October 2010 - Devel - Libvirt List Archives

by Eric Blake

My XSL skills are less than stellar, so I'm throwing this out to the list in case someone else can pick it up and come up with a decent patch in less time. Right now, http://libvirt.org/ChangeLog.html is worthless; it is linked from a couple of other pages, such as http://libvirt.org/news.html. A better place to link would be a live git page: http://libvirt.org/git/?p=libvirt.git;a=log I don't know whether it is easier to update news.html.in and sitemap.html.in to point directly to the new link, or if we should keep ChangeLog.xsl but have it revamped to point to the new link. -- Eric Blake eblake(a)redhat.com +1-801-349-2682 Libvirt virtualization library http://libvirt.org

14 years, 1 month

3
4
0 / 0

[libvirt] [PATCH] vbox: Fix compile errors due to the virSocketAddr series

by Matthias Bolte

--- src/vbox/vbox_tmpl.c | 116 +++++++++++++++++++++++++++++++++++++++++++------- 1 files changed, 100 insertions(+), 16 deletions(-) diff --git a/src/vbox/vbox_tmpl.c b/src/vbox/vbox_tmpl.c index 5a859a4..ddbca97 100644 --- a/src/vbox/vbox_tmpl.c +++ b/src/vbox/vbox_tmpl.c @@ -626,6 +626,45 @@ static PRUnichar *PRUnicharFromInt(int n) { #endif /* !(VBOX_API_VERSION == 2002) */ +static PRUnichar * +vboxSocketFormatAddrUtf16(vboxGlobalData *data, virSocketAddrPtr addr) +{ + char *utf8 = NULL; + PRUnichar *utf16 = NULL; + + utf8 = virSocketFormatAddr(addr); + + if (utf8 == NULL) { + return NULL; + } + + VBOX_UTF8_TO_UTF16(utf8, &utf16); + VIR_FREE(utf8); + + return utf16; +} + +static int +vboxSocketParseAddrUtf16(vboxGlobalData *data, const PRUnichar *utf16, + virSocketAddrPtr addr) +{ + int result = -1; + char *utf8 = NULL; + + VBOX_UTF16_TO_UTF8(utf16, &utf8); + + if (virSocketParseAddr(utf8, addr, AF_UNSPEC) < 0) { + goto cleanup; + } + + result = 0; + +cleanup: + VBOX_UTF8_FREE(utf8); + + return result; +} + static virCapsPtr vboxCapsInit(void) { struct utsname utsname; virCapsPtr caps; @@ -7073,8 +7112,8 @@ static virNetworkPtr vboxNetworkDefineCreateXML(virConnectPtr conn, const char * * with contigious address space from start to end */ if ((def->nranges >= 1) && - (def->ranges[0].start) && - (def->ranges[0].end)) { + VIR_SOCKET_HAS_ADDR(&def->ranges[0].start) && + VIR_SOCKET_HAS_ADDR(&def->ranges[0].end)) { IDHCPServer *dhcpServer = NULL; data->vboxObj->vtbl->FindDHCPServerByNetworkName(data->vboxObj, @@ -7094,11 +7133,21 @@ static virNetworkPtr vboxNetworkDefineCreateXML(virConnectPtr conn, const char * PRUnichar *toIPAddressUtf16 = NULL; PRUnichar *trunkTypeUtf16 = NULL; + ipAddressUtf16 = vboxSocketFormatAddrUtf16(data, &def->ipAddress); + networkMaskUtf16 = vboxSocketFormatAddrUtf16(data, &def->netmask); + fromIPAddressUtf16 = vboxSocketFormatAddrUtf16(data, &def->ranges[0].start); + toIPAddressUtf16 = vboxSocketFormatAddrUtf16(data, &def->ranges[0].end); + + if (ipAddressUtf16 == NULL || networkMaskUtf16 == NULL || + fromIPAddressUtf16 == NULL || toIPAddressUtf16 == NULL) { + VBOX_UTF16_FREE(ipAddressUtf16); + VBOX_UTF16_FREE(networkMaskUtf16); + VBOX_UTF16_FREE(fromIPAddressUtf16); + VBOX_UTF16_FREE(toIPAddressUtf16); + VBOX_RELEASE(dhcpServer); + goto cleanup; + } - VBOX_UTF8_TO_UTF16(def->ipAddress, &ipAddressUtf16); - VBOX_UTF8_TO_UTF16(def->netmask, &networkMaskUtf16); - VBOX_UTF8_TO_UTF16(def->ranges[0].start, &fromIPAddressUtf16); - VBOX_UTF8_TO_UTF16(def->ranges[0].end, &toIPAddressUtf16); VBOX_UTF8_TO_UTF16("netflt", &trunkTypeUtf16); dhcpServer->vtbl->SetEnabled(dhcpServer, PR_TRUE); @@ -7125,12 +7174,18 @@ static virNetworkPtr vboxNetworkDefineCreateXML(virConnectPtr conn, const char * } if ((def->nhosts >= 1) && - (def->hosts[0].ip)) { + VIR_SOCKET_HAS_ADDR(&def->hosts[0].ip)) { PRUnichar *ipAddressUtf16 = NULL; PRUnichar *networkMaskUtf16 = NULL; - VBOX_UTF8_TO_UTF16(def->netmask, &networkMaskUtf16); - VBOX_UTF8_TO_UTF16(def->hosts[0].ip, &ipAddressUtf16); + ipAddressUtf16 = vboxSocketFormatAddrUtf16(data, &def->hosts[0].ip); + networkMaskUtf16 = vboxSocketFormatAddrUtf16(data, &def->netmask); + + if (ipAddressUtf16 == NULL || networkMaskUtf16 == NULL) { + VBOX_UTF16_FREE(ipAddressUtf16); + VBOX_UTF16_FREE(networkMaskUtf16); + goto cleanup; + } /* Current drawback is that since EnableStaticIpConfig() sets * IP and enables the interface so even if the dhcpserver is not @@ -7393,6 +7448,7 @@ static char *vboxNetworkDumpXML(virNetworkPtr network, int flags ATTRIBUTE_UNUSE PRUnichar *networkMaskUtf16 = NULL; PRUnichar *fromIPAddressUtf16 = NULL; PRUnichar *toIPAddressUtf16 = NULL; + bool errorOccurred = false; dhcpServer->vtbl->GetIPAddress(dhcpServer, &ipAddressUtf16); dhcpServer->vtbl->GetNetworkMask(dhcpServer, &networkMaskUtf16); @@ -7401,15 +7457,25 @@ static char *vboxNetworkDumpXML(virNetworkPtr network, int flags ATTRIBUTE_UNUSE /* Currently virtualbox supports only one dhcp server per network * with contigious address space from start to end */ - VBOX_UTF16_TO_UTF8(ipAddressUtf16, &def->ipAddress); - VBOX_UTF16_TO_UTF8(networkMaskUtf16, &def->netmask); - VBOX_UTF16_TO_UTF8(fromIPAddressUtf16, &def->ranges[0].start); - VBOX_UTF16_TO_UTF8(toIPAddressUtf16, &def->ranges[0].end); + if (vboxSocketParseAddrUtf16(data, ipAddressUtf16, + &def->ipAddress) < 0 || + vboxSocketParseAddrUtf16(data, networkMaskUtf16, + &def->netmask) < 0 || + vboxSocketParseAddrUtf16(data, fromIPAddressUtf16, + &def->ranges[0].start) < 0 || + vboxSocketParseAddrUtf16(data, toIPAddressUtf16, + &def->ranges[0].end) < 0) { + errorOccurred = true; + } VBOX_UTF16_FREE(ipAddressUtf16); VBOX_UTF16_FREE(networkMaskUtf16); VBOX_UTF16_FREE(fromIPAddressUtf16); VBOX_UTF16_FREE(toIPAddressUtf16); + + if (errorOccurred) { + goto cleanup; + } } else { def->nranges = 0; virReportOOMError(); @@ -7425,15 +7491,24 @@ static char *vboxNetworkDumpXML(virNetworkPtr network, int flags ATTRIBUTE_UNUSE } else { PRUnichar *macAddressUtf16 = NULL; PRUnichar *ipAddressUtf16 = NULL; + bool errorOccurred = false; networkInterface->vtbl->GetHardwareAddress(networkInterface, &macAddressUtf16); networkInterface->vtbl->GetIPAddress(networkInterface, &ipAddressUtf16); VBOX_UTF16_TO_UTF8(macAddressUtf16, &def->hosts[0].mac); - VBOX_UTF16_TO_UTF8(ipAddressUtf16, &def->hosts[0].ip); + + if (vboxSocketParseAddrUtf16(data, ipAddressUtf16, + &def->hosts[0].ip) < 0) { + errorOccurred = true; + } VBOX_UTF16_FREE(macAddressUtf16); VBOX_UTF16_FREE(ipAddressUtf16); + + if (errorOccurred) { + goto cleanup; + } } } else { def->nhosts = 0; @@ -7443,15 +7518,24 @@ static char *vboxNetworkDumpXML(virNetworkPtr network, int flags ATTRIBUTE_UNUSE } else { PRUnichar *networkMaskUtf16 = NULL; PRUnichar *ipAddressUtf16 = NULL; + bool errorOccurred = false; networkInterface->vtbl->GetNetworkMask(networkInterface, &networkMaskUtf16); networkInterface->vtbl->GetIPAddress(networkInterface, &ipAddressUtf16); - VBOX_UTF16_TO_UTF8(networkMaskUtf16, &def->netmask); - VBOX_UTF16_TO_UTF8(ipAddressUtf16, &def->ipAddress); + if (vboxSocketParseAddrUtf16(data, networkMaskUtf16, + &def->netmask) < 0 || + vboxSocketParseAddrUtf16(data, ipAddressUtf16, + &def->ipAddress) < 0) { + errorOccurred = true; + } VBOX_UTF16_FREE(networkMaskUtf16); VBOX_UTF16_FREE(ipAddressUtf16); + + if (errorOccurred) { + goto cleanup; + } } DEBUGIID("Network UUID", vboxnet0IID); -- 1.7.0.4

