Devel
Threads by month
- ----- 2025 -----
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
March 2010
- 90 participants
- 347 discussions
02 Apr '10
The clock timer XML is being updated in the following ways (based on
further off-list discussion that was missed during the initial
implementation):
1) 'wallclock' is changed to 'track', and the possible values are 'boot'
(corresponds to old 'host'), 'guest', and 'wall'.
2) 'mode' has an additional value 'smpsafe'
3) when tickpolicy='catchup', there can be an optional sub-element of
timer called 'catchup':
<catchup threshold=123 slew=120 limit=10000/>
Those three values are all longs, always optional, and if they are present,
they are positive. Internally, 0 indicates "unspecified".
* docs/schemas/domain.rng: updated RNG definition to account for changes
* src/conf/domain_conf.h: change the C struct and enums to match changes.
* src/conf/domain_conf.c: timer parse and format functions changed to
handle the new selections and new element.
* src/libvirt_private.syms: *TimerWallclock* changes to *TimerTrack*
* src/qemu/qemu_conf.c: again, account for Wallclock --> Track change.
---
docs/schemas/domain.rng | 24 +++++++++++-
src/conf/domain_conf.c | 89 +++++++++++++++++++++++++++++++++++----------
src/conf/domain_conf.h | 26 ++++++++++----
src/libvirt_private.syms | 4 +-
src/qemu/qemu_conf.c | 17 +++++++--
5 files changed, 126 insertions(+), 34 deletions(-)
diff --git a/docs/schemas/domain.rng b/docs/schemas/domain.rng
index d804301..228665c 100644
--- a/docs/schemas/domain.rng
+++ b/docs/schemas/domain.rng
@@ -344,10 +344,11 @@
</choice>
</attribute>
<optional>
- <attribute name="wallclock">
+ <attribute name="track">
<choice>
- <value>host</value>
+ <value>boot</value>
<value>guest</value>
+ <value>wall</value>
</choice>
</attribute>
</optional>
@@ -362,6 +363,9 @@
</attribute>
</optional>
<optional>
+ <ref name="catchup"/>
+ </optional>
+ <optional>
<attribute name="frequency">
<ref name="unsignedInt"/>
</attribute>
@@ -373,6 +377,7 @@
<value>native</value>
<value>emulate</value>
<value>paravirt</value>
+ <value>smpsafe</value>
</choice>
</attribute>
</optional>
@@ -387,6 +392,21 @@
<empty/>
</element>
</define>
+ <define name="catchup">
+ <element name="catchup">
+ <optional>
+ <attribute name="threshold">
+ <ref name="unsignedInt"/>
+ </attribute>
+ <attribute name="slew">
+ <ref name="unsignedInt"/>
+ </attribute>
+ <attribute name="limit">
+ <ref name="unsignedInt"/>
+ </attribute>
+ </optional>
+ </element>
+ </define>
<!--
A bootloader may be used to extract the OS information instead of
defining the OS parameter in the instance. It points just to the
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 66aa53e..b8acab9 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -252,9 +252,10 @@ VIR_ENUM_IMPL(virDomainTimerName, VIR_DOMAIN_TIMER_NAME_LAST,
"hpet",
"tsc");
-VIR_ENUM_IMPL(virDomainTimerWallclock, VIR_DOMAIN_TIMER_WALLCLOCK_LAST,
- "host",
- "guest");
+VIR_ENUM_IMPL(virDomainTimerTrack, VIR_DOMAIN_TIMER_TRACK_LAST,
+ "boot",
+ "guest",
+ "wall");
VIR_ENUM_IMPL(virDomainTimerTickpolicy, VIR_DOMAIN_TIMER_TICKPOLICY_LAST,
"delay",
@@ -266,7 +267,8 @@ VIR_ENUM_IMPL(virDomainTimerMode, VIR_DOMAIN_TIMER_MODE_LAST,
"auto",
"native",
"emulate",
- "paravirt");
+ "paravirt",
+ "smpsafe");
#define virDomainReportError(code, ...) \
virReportErrorHelper(NULL, VIR_FROM_DOMAIN, code, __FILE__, \
@@ -2555,7 +2557,7 @@ virDomainTimerDefParseXML(const xmlNodePtr node,
char *name = NULL;
char *present = NULL;
char *tickpolicy = NULL;
- char *wallclock = NULL;
+ char *track = NULL;
char *mode = NULL;
virDomainTimerDefPtr def;
@@ -2603,12 +2605,12 @@ virDomainTimerDefParseXML(const xmlNodePtr node,
}
}
- def->wallclock = -1;
- wallclock = virXMLPropString(node, "wallclock");
- if (wallclock != NULL) {
- if ((def->wallclock = virDomainTimerWallclockTypeFromString(wallclock)) < 0) {
+ def->track = -1;
+ track = virXMLPropString(node, "track");
+ if (track != NULL) {
+ if ((def->track = virDomainTimerTrackTypeFromString(track)) < 0) {
virDomainReportError(VIR_ERR_INTERNAL_ERROR,
- _("unknown timer wallclock '%s'"), wallclock);
+ _("unknown timer track '%s'"), track);
goto error;
}
}
@@ -2616,7 +2618,7 @@ virDomainTimerDefParseXML(const xmlNodePtr node,
int ret = virXPathULong("string(./frequency)", ctxt, &def->frequency);
if (ret == -1) {
def->frequency = 0;
- } else if (ret <= 0) {
+ } else if (ret < 0) {
virDomainReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("invalid timer frequency"));
goto error;
