
-virBufferPtr buf)
+static int iptablesCreateBaseChains(virBufferPtr buf)
 {
-virBufferAsprintf(buf,"%s -N " VIRT_IN_CHAIN  CMD_SEPARATOR
-  "%s -N " VIRT_OUT_CHAIN CMD_SEPARATOR
-  "%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
-  "%s -N " HOST_IN_CHAIN  CMD_SEPARATOR,
-  iptables_cmd,
-  iptables_cmd,
-  iptables_cmd,
-  iptables_cmd);
-iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
+virBufferAddLit(buf, "$IPT -N " VIRT_IN_CHAIN  CMD_SEPARATOR
+ "$IPT -N " VIRT_OUT_CHAIN CMD_SEPARATOR
+ "$IPT -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR
+ "$IPT -N " HOST_IN_CHAIN  CMD_SEPARATOR);
+iptablesLinkIPTablesBaseChain(buf,
   VIRT_IN_CHAIN , "FORWARD", 1, 1);
-iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
+iptablesLinkIPTablesBaseChain(buf,
   VIRT_OUT_CHAIN, "FORWARD", 2, 1);
-iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
+iptablesLinkIPTablesBaseChain(buf,
   VIRT_IN_POST_CHAIN, "FORWARD", 3, 1);
-iptablesLinkIPTablesBaseChain(iptables_cmd, buf,
+iptablesLinkIPTablesBaseChain(buf,
   HOST_IN_CHAIN , "INPUT"  , 1, 1);
 
 return 0;
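Review bot: iptablesLinkIPTablesBaseChain and iptablesCreateBaseChains now emit shell that references `$IPT` and therefore depend on an `IPT=...` assignment already being present in buf, but the dropped iptables_cmd parameter was the only thing that made that dependency visible and neither function documents it. A header comment on iptablesLinkIPTablesBaseChain such as `/* Emits shell referencing $IPT; the caller must have written NWFILTER_SET_IPTABLES_SHELLVAR or NWFILTER_SET_IP6TABLES_SHELLVAR into buf first. */` would make the precondition explicit; the same applies to iptablesCreateBaseChains. Both functions return 0 unconditionally, so a caller cannot tell whether the buffer append succeeded, though that predates this change.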
@@ -560,8 +558,7 @@ static int iptablesCreateBaseChains(cons
 
 
 static int
-iptablesCreateTmpRootChain(const char *iptables_cmd,
-   virBufferPtr buf,
+iptablesCreateTmpRootChain(virBu

Re: [libvirt] [PATCH 2/2] nwfilter: use shell variable to invoke 'ip(6)tables' command

2011-11-21 Thread Eric Blake
On 11/21/2011 06:28 AM, Stefan Berger wrote:
> Introduce a shell variable 'IBT' to invoke the ip(6)tables command.
> 
> Tested with libvirt-tck.
> 
> ---
>  src/nwfilter/nwfilter_ebiptables_driver.c |  313 
> ++
>  1 file changed, 155 insertions(+), 158 deletions(-)
> 

> Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> ===
> --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
> +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
> @@ -146,6 +146,10 @@ static const char ebiptables_script_set_
>  
>  #define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \
>  virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path);

These variable assignments will fail if the absolute path to
ebtables_cmd_path and friends contain any whitespace or shell
metacharacters, but then again, the old code pre-conversion would have
failed in similar manners, so we already had an implicit assumption that
the user isn't calling ./configure with an insane PATH containing a
directory with whitespace at the front as the location for their
preferred commands.  I see nothing wrong with continuing that
assumption, although someday we may want to make configure fail if it
detects a tool name that cannot be safely passed unquoted through shell
(at least, for the three tools mentioned in this .c file where we are
using the shell), as a safety valve in the interim of us ever making the
much bigger change of avoiding shell in the first place.

ACK as-is.

-- 
Eric Blake   ebl...@redhat.com+1-919-301-3266
Libvirt virtualization library http://libvirt.org