14 years, 1 month

2
2
0 / 0

[libvirt] [PATCH v2] qemu: call drive_unplug in DetachPciDiskDevice

by Ryan Harper

Currently libvirt doesn't confirm whether the guest has responded to the disk removal request. In some cases this can leave the guest with continued access to the device while the mgmt layer believes that it has been removed. With a recent qemu monitor command[1] we can deterministically revoke a guests access to the disk (on the QEMU side) to ensure no futher access is permitted. This patch adds support for the drive_unplug() command and introduces it in the disk removal paths. There is some discussion to be had about how to handle the case where the guest is running in a QEMU without this command (and the fact that we currently don't have a way of detecting what monitor commands are available). Changes since v1: - return > 0 when command isn't present, < 0 on command failure - detect when drive_unplug command isn't present and log error instead of failing entire command Signed-off-by: Ryan Harper <ryanh(a)us.ibm.com> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index abd8e9d..615427a 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -8646,6 +8646,7 @@ static int qemudDomainDetachPciDiskDevice(struct qemud_driver *driver, virDomainDiskDefPtr detach = NULL; qemuDomainObjPrivatePtr priv = vm->privateData; virCgroupPtr cgroup = NULL; + char drivestr[PATH_MAX]; i = qemudFindDisk(vm->def, dev->data.disk->dst); @@ -8673,13 +8674,36 @@ static int qemudDomainDetachPciDiskDevice(struct qemud_driver *driver, goto cleanup; } + /* build the actual drive id string as the disk->info.alias doesn't + * contain the QEMU_DRIVE_HOST_PREFIX that is passed to qemu */ + if ((ret = snprintf(drivestr, sizeof(drivestr), "%s%s", + QEMU_DRIVE_HOST_PREFIX, + detach->info.alias)) + < 0 || ret >= sizeof(drivestr)) { + virReportOOMError(); + goto cleanup; + } + qemuDomainObjEnterMonitorWithDriver(driver, vm); if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) { + ret = qemuMonitorDriveUnplug(priv->mon, drivestr); + DEBUG("DriveUnplug ret=%d", ret); + /* ret > 0 indicates unplug isn't supported, issue will be logged */ + if (ret < 0) { + qemuDomainObjExitMonitor(vm); + goto cleanup; + } if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) { qemuDomainObjExitMonitor(vm); goto cleanup; } } else { + ret = qemuMonitorDriveUnplug(priv->mon, drivestr); + /* ret > 0 indicates unplug isn't supported, issue will be logged */ + if (ret < 0) { + qemuDomainObjExitMonitor(vm); + goto cleanup; + } if (qemuMonitorRemovePCIDevice(priv->mon, &detach->info.addr.pci) < 0) { qemuDomainObjExitMonitor(vm); @@ -8723,6 +8747,7 @@ static int qemudDomainDetachSCSIDiskDevice(struct qemud_driver *driver, virDomainDiskDefPtr detach = NULL; qemuDomainObjPrivatePtr priv = vm->privateData; virCgroupPtr cgroup = NULL; + char drivestr[PATH_MAX]; i = qemudFindDisk(vm->def, dev->data.disk->dst); @@ -8749,7 +8774,22 @@ static int qemudDomainDetachSCSIDiskDevice(struct qemud_driver *driver, } } + /* build the actual drive id string as the disk->info.alias doesn't + * contain the QEMU_DRIVE_HOST_PREFIX that is passed to qemu */ + if ((ret = snprintf(drivestr, sizeof(drivestr), "%s%s", + QEMU_DRIVE_HOST_PREFIX, + detach->info.alias)) + < 0 || ret >= sizeof(drivestr)) { + virReportOOMError(); + goto cleanup; + } + qemuDomainObjEnterMonitorWithDriver(driver, vm); + /* ret > 0 indicates unplug isn't supported, issue will be logged */ + if (qemuMonitorDriveUnplug(priv->mon, drivestr) < 0) { + qemuDomainObjExitMonitor(vm); + goto cleanup; + } if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) { qemuDomainObjExitMonitor(vm); goto cleanup; diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index 2366fdb..285381d 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c @@ -1781,6 +1781,25 @@ int qemuMonitorGetAllPCIAddresses(qemuMonitorPtr mon, return ret; } +int qemuMonitorDriveUnplug(qemuMonitorPtr mon, + const char *drivestr) +{ + DEBUG("mon=%p drivestr=%s", mon, drivestr); + int ret; + + if (!mon) { + qemuReportError(VIR_ERR_INVALID_ARG, "%s", + _("monitor must not be NULL")); + return -1; + } + + if (mon->json) + ret = qemuMonitorJSONDriveUnplug(mon, drivestr); + else + ret = qemuMonitorTextDriveUnplug(mon, drivestr); + return ret; +} + int qemuMonitorDelDevice(qemuMonitorPtr mon, const char *devalias) { diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h index 48f4c20..bfe3641 100644 --- a/src/qemu/qemu_monitor.h +++ b/src/qemu/qemu_monitor.h @@ -381,6 +381,9 @@ int qemuMonitorDelDevice(qemuMonitorPtr mon, int qemuMonitorAddDrive(qemuMonitorPtr mon, const char *drivestr); +int qemuMonitorDriveUnplug(qemuMonitorPtr mon, + const char *drivestr); + int qemuMonitorSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, const char *passphrase); diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index d3ab25f..8e474be 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c @@ -2243,6 +2243,40 @@ int qemuMonitorJSONAddDrive(qemuMonitorPtr mon, } +int qemuMonitorJSONDriveUnplug(qemuMonitorPtr mon, + const char *drivestr) +{ + int ret; + virJSONValuePtr cmd; + virJSONValuePtr reply = NULL; + + DEBUG("JSONDriveUnplug drivestr=%s", drivestr); + cmd = qemuMonitorJSONMakeCommand("drive_unplug", + "s:id", drivestr, + NULL); + if (!cmd) + return -1; + + ret = qemuMonitorJSONCommand(mon, cmd, &reply); + + if (ret == 0) { + /* See if drive_unplug isn't supported */ + if (qemuMonitorJSONHasError(reply, "CommandNotFound")) { + qemuReportError(VIR_ERR_OPERATION_FAILED, "%s", + _("unplugging disk is not supported. " + "This may leak data if disk is reassigned")); + ret = 1; + goto cleanup; + } + ret = qemuMonitorJSONCheckError(cmd, reply); + } + +cleanup: + virJSONValueFree(cmd); + virJSONValueFree(reply); + return ret; +} + int qemuMonitorJSONSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, const char *passphrase) diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h index 94806c1..6a8692e 100644 --- a/src/qemu/qemu_monitor_json.h +++ b/src/qemu/qemu_monitor_json.h @@ -188,6 +188,9 @@ int qemuMonitorJSONDelDevice(qemuMonitorPtr mon, int qemuMonitorJSONAddDrive(qemuMonitorPtr mon, const char *drivestr); +int qemuMonitorJSONDriveUnplug(qemuMonitorPtr mon, + const char *drivestr); + int qemuMonitorJSONSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, const char *passphrase); diff --git a/src/qemu/qemu_monitor_text.c b/src/qemu/qemu_monitor_text.c index 69971a6..5f7869d 100644 --- a/src/qemu/qemu_monitor_text.c +++ b/src/qemu/qemu_monitor_text.c @@ -2380,6 +2380,53 @@ cleanup: return ret; } +/* Attempts to unplug a drive. Returns 1 if unsupported, 0 if ok, and -1 on + * other failure */ +int qemuMonitorTextDriveUnplug(qemuMonitorPtr mon, + const char *drivestr) +{ + char *cmd = NULL; + char *reply = NULL; + char *safedev; + int ret = -1; + DEBUG("TextDriveUnplug drivestr=%s", drivestr); + + if (!(safedev = qemuMonitorEscapeArg(drivestr))) { + virReportOOMError(); + goto cleanup; + } + + if (virAsprintf(&cmd, "drive_unplug %s", safedev) < 0) { + virReportOOMError(); + goto cleanup; + } + + if (qemuMonitorCommand(mon, cmd, &reply) < 0) { + qemuReportError(VIR_ERR_OPERATION_FAILED, + _("cannot unplug %s drive"), drivestr); + goto cleanup; + } + + if (strstr(reply, "unknown command:")) { + qemuReportError(VIR_ERR_OPERATION_FAILED, "%s", + _("unplugging disk is not supported. " + "This may leak data if disk is reassigned")); + ret = 1; + goto cleanup; + } else if (STRNEQ(reply, "")) { + qemuReportError(VIR_ERR_OPERATION_FAILED, + _("unplugging %s drive failed: %s"), drivestr, reply); + goto cleanup; + } + + ret = 0; + +cleanup: + VIR_FREE(cmd); + VIR_FREE(reply); + VIR_FREE(safedev); + return ret; +} int qemuMonitorTextSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, diff --git a/src/qemu/qemu_monitor_text.h b/src/qemu/qemu_monitor_text.h index c017509..8355ce8 100644 --- a/src/qemu/qemu_monitor_text.h +++ b/src/qemu/qemu_monitor_text.h @@ -186,6 +186,9 @@ int qemuMonitorTextDelDevice(qemuMonitorPtr mon, int qemuMonitorTextAddDrive(qemuMonitorPtr mon, const char *drivestr); +int qemuMonitorTextDriveUnplug(qemuMonitorPtr mon, + const char *drivestr); + int qemuMonitorTextSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, const char *passphrase); -- Ryan Harper Software Engineer; Linux Technology Center IBM Corp., Austin, Tx ryanh(a)us.ibm.com