@@ -2632,11 +2634,42 @@ virDomainTimerDefParseXML(const xmlNodePtr node,
}
}
+ xmlNodePtr catchup = virXPathNode("./catchup", ctxt);
+ if (catchup != NULL) {
+ ret = virXPathULong("string(./catchup/@threshold)", ctxt,
+ &def->catchup.threshold);
+ if (ret == -1) {
+ def->catchup.threshold = 0;
+ } else if (ret < 0) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("invalid catchup threshold"));
+ goto error;
+ }
+
+ ret = virXPathULong("string(./catchup/@slew)", ctxt, &def->catchup.slew);
+ if (ret == -1) {
+ def->catchup.slew = 0;
+ } else if (ret < 0) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("invalid catchup slew"));
+ goto error;
+ }
+
+ ret = virXPathULong("string(./catchup/@limit)", ctxt, &def->catchup.limit);
+ if (ret == -1) {
+ def->catchup.limit = 0;
+ } else if (ret < 0) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("invalid catchup limit"));
+ goto error;
+ }
+ }
+
cleanup:
VIR_FREE(name);
VIR_FREE(present);
VIR_FREE(tickpolicy);
- VIR_FREE(wallclock);
+ VIR_FREE(track);
VIR_FREE(mode);
ctxt->node = oldnode;
@@ -5456,16 +5489,16 @@ virDomainTimerDefFormat(virBufferPtr buf,
if ((def->name == VIR_DOMAIN_TIMER_NAME_PLATFORM)
|| (def->name == VIR_DOMAIN_TIMER_NAME_RTC)) {
- if (def->wallclock != -1) {
- const char *wallclock
- = virDomainTimerWallclockTypeToString(def->wallclock);
- if (!wallclock) {
+ if (def->track != -1) {
+ const char *track
+ = virDomainTimerTrackTypeToString(def->track);
+ if (!track) {
virDomainReportError(VIR_ERR_INTERNAL_ERROR,
- _("unexpected timer wallclock %d"),
- def->wallclock);
+ _("unexpected timer track %d"),
+ def->track);
return -1;
}
- virBufferVSprintf(buf, " wallclock='%s'", wallclock);
+ virBufferVSprintf(buf, " track='%s'", track);
}
}
@@ -5487,7 +5520,23 @@ virDomainTimerDefFormat(virBufferPtr buf,
}
}
- virBufferAddLit(buf, "/>\n");
+ if ((def->catchup.threshold == 0)
+ && (def->catchup.slew == 0)
+ && (def->catchup.limit == 0)) {
+ virBufferAddLit(buf, "/>\n");
+ } else {
+ virBufferAddLit(buf, ">\n <catchup ");
+ if (def->catchup.threshold > 0) {
+ virBufferVSprintf(buf, " threshold='%lu'", def->catchup.threshold);
+ }
+ if (def->catchup.slew > 0) {
+ virBufferVSprintf(buf, " slew='%lu'", def->catchup.slew);
+ }
+ if (def->catchup.limit > 0) {
+ virBufferVSprintf(buf, " limit='%lu'", def->catchup.limit);
+ }
+ virBufferAddLit(buf, "/>\n </timer>\n");
+ }
return 0;
}
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index ed1a4ad..435d546 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -656,11 +656,12 @@ enum virDomainTimerNameType {
VIR_DOMAIN_TIMER_NAME_LAST,
};
-enum virDomainTimerWallclockType {
- VIR_DOMAIN_TIMER_WALLCLOCK_HOST = 0,
- VIR_DOMAIN_TIMER_WALLCLOCK_GUEST,
+enum virDomainTimerTrackType {
+ VIR_DOMAIN_TIMER_TRACK_BOOT = 0,
+ VIR_DOMAIN_TIMER_TRACK_GUEST,
+ VIR_DOMAIN_TIMER_TRACK_WALL,
- VIR_DOMAIN_TIMER_WALLCLOCK_LAST,
+ VIR_DOMAIN_TIMER_TRACK_LAST,
};
enum virDomainTimerTickpolicyType {
@@ -677,10 +678,19 @@ enum virDomainTimerModeType {
VIR_DOMAIN_TIMER_MODE_NATIVE,
VIR_DOMAIN_TIMER_MODE_EMULATE,
VIR_DOMAIN_TIMER_MODE_PARAVIRT,
+ VIR_DOMAIN_TIMER_MODE_SMPSAFE,
VIR_DOMAIN_TIMER_MODE_LAST,
};
+typedef struct _virDomainTimerCatchupDef virDomainTimerCatchupDef;
+typedef virDomainTimerCatchupDef *virDomainTimerCatchupDefPtr;
+struct _virDomainTimerCatchupDef {
+ unsigned long threshold;
+ unsigned long slew;
+ unsigned long limit;
+};
+
typedef struct _virDomainTimerDef virDomainTimerDef;
typedef virDomainTimerDef *virDomainTimerDefPtr;
struct _virDomainTimerDef {
@@ -688,8 +698,10 @@ struct _virDomainTimerDef {
int present; /* unspecified = -1, no = 0, yes = 1 */
int tickpolicy; /* none|catchup|merge|discard */
- /* wallclock is only valid for name='platform|rtc' */
- int wallclock; /* host|guest */
+ virDomainTimerCatchupDef catchup;
+
+ /* track is only valid for name='platform|rtc' */
+ int track; /* host|guest */
/* frequency & mode are only valid for name='tsc' */
unsigned long frequency; /* in Hz, unspecified = 0 */
@@ -1029,7 +1041,7 @@ VIR_ENUM_DECL(virDomainClockOffset)
VIR_ENUM_DECL(virDomainNetdevMacvtap)
VIR_ENUM_DECL(virDomainTimerName)
-VIR_ENUM_DECL(virDomainTimerWallclock)
+VIR_ENUM_DECL(virDomainTimerTrack)
VIR_ENUM_DECL(virDomainTimerTickpolicy)
VIR_ENUM_DECL(virDomainTimerMode)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index cc943f8..08a6b97 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -199,8 +199,8 @@ virDomainClockOffsetTypeFromString;
virDomainDiskErrorPolicyTypeToString;
virDomainTimerNameTypeToString;
virDomainTimerNameTypeFromString;
-virDomainTimerWallclockTypeToString;
-virDomainTimerWallclockTypeFromString;
+virDomainTimerTrackTypeToString;
+virDomainTimerTrackTypeFromString;
virDomainTimerTickpolicyTypeToString;
virDomainTimerTickpolicyTypeFromString;
virDomainTimerModeTypeToString;
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 8f6f7ec..4f279be 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -3183,11 +3183,22 @@ qemuBuildClockArgStr(virDomainClockDefPtr def)
int i;
for (i = 0; i < def->ntimers; i++) {
if (def->timers[i]->name == VIR_DOMAIN_TIMER_NAME_RTC) {
- if (def->timers[i]->wallclock == VIR_DOMAIN_TIMER_WALLCLOCK_HOST) {
- virBufferAddLit(&buf, ",clock=host");
- } else if (def->timers[i]->wallclock == VIR_DOMAIN_TIMER_WALLCLOCK_GUEST) {
+ switch (def->timers[i]->track) {
+ case -1: /* unspecified - use hypervisor default */
+ break;
+ case VIR_DOMAIN_TIMER_TRACK_BOOT:
+ qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("unsupported rtc timer track '%s'"),
+ virDomainTimerTrackTypeToString(def->timers[i]->track));
+ goto error;
+ case VIR_DOMAIN_TIMER_TRACK_GUEST:
virBufferAddLit(&buf, ",clock=vm");
+ break;
+ case VIR_DOMAIN_TIMER_TRACK_WALL:
+ virBufferAddLit(&buf, ",clock=host");
+ break;
}
+
switch (def->timers[i]->tickpolicy) {
case -1:
case VIR_DOMAIN_TIMER_TICKPOLICY_DELAY:
--
1.6.6.1
2
2
While writing a couple of test cases for the nwfilter's XML parser I
found some cases where the output ended up not looking as expected. So
the following changes are in the patch below:
- if the protocol ID in the MAC header is an integer, just write it into
the datastructure without trying to find a corresponding string for it
and if none is found failing
- when writing the protocol ID as string, simply write it as integer if
no corresponding string can be found
- same changes for arpOpcode parsing and printing
- same changes for protocol ID in an IP packet
- DSCP value needs to be written into the data structure
- IP protocol version number is redundant at this level, so remove it
- parse the protocol ID found inside an IP packet not only as string but
also as uint8
- arrange the display of the src and destination masks to be shown after
the src and destination ip address respectively in the XML
- the existing libvirt IP address parser accepts for example '25' as an
IP address. I want this to be parsed as a CIDR type netmask. So try to
parse it as an integer first (CIDR netmask) and if that doesn't work as
a dotted IP address style netmask.
- instantiation of rules with MAC masks didn't work because they weren't
printed into a buffer, yet.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
src/conf/nwfilter_conf.c | 128 ++++++++++++++----------------
src/nwfilter/nwfilter_ebiptables_driver.c | 1
2 files changed, 61 insertions(+), 68 deletions(-)
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -403,15 +403,12 @@ checkMacProtocolID(enum attrDatatype dat
virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED)
{
int32_t res = -1;
- const char *str;
if (datatype == DATATYPE_STRING) {
if (intMapGetByString(macProtoMap, (char *)value, 1, &res) == 0)
res = -1;
} else if (datatype == DATATYPE_UINT16) {
- if (intMapGetByInt(macProtoMap,
- (int32_t)*(uint16_t *)value, &str) == 0)
- res = -1;
+ res = (uint32_t)*(uint16_t *)value;
}
if (res != -1) {
@@ -433,9 +430,10 @@ macProtocolIDFormatter(virBufferPtr buf,
nwf->p.ethHdrFilter.dataProtocolID.u.u16,
&str)) {
virBufferVSprintf(buf, "%s", str);
- return 1;
+ } else {
+ virBufferVSprintf(buf, "%d", nwf->p.ethHdrFilter.dataProtocolID.u.u16);
}
- return 0;
+ return 1;
}
@@ -500,15 +498,12 @@ arpOpcodeValidator(enum attrDatatype dat
virNWFilterRuleDefPtr nwf)
{
int32_t res = -1;
- const char *str;
if (datatype == DATATYPE_STRING) {
if (intMapGetByString(arpOpcodeMap, (char *)value, 1, &res) == 0)
res = -1;
} else if (datatype == DATATYPE_UINT16) {
- if (intMapGetByInt(arpOpcodeMap,
- (uint32_t)*(uint16_t *)value, &str) == 0)
- res = -1;
+ res = (uint32_t)*(uint16_t *)value;
}
if (res != -1) {
@@ -530,9 +525,10 @@ arpOpcodeFormatter(virBufferPtr buf,
nwf->p.arpHdrFilter.dataOpcode.u.u16,
&str)) {
virBufferVSprintf(buf, "%s", str);
- return 1;
+ } else {
+ virBufferVSprintf(buf, "%d", nwf->p.arpHdrFilter.dataOpcode.u.u16);
}
- return 0;
+ return 1;
}
@@ -560,16 +556,12 @@ static bool checkIPProtocolID(enum attrD
virNWFilterRuleDefPtr nwf)
{
int32_t res = -1;
- const char *str;
if (datatype == DATATYPE_STRING) {
if (intMapGetByString(ipProtoMap, (char *)value, 1, &res) == 0)
res = -1;
} else if (datatype == DATATYPE_UINT8) {
- // may just accept what user provides and not test...