14 years, 1 month

2
1
0 / 0

[libvirt] [PATCH 0/2] Add support for DTrace probes in libvirtd

by Daniel P. Berrange

This is an update of the earlier DTrace patch. Primarily it is just a rebase, but the second patch adds support for including the socket address in the CLIENT_CONNECT probe event. This is dependant on the big virSocket API series. Support for probing public API functions in libvirt.so is still under investigation.

14 years, 1 month

2
6
0 / 0

[libvirt] [PATCH] support compressed crashdump of guests

by KAMEZAWA Hiroyuki

Now, virsh dump doesn't support compresses dump. This patch adds GZIP and LZOP option to virsh dump and support it at qemu coredump. (AFAIK, LZOP is available on RHEL6.) When I did 4G guest dump, (Raw) 3844669750 (Gzip) 1029846577 (LZOP) 1416263880 (faster than gzip in general) This will be a help for a host where crash-dump is used and several guests works on it. help message is modified as this. NAME dump - dump the core of a domain to a file for analysis SYNOPSIS dump [--live] [--crash] [--gzip] [--lzop] <domain> <file> DESCRIPTION Core dump a domain. OPTIONS --live perform a live core dump if supported --crash crash the domain after core dump --gzip gzip dump(only one compression allowed --lzop lzop dump(only one compression allowed [--domain] <string> domain name, id or uuid [--file] <string> where to dump the core Tested on Fedora-13+x86-64. Note: for better compression, we may have to skip pages filled by zero or freed pages. But it seems it's qemu's works. Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu(a)jp.fujitsu.com> --- include/libvirt/libvirt.h.in | 2 ++ src/qemu/qemu_driver.c | 23 +++++++++++++++++++---- tools/virsh.c | 10 +++++++++- 3 files changed, 30 insertions(+), 5 deletions(-) Index: libvirt-0.8.4/src/qemu/qemu_driver.c =================================================================== --- libvirt-0.8.4.orig/src/qemu/qemu_driver.c +++ libvirt-0.8.4/src/qemu/qemu_driver.c @@ -5710,7 +5710,7 @@ cleanup: static int qemudDomainCoreDump(virDomainPtr dom, const char *path, - int flags ATTRIBUTE_UNUSED) { + int flags) { struct qemud_driver *driver = dom->conn->privateData; virDomainObjPtr vm; int resume = 0, paused = 0; @@ -5720,6 +5720,14 @@ static int qemudDomainCoreDump(virDomain "cat", NULL, }; + const char *zargs[] = { + "gzip", + NULL, + }; + const char *lzargs[] = { + "lzop", + NULL, + }; qemuDomainObjPrivatePtr priv; qemuDriverLock(driver); @@ -5787,9 +5795,16 @@ static int qemudDomainCoreDump(virDomain } qemuDomainObjEnterMonitorWithDriver(driver, vm); - ret = qemuMonitorMigrateToFile(priv->mon, - QEMU_MONITOR_MIGRATE_BACKGROUND, - args, path, 0); + if (flags & VIR_DUMP_GZIP) + ret = qemuMonitorMigrateToFile(priv->mon, + QEMU_MONITOR_MIGRATE_BACKGROUND, zargs, path, 0); + else if (flags & VIR_DUMP_LZOP) + ret = qemuMonitorMigrateToFile(priv->mon, + QEMU_MONITOR_MIGRATE_BACKGROUND, lzargs, path, 0); + else + ret = qemuMonitorMigrateToFile(priv->mon, + QEMU_MONITOR_MIGRATE_BACKGROUND, args, path, 0); + qemuDomainObjExitMonitorWithDriver(driver, vm); if (ret < 0) goto endjob; Index: libvirt-0.8.4/tools/virsh.c =================================================================== --- libvirt-0.8.4.orig/tools/virsh.c +++ libvirt-0.8.4/tools/virsh.c @@ -1751,6 +1751,8 @@ static const vshCmdInfo info_dump[] = { static const vshCmdOptDef opts_dump[] = { {"live", VSH_OT_BOOL, 0, N_("perform a live core dump if supported")}, {"crash", VSH_OT_BOOL, 0, N_("crash the domain after core dump")}, + {"gzip", VSH_OT_BOOL, 0, N_("gzip dump(only one compression allowed")}, + {"lzop", VSH_OT_BOOL, 0, N_("lzop dump(only one compression allowed")}, {"domain", VSH_OT_DATA, VSH_OFLAG_REQ, N_("domain name, id or uuid")}, {"file", VSH_OT_DATA, VSH_OFLAG_REQ, N_("where to dump the core")}, {NULL, 0, 0, NULL} @@ -1778,7 +1780,13 @@ cmdDump(vshControl *ctl, const vshCmd *c flags |= VIR_DUMP_LIVE; if (vshCommandOptBool (cmd, "crash")) flags |= VIR_DUMP_CRASH; - + if (vshCommandOptBool (cmd, "gzip")) + flags |= VIR_DUMP_GZIP; + if (vshCommandOptBool (cmd, "lzop")) + flags |= VIR_DUMP_LZOP; + if ((flags & (VIR_DUMP_GZIP | VIR_DUMP_LZOP)) + == (VIR_DUMP_GZIP | VIR_DUMP_LZOP)) + return FALSE; if (virDomainCoreDump(dom, to, flags) == 0) { vshPrint(ctl, _("Domain %s dumped to %s\n"), name, to); } else { Index: libvirt-0.8.4/include/libvirt/libvirt.h.in =================================================================== --- libvirt-0.8.4.orig/include/libvirt/libvirt.h.in +++ libvirt-0.8.4/include/libvirt/libvirt.h.in @@ -402,6 +402,8 @@ typedef virDomainMemoryStatStruct *virDo typedef enum { VIR_DUMP_CRASH = (1 << 0), /* crash after dump */ VIR_DUMP_LIVE = (1 << 1), /* live dump */ + VIR_DUMP_GZIP = (1 << 2), /* gzip dump file */ + VIR_DUMP_LZOP = (1 << 3), /* lzop dump file */ } virDomainCoreDumpFlags; /* Domain migration flags. */