- if (intMapGetByInt(ipProtoMap,
- (uint32_t)*(uint16_t *)value, &str) == 0)
- res = -1;
+ res = (uint32_t)*(uint16_t *)value;
}
if (res != -1) {
@@ -591,19 +583,24 @@ formatIPProtocolID(virBufferPtr buf,
nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8,
&str)) {
virBufferVSprintf(buf, "%s", str);
- return 1;
+ } else {
+ virBufferVSprintf(buf, "%d",
+ nwf->p.ipHdrFilter.ipHdr.dataProtocolID.u.u8);
}
- return 0;
+ return 1;
}
static bool
dscpValidator(enum attrDatatype datatype ATTRIBUTE_UNUSED, void *val,
- virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED)
+ virNWFilterRuleDefPtr nwf)
{
uint8_t dscp = *(uint16_t *)val;
if (dscp > 63)
return 0;
+
+ nwf->p.ipHdrFilter.ipHdr.dataDSCP.u.u8 = dscp;
+
return 1;
}
@@ -685,11 +682,6 @@ static const virXMLAttr2Struct arpAttrib
static const virXMLAttr2Struct ipAttributes[] = {
COMMON_MAC_PROPS(ipHdrFilter),
{
- .name = "version",
- .datatype = DATATYPE_UINT8,
- .dataIdx = offsetof(virNWFilterRuleDef, p.ipHdrFilter.ipHdr.dataIPVersion),
- },
- {
.name = SRCIPADDR,
.datatype = DATATYPE_IPADDR,
.dataIdx = offsetof(virNWFilterRuleDef, p.ipHdrFilter.ipHdr.dataSrcIPAddr),
@@ -711,7 +703,7 @@ static const virXMLAttr2Struct ipAttribu
},
{
.name = "protocol",
- .datatype = DATATYPE_STRING,
+ .datatype = DATATYPE_STRING | DATATYPE_UINT8,
.dataIdx = offsetof(virNWFilterRuleDef, p.ipHdrFilter.ipHdr.dataProtocolID),
.validator= checkIPProtocolID,
.formatter= formatIPProtocolID,
@@ -756,16 +748,16 @@ static const virXMLAttr2Struct ipv6Attri
.dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.ipHdr.dataSrcIPAddr),
},
{
- .name = DSTIPADDR,
- .datatype = DATATYPE_IPV6ADDR,
- .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.ipHdr.dataDstIPAddr),
- },
- {
.name = SRCIPMASK,
.datatype = DATATYPE_IPV6MASK,
.dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.ipHdr.dataSrcIPMask),
},
{
+ .name = DSTIPADDR,
+ .datatype = DATATYPE_IPV6ADDR,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.ipHdr.dataDstIPAddr),
+ },
+ {
.name = DSTIPMASK,
.datatype = DATATYPE_IPV6MASK,
.dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.ipHdr.dataDstIPMask),
@@ -818,16 +810,16 @@ static const virXMLAttr2Struct ipv6Attri
.dataIdx = offsetof(virNWFilterRuleDef, p.STRUCT.ipHdr.dataSrcIPAddr),\
},\
{\
- .name = DSTIPADDR,\
- .datatype = ADDRTYPE,\
- .dataIdx = offsetof(virNWFilterRuleDef, p.STRUCT.ipHdr.dataDstIPAddr),\
- },\
- {\
.name = SRCIPMASK,\
.datatype = MASKTYPE,\
.dataIdx = offsetof(virNWFilterRuleDef, p.STRUCT.ipHdr.dataSrcIPMask),\
},\
{\
+ .name = DSTIPADDR,\
+ .datatype = ADDRTYPE,\
+ .dataIdx = offsetof(virNWFilterRuleDef, p.STRUCT.ipHdr.dataDstIPAddr),\
+ },\
+ {\
.name = DSTIPMASK,\
.datatype = MASKTYPE,\
.dataIdx = offsetof(virNWFilterRuleDef, p.STRUCT.ipHdr.dataDstIPMask),\
@@ -1276,26 +1268,26 @@ virNWFilterRuleDetailsParse(virConnectPt
case DATATYPE_IPMASK:
storage_ptr = &item->u.u8;
- if (!virNWIPv4AddressParser(prop, &ipaddr)) {
- if (sscanf(prop, "%d", &int_val) == 1) {
- if (int_val >= 0 && int_val <= 32) {
- if (!validator)
- *(uint8_t *)storage_ptr =
- (uint8_t)int_val;
- found = 1;
- data_ptr = &int_val;
- } else
- rc = -1;
+ if (virStrToLong_i(prop, NULL, 10, &int_val) == 0) {
+ if (int_val >= 0 && int_val <= 32) {
+ if (!validator)
+ *(uint8_t *)storage_ptr =
+ (uint8_t)int_val;
+ found = 1;
+ data_ptr = &int_val;
} else
rc = -1;
} else {
- int_val = virSocketGetNumNetmaskBits(
+ if (virNWIPv4AddressParser(prop, &ipaddr)) {
+ int_val = virSocketGetNumNetmaskBits(
&ipaddr.addr);
- if (int_val >= 0)
- *(uint8_t *)storage_ptr = int_val;
- else
+ if (int_val >= 0)
+ *(uint8_t *)storage_ptr = int_val;
+ else
+ rc = -1;
+ found = 1;
+ } else
rc = -1;
- found = 1;
}
break;
@@ -1330,26 +1322,26 @@ virNWFilterRuleDetailsParse(virConnectPt
case DATATYPE_IPV6MASK:
storage_ptr = &item->u.u8;
- if (!virNWIPv6AddressParser(prop, &ipaddr)) {
- if (sscanf(prop, "%d", &int_val) == 1) {
- if (int_val >= 0 && int_val <= 128) {
- if (!validator)
- *(uint8_t *)storage_ptr =
- (uint8_t)int_val;
- found = 1;
- data_ptr = &int_val;
- } else
- rc = -1;
+ if (virStrToLong_i(prop, NULL, 10, &int_val) == 0) {
+ if (int_val >= 0 && int_val <= 128) {
+ if (!validator)
+ *(uint8_t *)storage_ptr =
+ (uint8_t)int_val;
+ found = 1;
+ data_ptr = &int_val;
} else
rc = -1;
} else {
- int_val = virSocketGetNumNetmaskBits(
- &ipaddr.addr);
- if (int_val >= 0)
- *(uint8_t *)storage_ptr = int_val;
- else
- rc = -1;
- found = 1;
+ if (virNWIPv6AddressParser(prop, &ipaddr)) {
+ int_val = virSocketGetNumNetmaskBits(
+ &ipaddr.addr);
+ if (int_val >= 0)
+ *(uint8_t *)storage_ptr = int_val;
+ else
+ rc = -1;
+ found = 1;
+ } else
+ rc = -1;
}
break;
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -189,6 +189,7 @@ printDataType(virConnectPtr conn,
break;
case DATATYPE_MACADDR:
+ case DATATYPE_MACMASK:
if (bufsize < VIR_MAC_STRING_BUFLEN) {
virNWFilterReportError(conn, VIR_ERR_INVALID_NWFILTER,
_("Buffer too small for MAC address"));
3
3
This set of patches is a first step towards removing the scanf and atoi
usage in libvirt. I began with the simple cases and post this now to get
some feedback before I start to convert the more difficult cases.
Changes in v2:
- don't test tmp for NULL
- note in commit message if parsing is stricter now
- don't leak in PRUnicharToInt (vbox)
- strip a trailing \n in openvzGetVPSUUID, as it was done before
- don't use strspn to skip whitespaces, virStrToLong* does this already
- fix virStrToLong* return value tests to check for < 0 instead of < 3 or != 1
- add STRSKIP to skip a given prefix of a string
Thanks to Eric Blake and Jim Meyering.