14 years, 1 month

3
7
0 / 0

Re: [libvirt] [libvirt-tck 3/3] Add test case for daemon hook testing

by Osier

updated, and patch attached. - Osier ----- "Daniel P. Berrange" <berrange(a)redhat.com> wrote: > On Tue, Oct 19, 2010 at 03:41:55AM -0400, Osier wrote: > > attach updated patch for daemon hook testing.. > > > > replaced "cat" with "slurp", corrected typos. > > > From 963158c860d5415117e70b67458745c2b4cf9c13 Mon Sep 17 00:00:00 > 2001 > > From: Osier Yang <jyang(a)redhat.com> > > Date: Tue, 19 Oct 2010 15:32:17 +0800 > > Subject: [libvirt-tck 4/4] Add test case for daemon hook testing > > > > Validate daemon hook is invoked correctly while start, stop, > > restart, reload libvirtd > > --- > > scripts/hooks/051-daemon-hook.t | 153 > +++++++++++++++++++++++++++++++++++++++ > > 1 files changed, 153 insertions(+), 0 deletions(-) > > create mode 100644 scripts/hooks/051-daemon-hook.t > > This still needs to skip execution if the Sys::Virt::TCK > connection object is not lxc:/// or qemu:///system > > Regards, > Daniel > -- > |: Red Hat, Engineering, London -o- > http://people.redhat.com/berrange/ :| > |: http://libvirt.org -o- http://virt-manager.org -o- > http://deltacloud.org :| > |: http://autobuild.org -o- > http://search.cpan.org/~danberr/ :| > |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B > 9505 :|

14 years, 1 month

2
1
0 / 0

[libvirt] [PATCH] qemu: call drive_unplug in DetachPciDiskDevice

by Ryan Harper

Currently libvirt doesn't confirm whether the guest has responded to the disk removal request. In some cases this can leave the guest with continued access to the device while the mgmt layer believes that it has been removed. With a recent qemu monitor command[1] we can deterministically revoke a guests access to the disk (on the QEMU side) to ensure no futher access is permitted. This patch adds support for the drive_unplug() command and introduces it in the disk removal paths. There is some discussion to be had about how to handle the case where the guest is running in a QEMU without this command (and the fact that we currently don't have a way of detecting what monitor commands are available). My current implementation assumes that if you don't have a QEMU with this capability that we should fail the device removal. This is a strong statement around hotplug that isn't consistent with previous releases so I'm open to other approachs, but given the potential data leakage problem hot-remove can lead to without drive_unplug, I think it's the right thing to do. Signed-off-by: Ryan Harper <ryanh(a)us.ibm.com> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index abd8e9d..c7f4746 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -8646,6 +8646,7 @@ static int qemudDomainDetachPciDiskDevice(struct qemud_driver *driver, virDomainDiskDefPtr detach = NULL; qemuDomainObjPrivatePtr priv = vm->privateData; virCgroupPtr cgroup = NULL; + char drivestr[PATH_MAX]; i = qemudFindDisk(vm->def, dev->data.disk->dst); @@ -8673,13 +8674,34 @@ static int qemudDomainDetachPciDiskDevice(struct qemud_driver *driver, goto cleanup; } + /* build the actual drive id string as the disk->info.alias doesn't + * contain the QEMU_DRIVE_HOST_PREFIX that is passed to qemu */ + if ((ret = snprintf(drivestr, sizeof(drivestr), "%s%s", + QEMU_DRIVE_HOST_PREFIX, + detach->info.alias)) + < 0 || ret >= sizeof(drivestr)) { + virReportOOMError(); + goto cleanup; + } + qemuDomainObjEnterMonitorWithDriver(driver, vm); if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) { + ret = qemuMonitorDriveUnplug(priv->mon, drivestr); + DEBUG("DriveUnplug ret=%d", ret); + if (ret != 0) { + qemuDomainObjExitMonitor(vm); + goto cleanup; + } if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) { qemuDomainObjExitMonitor(vm); goto cleanup; } } else { + ret = qemuMonitorDriveUnplug(priv->mon, drivestr); + if (ret != 0) { + qemuDomainObjExitMonitor(vm); + goto cleanup; + } if (qemuMonitorRemovePCIDevice(priv->mon, &detach->info.addr.pci) < 0) { qemuDomainObjExitMonitor(vm); @@ -8723,6 +8745,7 @@ static int qemudDomainDetachSCSIDiskDevice(struct qemud_driver *driver, virDomainDiskDefPtr detach = NULL; qemuDomainObjPrivatePtr priv = vm->privateData; virCgroupPtr cgroup = NULL; + char drivestr[PATH_MAX]; i = qemudFindDisk(vm->def, dev->data.disk->dst); @@ -8749,7 +8772,21 @@ static int qemudDomainDetachSCSIDiskDevice(struct qemud_driver *driver, } } + /* build the actual drive id string as the disk->info.alias doesn't + * contain the QEMU_DRIVE_HOST_PREFIX that is passed to qemu */ + if ((ret = snprintf(drivestr, sizeof(drivestr), "%s%s", + QEMU_DRIVE_HOST_PREFIX, + detach->info.alias)) + < 0 || ret >= sizeof(drivestr)) { + virReportOOMError(); + goto cleanup; + } + qemuDomainObjEnterMonitorWithDriver(driver, vm); + if (qemuMonitorDriveUnplug(priv->mon, drivestr) < 0) { + qemuDomainObjExitMonitor(vm); + goto cleanup; + } if (qemuMonitorDelDevice(priv->mon, detach->info.alias) < 0) { qemuDomainObjExitMonitor(vm); goto cleanup; diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c index 2366fdb..285381d 100644 --- a/src/qemu/qemu_monitor.c +++ b/src/qemu/qemu_monitor.c @@ -1781,6 +1781,25 @@ int qemuMonitorGetAllPCIAddresses(qemuMonitorPtr mon, return ret; } +int qemuMonitorDriveUnplug(qemuMonitorPtr mon, + const char *drivestr) +{ + DEBUG("mon=%p drivestr=%s", mon, drivestr); + int ret; + + if (!mon) { + qemuReportError(VIR_ERR_INVALID_ARG, "%s", + _("monitor must not be NULL")); + return -1; + } + + if (mon->json) + ret = qemuMonitorJSONDriveUnplug(mon, drivestr); + else + ret = qemuMonitorTextDriveUnplug(mon, drivestr); + return ret; +} + int qemuMonitorDelDevice(qemuMonitorPtr mon, const char *devalias) { diff --git a/src/qemu/qemu_monitor.h b/src/qemu/qemu_monitor.h index 48f4c20..bfe3641 100644 --- a/src/qemu/qemu_monitor.h +++ b/src/qemu/qemu_monitor.h @@ -381,6 +381,9 @@ int qemuMonitorDelDevice(qemuMonitorPtr mon, int qemuMonitorAddDrive(qemuMonitorPtr mon, const char *drivestr); +int qemuMonitorDriveUnplug(qemuMonitorPtr mon, + const char *drivestr); + int qemuMonitorSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, const char *passphrase); diff --git a/src/qemu/qemu_monitor_json.c b/src/qemu/qemu_monitor_json.c index d3ab25f..e99adac 100644 --- a/src/qemu/qemu_monitor_json.c +++ b/src/qemu/qemu_monitor_json.c @@ -2243,6 +2243,30 @@ int qemuMonitorJSONAddDrive(qemuMonitorPtr mon, } +int qemuMonitorJSONDriveUnplug(qemuMonitorPtr mon, + const char *drivestr) +{ + int ret; + virJSONValuePtr cmd; + virJSONValuePtr reply = NULL; + + DEBUG("JSONDriveUnplug drivestr=%s", drivestr); + cmd = qemuMonitorJSONMakeCommand("drive_unplug", + "s:id", drivestr, + NULL); + if (!cmd) + return -1; + + ret = qemuMonitorJSONCommand(mon, cmd, &reply); + + if (ret == 0) + ret = qemuMonitorJSONCheckError(cmd, reply); + + virJSONValueFree(cmd); + virJSONValueFree(reply); + return ret; +} + int qemuMonitorJSONSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, const char *passphrase) diff --git a/src/qemu/qemu_monitor_json.h b/src/qemu/qemu_monitor_json.h index 94806c1..6a8692e 100644 --- a/src/qemu/qemu_monitor_json.h +++ b/src/qemu/qemu_monitor_json.h @@ -188,6 +188,9 @@ int qemuMonitorJSONDelDevice(qemuMonitorPtr mon, int qemuMonitorJSONAddDrive(qemuMonitorPtr mon, const char *drivestr); +int qemuMonitorJSONDriveUnplug(qemuMonitorPtr mon, + const char *drivestr); + int qemuMonitorJSONSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, const char *passphrase); diff --git a/src/qemu/qemu_monitor_text.c b/src/qemu/qemu_monitor_text.c index 69971a6..ded3078 100644 --- a/src/qemu/qemu_monitor_text.c +++ b/src/qemu/qemu_monitor_text.c @@ -2380,6 +2380,45 @@ cleanup: return ret; } +int qemuMonitorTextDriveUnplug(qemuMonitorPtr mon, + const char *drivestr) +{ + char *cmd = NULL; + char *reply = NULL; + char *safedev; + int ret = -1; + DEBUG("TextDriveUnplug drivestr=%s", drivestr); + + if (!(safedev = qemuMonitorEscapeArg(drivestr))) { + virReportOOMError(); + goto cleanup; + } + + if (virAsprintf(&cmd, "drive_unplug %s", safedev) < 0) { + virReportOOMError(); + goto cleanup; + } + + if (qemuMonitorCommand(mon, cmd, &reply) < 0) { + qemuReportError(VIR_ERR_OPERATION_FAILED, + _("cannot unplug %s drive"), drivestr); + goto cleanup; + } + + if (STRNEQ(reply, "")) { + qemuReportError(VIR_ERR_OPERATION_FAILED, + _("unplugging %s drive failed: %s"), drivestr, reply); + goto cleanup; + } + + ret = 0; + +cleanup: + VIR_FREE(cmd); + VIR_FREE(reply); + VIR_FREE(safedev); + return ret; +} int qemuMonitorTextSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, diff --git a/src/qemu/qemu_monitor_text.h b/src/qemu/qemu_monitor_text.h index c017509..8355ce8 100644 --- a/src/qemu/qemu_monitor_text.h +++ b/src/qemu/qemu_monitor_text.h @@ -186,6 +186,9 @@ int qemuMonitorTextDelDevice(qemuMonitorPtr mon, int qemuMonitorTextAddDrive(qemuMonitorPtr mon, const char *drivestr); +int qemuMonitorTextDriveUnplug(qemuMonitorPtr mon, + const char *drivestr); + int qemuMonitorTextSetDrivePassphrase(qemuMonitorPtr mon, const char *alias, const char *passphrase); -- Ryan Harper Software Engineer; Linux Technology Center IBM Corp., Austin, Tx ryanh(a)us.ibm.com