Matthias
2
22
To fix an ESX test case, valid interface names need '/' as valid letter.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
Index: libvirt-acl/src/conf/domain_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/domain_conf.h
+++ libvirt-acl/src/conf/domain_conf.h
@@ -298,7 +298,7 @@ struct _virDomainNetDef {
};
# define VALID_IFNAME_CHARS \
- "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
+ "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_/"
enum virDomainChrTargetType {
VIR_DOMAIN_CHR_TARGET_TYPE_NULL = 0,
2
2
domain_conf.c:494: undefined reference to 'virNWFilterHashTableFree'
domain_conf.c:5107: undefined reference to 'virNWFilterFormatParamAttributes'
Add missing source to the proxy and disable XML parsing code in
nwfilter_params.c for a proxy build.
---
proxy/Makefile.am | 2 ++
src/conf/nwfilter_params.c | 2 ++
2 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am
index aef11ca..9ea91d8 100644
--- a/proxy/Makefile.am
+++ b/proxy/Makefile.am
@@ -15,6 +15,7 @@ libexec_PROGRAMS = libvirt_proxy
libvirt_proxy_SOURCES = libvirt_proxy.c \
@top_srcdir@/src/util/buf.c \
+ @top_srcdir@/src/util/hash.c \
@top_srcdir@/src/util/logging.c \
@top_srcdir@/src/util/memory.c \
@top_srcdir@/src/util/network.c \
@@ -26,6 +27,7 @@ libvirt_proxy_SOURCES = libvirt_proxy.c \
@top_srcdir@/src/conf/storage_encryption_conf.c \
@top_srcdir@/src/conf/domain_conf.c \
@top_srcdir@/src/conf/cpu_conf.c \
+ @top_srcdir@/src/conf/nwfilter_params.c \
@top_srcdir@/src/xen/xend_internal.c \
@top_srcdir@/src/xen/xen_hypervisor.c \
@top_srcdir@/src/xen/sexpr.c \
diff --git a/src/conf/nwfilter_params.c b/src/conf/nwfilter_params.c
index 38a51c9..286c5ef 100644
--- a/src/conf/nwfilter_params.c
+++ b/src/conf/nwfilter_params.c
@@ -214,6 +214,7 @@ err_exit:
}
+#ifndef PROXY
virNWFilterHashTablePtr
virNWFilterParseParamAttributes(xmlNodePtr cur)
{
@@ -254,6 +255,7 @@ skip_entry:
}
return table;
}
+#endif
struct formatterParam {
--
1.6.3.3
2
2
31 Mar '10
Commit 7998714d60b997357bfea15d6f2d0f729fc8fb29 replaced '-a' with '&& test'
but this single '-a' needs to stay.
---
configure.ac | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/configure.ac b/configure.ac
index 3c3d7b3..fc87e19 100644
--- a/configure.ac
+++ b/configure.ac
@@ -240,7 +240,7 @@ AC_ARG_WITH([libvirtd],
dnl
dnl specific tests to setup DV devel environments with debug etc ...
dnl
-if [[ "${LOGNAME}" = "veillard" && test "`pwd`" = "/u/veillard/libvirt" ]] ; then
+if [[ "${LOGNAME}" = "veillard" -a "`pwd`" = "/u/veillard/libvirt" ]] ; then
STATIC_BINARIES="-static"
else
STATIC_BINARIES=
--
1.6.3.3
2
4
31 Mar '10
Subject: Support for learning a VM's IP address
This patch implements support for learning a VM's IP address. It uses
the pcap library to listen on the VM's backend network interface (tap)
or the physical ethernet device (macvtap) and tries to capture packets
with source or destination MAC address of the VM and learn from DHCP
Offers, ARP traffic, or first-sent IPv4 packet what the IP address of
the VM's interface is. This then allows to instantiate the network
traffic filtering rules without the user having to provide the IP
parameter somewhere in the filter description or in the interface
description as a parameter. This only supports to detect the parameter
IP, which is for the assumed single IPv4 address of a VM. There is not
support for interfaces that may have multiple IP addresses (IP
aliasing) or IPv6 that may then require more than one valid IP address
to be detected. A VM can have multiple independent interfaces that each
uses a different IP address and in that case it will be attempted to
detect each one of the address independently.
So, when for example an interface description in the domain XML has
looked like this up to now:
<interface type='bridge'>
<source bridge='mybridge'/>
<model type='virtio'/>
<filterref filter='clean-traffic'>
<parameter name='IP' value='10.2.3.4'/>
</filterref>
</interface>
you may omit the IP parameter:
<interface type='bridge'>
<source bridge='mybridge'/>
<model type='virtio'/>
<filterref filter='clean-traffic'/>
</interface>
Internally I am walking the 'tree' of a VM's referenced network filters
and determine with the given variables which variables are missing. Now,
the above IP parameter may be missing and this causes a libvirt-internal
thread to be started that uses the pcap library's API to listen to the
backend interface (in case of macvtap to the physical interface) in an
attempt to determine the missing IP parameter. If the backend interface
disappears the thread terminates assuming the VM was brought down. In
case of a macvtap device a timeout is being used to wait for packets
from the given VM (filtering by VM's interface MAC address). If the VM's
macvtap device disappeared the thread also terminates. In all other
cases it tries to determine the IP address of the VM and will then apply
the rules late on the given interface, which would have happened
immediately if the IP parameter had been explicitly given. In case an
error happens while the firewall rules are applied, the VM's backend
interface is 'down'ed preventing it to communicate. Reasons for failure
for applying the network firewall rules may that an ebtables/iptables
command failes or OOM errors. Essentially the same failure reasons may
occur as when the firewall rules are applied immediately on VM start,
except that due to the late application of the filtering rules the VM
now is already running and cannot be hindered anymore from starting.
Bringing down the whole VM would probably be considered too drastic.
While a VM's IP address is attempted to be determined only limited
updates to network filters are allowed. In particular it is prevented
that filters are modified in such a way that they would introduce new
variables.