14 years, 1 month

3
13
0 / 0

[libvirt] [PATCH] [RESEND] [TCK] nwfilter: Adapt to changes how filters are instantiated

by Stefan Berger

I am resending the patch with 'evolution' and hope no patch-mangling occurs. At least it looks ok before sending (also sending patch as an attachment) Recent changes to how filters are being instantiated require follow-up changes to the test suite. The following changes are related to - usage of 'ctdir' - changes to the host's incoming filter chain Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall | 10 +++++----- scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall | 2 +- scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall | 4 ++-- scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall | 2 +- scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall | 2 +- scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall | 2 +- scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall | 4 ++-- scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall | 4 ++-- scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall | 6 +++--- scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall | 6 +++--- 24 files changed, 63 insertions(+), 63 deletions(-) Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall @@ -1,21 +1,21 @@ #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN ah ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED -RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED +RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN ah ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED -ACCEPT ah a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED -ACCEPT ah ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT ah a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY +ACCEPT ah ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT ah ::/0 a:b:c::/128 DSCP match 0x21 -ACCEPT ah ::/0 ::10.1.2.3/128 DSCP match 0x21 +RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN ah ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L INPUT -n --line-numbers | grep libvirt 1 libvirt-host-in all ::/0 ::/0 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall @@ -1,21 +1,21 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED -RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED +RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED -ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED -ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY +ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 -ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall @@ -1,21 +1,21 @@ #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN all ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED -RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED +RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN all ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED -ACCEPT all a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED -ACCEPT all ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT all a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY +ACCEPT all ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT all ::/0 a:b:c::/128 DSCP match 0x21 -ACCEPT all ::/0 ::10.1.2.3/128 DSCP match 0x21 +RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN all ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L INPUT -n --line-numbers | grep libvirt 1 libvirt-host-in all ::/0 ::/0 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall @@ -1,21 +1,21 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED -RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED +RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED -ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED -ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY +ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 -ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall @@ -11,15 +11,15 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22/* udp rule */ udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22/* udp rule */ udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY #iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " " @@ -31,24 +31,24 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED -RETURN udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED -RETURN sctp ::/0 ::/0 /* comment with lone ', `, ", `, \\, $x, and two spaces */ state ESTABLISHED -RETURN ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED +RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL +RETURN udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED ctdir ORIGINAL +RETURN sctp ::/0 ::/0 /* comment with lone ', `, ", `, \\, $x, and two spaces */ state ESTABLISHED ctdir ORIGINAL +RETURN ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED -ACCEPT udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state NEW,ESTABLISHED -ACCEPT sctp ::/0 ::/0 /* comment with lone ', `, ", `, \\, $x, and two spaces */ state NEW,ESTABLISHED -ACCEPT ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED +ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 /* tcp/ipv6 rule */ tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY +ACCEPT udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state NEW,ESTABLISHED ctdir REPLY +ACCEPT sctp ::/0 ::/0 /* comment with lone ', `, ", `, \\, $x, and two spaces */ state NEW,ESTABLISHED ctdir REPLY +ACCEPT ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 -ACCEPT udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ -ACCEPT sctp ::/0 ::/0 /* comment with lone ', `, ", `, \\, $x, and two spaces */ -ACCEPT ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ +RETURN tcp ::/0 a:b:c::/128 /* tcp/ipv6 rule */ tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL +RETURN udp ::/0 ::/0 /* `ls`;${COLUMNS};$(ls);"test";&'3 spaces' */ state ESTABLISHED ctdir ORIGINAL +RETURN sctp ::/0 ::/0 /* comment with lone ', `, ", `, \\, $x, and two spaces */ state ESTABLISHED ctdir ORIGINAL +RETURN ah ::/0 ::/0 /* tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp} */ state ESTABLISHED ctdir ORIGINAL #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 #ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/example-1.fwall @@ -1,22 +1,22 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED -RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED -RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED +RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED ctdir ORIGINAL +RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL DROP all -- 0.0.0.0/0 0.0.0.0/0 #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED -ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED -ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED +ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW,ESTABLISHED ctdir REPLY +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY DROP all -- 0.0.0.0/0 0.0.0.0/0 #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 -ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 -ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 +RETURN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 state ESTABLISHED ctdir ORIGINAL +RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL DROP all -- 0.0.0.0/0 0.0.0.0/0 Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall @@ -11,7 +11,7 @@ DROP icmp -- 0.0.0.0/0 #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 +RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall @@ -11,7 +11,7 @@ DROP icmp -- 0.0.0.0/0 #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 +RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW,ESTABLISHED DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall @@ -1,17 +1,17 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED +RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY DROP all -- 0.0.0.0/0 0.0.0.0/0 #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL DROP all -- 0.0.0.0/0 0.0.0.0/0 #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 +RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY DROP all -- 0.0.0.0/0 0.0.0.0/0 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall @@ -2,17 +2,17 @@ Chain FI-vnet0 (1 references) target prot opt source destination RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED -RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED +RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 state NEW,ESTABLISHED -ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 -ACCEPT icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED +RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall @@ -2,17 +2,17 @@ Chain FI-vnet0 (1 references) target prot opt source destination RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED -RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED +RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination ACCEPT icmpv6 a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 state NEW,ESTABLISHED -ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 -ACCEPT icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21 +RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED +RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L INPUT -n --line-numbers | grep libvirt 1 libvirt-host-in all ::/0 ::/0 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall @@ -1,21 +1,21 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED -RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED +RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED -ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED -ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY +ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 -ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall @@ -1,21 +1,21 @@ #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED -RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED +RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED -ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED -ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED +ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY +ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21 -ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256 +RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #ip6tables -L INPUT -n --line-numbers | grep libvirt 1 libvirt-host-in all ::/0 ::/0 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall @@ -1,21 +1,21 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED -RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED +RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED -ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED -ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED +ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY +ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21 -ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256 +RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall @@ -1,21 +1,21 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21 RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535 dpts:255:256 #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED +ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21 -ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535 dpts:255:256 +RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21 +RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535 dpts:255:256 #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall @@ -1,21 +1,21 @@ #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED -RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED +RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED -ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED -ACCEPT tcp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state NEW,ESTABLISHED +ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY +ACCEPT tcp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21 -ACCEPT tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256 +RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #ip6tables -L INPUT -n --line-numbers | grep libvirt 1 libvirt-host-in all ::/0 ::/0 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall @@ -1,21 +1,21 @@ #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED -RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED +RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED -ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED -ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED +ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY +ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 -ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256 +RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #ip6tables -L INPUT -n --line-numbers | grep libvirt 1 libvirt-host-in all ::/0 ::/0 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall @@ -1,21 +1,21 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED -RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED -ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED -ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED ctdir REPLY +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED ctdir REPLY #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21 -ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256 +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED ctdir ORIGINAL +RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED ctdir ORIGINAL #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall @@ -3,17 +3,17 @@ Chain FI-vnet0 (1 references) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2 -RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2 -ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall @@ -1,21 +1,21 @@ #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN esp ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED -RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED +RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN esp ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED -ACCEPT esp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED -ACCEPT esp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT esp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY +ACCEPT esp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT esp ::/0 a:b:c::/128 DSCP match 0x21 -ACCEPT esp ::/0 ::10.1.2.3/128 DSCP match 0x21 +RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN esp ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L INPUT -n --line-numbers | grep libvirt 1 libvirt-host-in all ::/0 ::/0 #ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall @@ -1,21 +1,21 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED -RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED +RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED -ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED -ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY +ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 -ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall @@ -1,21 +1,21 @@ #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED -RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED +RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED -ACCEPT udplite a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED -ACCEPT udplite ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT udplite a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY +ACCEPT udplite ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT udplite ::/0 a:b:c::/128 DSCP match 0x21 -ACCEPT udplite ::/0 ::10.1.2.3/128 DSCP match 0x21 +RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #ip6tables -L INPUT -n --line-numbers | grep libvirt 1 libvirt-host-in all ::/0 ::/0 #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall @@ -1,21 +1,21 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED -RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED -RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED +RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED -ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED -ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED +ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL +ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY +ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 -ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 -ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY +RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL +RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL #iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep vnet0 | tr -s " " Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall @@ -11,15 +11,15 @@ #iptables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY #iptables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED ctdir ORIGINAL #iptables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED ctdir REPLY #iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " " HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " " @@ -31,15 +31,15 @@ FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got #ip6tables -L FI-vnet0 -n Chain FI-vnet0 (1 references) target prot opt source destination -RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33 state ESTABLISHED +RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL #ip6tables -L FO-vnet0 -n Chain FO-vnet0 (1 references) target prot opt source destination -ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED +ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED ctdir REPLY #ip6tables -L HI-vnet0 -n Chain HI-vnet0 (1 references) target prot opt source destination -ACCEPT tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33 +RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33 state ESTABLISHED ctdir ORIGINAL #ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 #ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "

14 years, 1 month

2
2
0 / 0

[libvirt] [PATCH] [TCK] Install nwfilter test files and script

by Stefan Berger

The install of the TCK test suite did not install the test script and data. This patch fixes this. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> diff --git a/Build.PL b/Build.PL index fc44af2..2a4de43 100644 --- a/Build.PL +++ b/Build.PL @@ -29,7 +29,7 @@ sub process_pkgdata_files { my $name = $File::Find::name; if (-d) { $tck_dirs{$name} = []; - } elsif (-f && /\.t$/) { + } elsif (-f && (/\.t$/ || /\.sh$/ || /\.fwall$/ || /\.xml$/)) { push @{$tck_dirs{$dir}}, $name; } };

14 years, 1 month

3
2
0 / 0

[libvirt] memory leaks...

by Stefan Berger

I am wondering if someone could interpret the valgind output for memory leak check that I see when I look for memory leaks... When a thread for creating a VM was spawned I see this output for example: ==15488== LEAK SUMMARY: ==15488== definitely lost: 9,133 bytes in 12 blocks ==15488== indirectly lost: 10,248 bytes in 5 blocks ==15488== possibly lost: 319,199 bytes in 2,887 blocks ==15488== still reachable: 4,635,633 bytes in 30,308 blocks ==15488== suppressed: 0 bytes in 0 blocks ==15488== Reachable blocks (those to which a pointer was found) are not shown. ==15488== To see them, rerun with: --leak-check=full --show-reachable=yes The traces above it show some 'wild' paths into libraries. We may either not be using the libraries correctly or they have leaks themselves ... When terminating the valgrind process by sending a -SIGTERM to it I then get this: ==15488== LEAK SUMMARY: ==15488== definitely lost: 0 bytes in 0 blocks ==15488== indirectly lost: 0 bytes in 0 blocks ==15488== possibly lost: 2,701 bytes in 25 blocks ==15488== still reachable: 543,655 bytes in 7,928 blocks ==15488== suppressed: 0 bytes in 0 blocks ==15488== Reachable blocks (those to which a pointer was found) are not shown. ==15488== To see them, rerun with: --leak-check=full --show-reachable=yes So in the end is there no leak with 'defintely and indirectly' lost being '0'? Actually other tests are not as favorable in the end: ==17333== LEAK SUMMARY: ==17333== definitely lost: 32 bytes in 1 blocks ==17333== indirectly lost: 1,449,440 bytes in 2,020 blocks ==17333== possibly lost: 1,007,275 bytes in 9,780 blocks ==17333== still reachable: 543,827 bytes in 7,933 blocks ==17333== suppressed: 0 bytes in 0 blocks ==17333== Reachable blocks (those to which a pointer was found) are not shown. ==17333== To see them, rerun with: --leak-check=full --show-reachable=yes Stefan

14 years, 1 month

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Devel October 2010