A caveat: The algorithm does not know which one is the appropriate IP
address of a VM. If the VM spoofs an IP address in its first ARP traffic
or IPv4 packets its filtering rules will be instantiated for this IP
address, thus 'locking' it to the found IP address. So, it's still
'safer' to explicitly provide the IP address of a VM's interface in the
filter description if it is known beforehand.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
configure.ac | 39 ++
src/Makefile.am | 13
src/conf/nwfilter_conf.c | 7
src/conf/nwfilter_conf.h | 3
src/libvirt_private.syms | 12
src/nwfilter/nwfilter_driver.c | 11
src/nwfilter/nwfilter_ebiptables_driver.c | 100 +++++
src/nwfilter/nwfilter_ebiptables_driver.h | 7
src/nwfilter/nwfilter_gentech_driver.c | 408 +++++++++++++++++++--
src/nwfilter/nwfilter_gentech_driver.h | 14
src/nwfilter/nwfilter_learnipaddr.c | 579 ++++++++++++++++++++++++++++++
src/nwfilter/nwfilter_learnipaddr.h | 61 +++
12 files changed, 1216 insertions(+), 38 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h
===================================================================
--- /dev/null
+++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h
@@ -0,0 +1,61 @@
+/*
+ * nwfilter_learnipaddr.h: support for learning IP address used by a VM
+ * on an interface
+ *
+ * Copyright (C) 2010 IBM Corp.
+ * Copyright (C) 2010 Stefan Berger
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Author: Stefan Berger <stefanb(a)us.ibm.com>
+ */
+
+#ifndef __NWFILTER_LEARNIPADDR_H
+#define __NWFILTER_LEARNIPADDR_H
+
+typedef struct _virNWFilterIPAddrLearnReq virNWFilterIPAddrLearnReq;
+typedef virNWFilterIPAddrLearnReq *virNWFilterIPAddrLearnReqPtr;
+struct _virNWFilterIPAddrLearnReq {
+ char ifname[IF_NAMESIZE];
+ char linkdev[IF_NAMESIZE];
+ enum virDomainNetType nettype;
+ unsigned char macaddr[VIR_MAC_BUFLEN];
+ char *filtername;
+ virNWFilterHashTablePtr filterparams;
+ virNWFilterDriverStatePtr driver;
+
+ int status;
+ pthread_t thread;
+};
+
+int virNWFilterLearnIPAddress(virConnectPtr conn,
+ const char *ifname,
+ const char *linkdev,
+ enum virDomainNetType nettype,
+ const unsigned char *macaddr,
+ const char *filtername,
+ virNWFilterHashTablePtr filterparams,
+ virNWFilterDriverStatePtr driver);
+
+virNWFilterIPAddrLearnReqPtr virNWFilterLookupLearnReq(const char *ifname);
+
+
+void virNWFilterDelIpAddrForIfname(const char *ifname);
+const char *virNWFilterGetIpAddrForIfname(const char *ifname);
+
+int virNWFilterLearnInit(void);
+void virNWFilterLearnShutdown(void);
+
+#endif /* __NWFILTER_LEARNIPADDR_H */
Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c
===================================================================
--- /dev/null
+++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c
@@ -0,0 +1,579 @@
+/*
+ * nwfilter_learnipaddr.c: support for learning IP address used by a VM
+ * on an interface
+ *
+ * Copyright (C) 2010 IBM Corp.
+ * Copyright (C) 2010 Stefan Berger
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Author: Stefan Berger <stefanb(a)us.ibm.com>
+ */
+
+#include <config.h>
+
+#ifdef HAVE_LIBPCAP
+#include <pcap.h>
+#endif
+
+#include <fcntl.h>
+#include <sys/ioctl.h>
+
+#include <arpa/inet.h>
+#include <net/ethernet.h>
+#include <netinet/ip.h>
+#include <netinet/udp.h>
+#include <net/if_arp.h>
+#include <linux/if.h>
+
+#include "internal.h"
+
+#include "buf.h"
+#include "memory.h"
+#include "logging.h"
+#include "datatypes.h"
+#include "virterror_internal.h"
+#include "threads.h"
+#include "conf/nwfilter_params.h"
+#include "conf/domain_conf.h"
+#include "nwfilter_gentech_driver.h"
+#include "nwfilter_ebiptables_driver.h"
+#include "nwfilter_learnipaddr.h"
+
+#define VIR_FROM_THIS VIR_FROM_NWFILTER
+
+
+/* structure of an ARP request/reply message */
+struct f_arphdr {
+ struct arphdr arphdr;
+ uint8_t ar_sha[ETH_ALEN];
+ uint32_t ar_sip;
+ uint8_t ar_tha[ETH_ALEN];
+ uint32_t ar_tip;
+} __attribute__((packed));
+
+
+/* structure representing DHCP message */
+struct dhcp {
+ uint8_t op;
+ uint8_t htype;
+ uint8_t hlen;
+ uint8_t hops;
+ uint32_t xid;
+ uint16_t secs;
+ uint16_t flags;
+ uint32_t ciaddr;
+ uint32_t yiaddr;
+ uint32_t siaddr;
+ uint32_t giaddr;
+ uint32_t chaddr;
+ /* omitted */
+} __attribute__((packed));
+
+
+struct ether_vlan_header
+{
+ uint8_t dhost[ETH_ALEN];
+ uint8_t shost[ETH_ALEN];
+ uint16_t vlan_type;
+ uint16_t vlan_flags;
+ uint16_t ether_type;
+} __attribute__((packed));
+
+
+static virMutex pendingLearnReqLock;
+static virHashTablePtr pendingLearnReq;
+
+static virMutex ipAddressMapLock;
+static virNWFilterHashTablePtr ipAddressMap;
+
+
+static void
+virNWFilterIPAddrLearnReqFree(virNWFilterIPAddrLearnReqPtr req) {
+ if (!req)
+ return;
+
+ VIR_FREE(req->filtername);
+ virNWFilterHashTableFree(req->filterparams);
+
+ VIR_FREE(req);
+}
+
+
+#if HAVE_LIBPCAP
+
+static int
+virNWFilterRegisterLearnReq(virNWFilterIPAddrLearnReqPtr req) {
+ int res = -1;
+ virMutexLock(&pendingLearnReqLock);
+
+ if (!virHashLookup(pendingLearnReq, req->ifname))
+ res = virHashAddEntry(pendingLearnReq, req->ifname, req);
+
+ virMutexUnlock(&pendingLearnReqLock);
+
+ return res;
+}
+
+#endif
+
+
+virNWFilterIPAddrLearnReqPtr
+virNWFilterLookupLearnReq(const char *ifname) {
+ void *res;
+
+ virMutexLock(&pendingLearnReqLock);
+
+ res = virHashLookup(pendingLearnReq, ifname);
+
+ virMutexUnlock(&pendingLearnReqLock);
+
+ return res;
+}
+
+
+static void
+freeLearnReqEntry(void *payload, const char *name ATTRIBUTE_UNUSED) {
+ virNWFilterIPAddrLearnReqFree(payload);
+}
+
+
+#ifdef HAVE_LIBPCAP
+
+static virNWFilterIPAddrLearnReqPtr
+virNWFilterDeregisterLearnReq(const char *ifname) {
+ virNWFilterIPAddrLearnReqPtr res;
+
+ virMutexLock(&pendingLearnReqLock);
+
+ res = virHashLookup(pendingLearnReq, ifname);
+
+ if (res)
+ virHashRemoveEntry(pendingLearnReq, ifname, NULL);
+
+ virMutexUnlock(&pendingLearnReqLock);
+
+ return res;
+}
+
+
+
+static int
+virNWFilterAddIpAddrForIfname(const char *ifname, char *addr) {
+ int ret;
+
+ virMutexLock(&ipAddressMapLock);
+
+ ret = virNWFilterHashTablePut(ipAddressMap, ifname, addr, 1);
+
+ virMutexUnlock(&ipAddressMapLock);
+
+ return ret;
+}
+#endif
+
+
+void
+virNWFilterDelIpAddrForIfname(const char *ifname) {
+
+ virMutexLock(&ipAddressMapLock);
+
+ if (virHashLookup(ipAddressMap->hashTable, ifname))
+ virNWFilterHashTableRemoveEntry(ipAddressMap, ifname);
+
+ virMutexUnlock(&ipAddressMapLock);
+}
+
+
+const char *
+virNWFilterGetIpAddrForIfname(const char *ifname) {
+ const char *res;
+
+ virMutexLock(&ipAddressMapLock);
+
+ res = virHashLookup(ipAddressMap->hashTable, ifname);
+
+ virMutexUnlock(&ipAddressMapLock);
+
+ return res;
+}
+
+
+#ifdef HAVE_LIBPCAP
+
+/**
+ * learnIPAddressThread
+ * arg: pointer to virNWFilterIPAddrLearnReq structure
+ *
+ * Learn the IP address being used on an interface. Use ARP Request and
+ * Reply messages, DHCP offers and the first IP packet being sent from
+ * the VM to detect the IP address it is using. Detects only one IP address
+ * per interface (IP aliasing not supported)
+ */
+static void *
+learnIPAddressThread(void *arg)
+{
+ char errbuf[PCAP_ERRBUF_SIZE] = {0};
+ pcap_t *handle;
+ struct bpf_program fp;
+ struct pcap_pkthdr header;
+ const u_char *packet;
+ struct ether_header *ether_hdr;
+ struct ether_vlan_header *vlan_hdr;
+ virNWFilterIPAddrLearnReqPtr req = arg;
+ uint32_t vmaddr = 0;
+ unsigned int ethHdrSize;
+ char *listen_if = (strlen(req->linkdev) != 0) ? req->linkdev
+ : req->ifname;
+ int to_ms = (strlen(req->linkdev) != 0) ? 1000
+ : 0;
+ char macaddr[VIR_MAC_STRING_BUFLEN];
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ char *filter= NULL;
+ uint16_t etherType;
+
+ req->status = 0;
+
+ handle = pcap_open_live(listen_if, BUFSIZ, 0, to_ms, errbuf);
+
+ if (handle == NULL) {
+ VIR_DEBUG("Couldn't open device %s: %s\n", listen_if, errbuf);
+ req->status = ENODEV;
+ goto done;
+ }
+
+ virFormatMacAddr(req->macaddr, macaddr);
+ virBufferVSprintf(&buf, "ether host %s", macaddr);
+ if (virBufferError(&buf)) {
+ req->status = ENOMEM;
+ goto done;
+ }
+
+ filter = virBufferContentAndReset(&buf);
+
+ if (pcap_compile(handle, &fp, filter, 1, 0) != 0 ||
+ pcap_setfilter(handle, &fp) != 0) {
+ VIR_DEBUG("Couldn't compile or set filter '%s'.\n", filter);
+ req->status = EINVAL;
+ goto done;
+ }
+
+ while (req->status == 0 && vmaddr == 0) {
+ packet = pcap_next(handle, &header);
+
+ if (!packet) {
+ if (to_ms == 0) {
+ /* assuming IF disappeared */
+ req->status = ENODEV;
+ break;
+ }
+ /* listening on linkdev, check whether VM's dev is still there */
+ if (checkIf(req->ifname, req->macaddr)) {
+ req->status = ENODEV;
+ break;
+ }
+ continue;
+ }
+
+ if (header.len >= sizeof(struct ether_header)) {
+ ether_hdr = (struct ether_header*)packet;
+
+ switch (ntohs(ether_hdr->ether_type)) {
+
+ case ETHERTYPE_IP:
+ ethHdrSize = sizeof(struct ether_header);
+ etherType = ntohs(ether_hdr->ether_type);
+ break;
+
+ case ETHERTYPE_VLAN:
+ ethHdrSize = sizeof(struct ether_vlan_header);
+ vlan_hdr = (struct ether_vlan_header *)packet;
+ if (ntohs(vlan_hdr->ether_type) != ETHERTYPE_IP ||
+ header.len < ethHdrSize)
+ continue;
+ etherType = ntohs(vlan_hdr->ether_type);
+ break;
+
+ default:
+ continue;
+ }
+
+ if (memcmp(ether_hdr->ether_shost,
+ req->macaddr,
+ VIR_MAC_BUFLEN) == 0) {
+ // packets from the VM
+
+ if ((header.len >= ethHdrSize +
+ sizeof(struct iphdr))) {
+ struct iphdr *iphdr = (struct iphdr*)(packet +
+ ethHdrSize);
+ vmaddr = iphdr->saddr;
+ // skip eth. bcast and mcast addresses,
+ // and zero address in DHCP Requests
+ if ((ntohl(vmaddr) & 0xc0000000) || vmaddr == 0) {
+ vmaddr = 0;
+ continue;
+ }
+
+ } else if (etherType == ETHERTYPE_ARP &&
+ (header.len >= ethHdrSize +
+ sizeof(struct f_arphdr))) {
+ struct f_arphdr *arphdr = (struct f_arphdr*)(packet +
+ ethHdrSize);
+ switch (ntohs(arphdr->arphdr.ar_op)) {
+ case ARPOP_REPLY:
+ vmaddr = arphdr->ar_sip;
+ break;
+ case ARPOP_REQUEST:
+ vmaddr = arphdr->ar_tip;
+ break;
+ }
+ }
+ } else if (memcmp(ether_hdr->ether_dhost,
+ req->macaddr,
+ VIR_MAC_BUFLEN) == 0) {
+ // packets to the VM
+ if (etherType == ETHERTYPE_IP &&
+ (header.len >= ethHdrSize +
+ sizeof(struct iphdr))) {
+ struct iphdr *iphdr = (struct iphdr*)(packet +
+ ethHdrSize);
+ if ((iphdr->protocol == IPPROTO_UDP) &&
+ (header.len >= ethHdrSize +
+ iphdr->ihl * 4 +
+ sizeof(struct udphdr))) {
+ struct udphdr *udphdr= (struct udphdr *)
+ ((char *)iphdr + iphdr->ihl * 4);
+ if (ntohs(udphdr->source) == 67 &&
+ ntohs(udphdr->dest) == 68 &&
+ header.len >= ethHdrSize +
+ iphdr->ihl * 4 +
+ sizeof(struct udphdr) +
+ sizeof(struct dhcp)) {
+ struct dhcp *dhcp = (struct dhcp *)
+ ((char *)udphdr + sizeof(udphdr));
+ if (dhcp->op == 2 /* DHCP OFFER */) {
+ vmaddr = dhcp->yiaddr;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ done:
+ VIR_FREE(filter);
+
+ if (handle)
+ pcap_close(handle);
+
+ ebtablesRemoveBasicRules(NULL, req->ifname);
+
+ if (req->status == 0) {
+ int ret;
+ char inetaddr[INET_ADDRSTRLEN];
+ inet_ntop(AF_INET, &vmaddr, inetaddr, sizeof(inetaddr));
+
+ virNWFilterAddIpAddrForIfname(req->ifname, strdup(inetaddr));
+
+ ret = virNWFilterInstantiateFilterLate(NULL,
+ req->ifname,
+ req->linkdev,
+ req->nettype,
+ req->macaddr,
+ req->filtername,
+ req->filterparams,
+ req->driver);
+ VIR_DEBUG("Result from applying firewall rules on "
+ "%s with IP addr %s : %d\n", req->ifname, inetaddr, ret);
+ }
+
+ memset(&req->thread, 0x0, sizeof(req->thread));
+
+ VIR_DEBUG("pcap thread terminating for interface %s\n",req->ifname);
+
+ virNWFilterDeregisterLearnReq(req->ifname);
+
+ virNWFilterIPAddrLearnReqFree(req);
+
+ return 0;
+}
+
+
+/**
+ * virNWFilterLearnIPAddress
+ * @conn: pointer to virConnect object
+ * @ifname: the name of the interface
+ * @linkdev : the name of the link device; currently only used in case of a
+ * macvtap device
+ * @nettype : the type of interface
+ * @macaddr : the MAC address of the interface
+ * @filtername : the name of the top-level filter to apply to the interface
+ * once its IP address has been detected
+ * @driver : the network filter driver
+ *
+ * Instruct to learn the IP address being used on a given interface (ifname).
+ * Unless there already is a thread attempting to learn the IP address
+ * being used on the interface, a thread is started that will listen on
+ * the traffic being sent on the interface (or link device) with the
+ * MAC address that is provided. Will then launch the application of the
+ * firewall rules on the interface.
+ */
+int
+virNWFilterLearnIPAddress(virConnectPtr conn,
+ const char *ifname,
+ const char *linkdev,
+ enum virDomainNetType nettype,
+ const unsigned char *macaddr,
+ const char *filtername,
+ virNWFilterHashTablePtr filterparams,
+ virNWFilterDriverStatePtr driver) {
+ int rc;
+ virNWFilterIPAddrLearnReqPtr req = NULL;
+ virNWFilterHashTablePtr ht = NULL;
+
+ if (VIR_ALLOC(req) < 0) {
+ virReportOOMError();
+ goto err_exit;
+ }
+
+ ht = virNWFilterHashTableCreate(0);
+ if (ht == NULL) {
+ virReportOOMError();
+ goto err_exit;
+ }
+
+ if (virNWFilterHashTablePutAll(conn, filterparams, ht))
+ goto err_exit;
+
+ req->filtername = strdup(filtername);
+ if (req->filtername == NULL) {
+ virReportOOMError();
+ goto err_exit;
+ }
+
+ if (virStrcpyStatic(req->ifname, ifname) == NULL) {
+ virNWFilterReportError(conn, VIR_ERR_INTERNAL_ERROR,
+ _("Destination buffer for ifname ('%s') "
+ "not large enough"), ifname);
+ goto err_exit;
+ }
+
+ if (linkdev) {
+ if (virStrcpyStatic(req->linkdev, linkdev) == NULL) {
+ virNWFilterReportError(conn, VIR_ERR_INTERNAL_ERROR,
+ _("Destination buffer for linkdev ('%s') "
+ "not large enough"), linkdev);
+ goto err_exit;
+ }
+ }
+ req->nettype = nettype;
+ memcpy(req->macaddr, macaddr, sizeof(req->macaddr));
+ req->driver = driver;
+ req->filterparams = ht;
+ ht = NULL;
+
+ rc = virNWFilterRegisterLearnReq(req);
+
+ if (rc)
+ goto err_exit;
+
+ if (ebtablesApplyBasicRules(conn,
+ ifname,
+ macaddr)) {
+ goto err_exit;
+ }
+
+ if (pthread_create(&req->thread,
+ NULL,
+ learnIPAddressThread,
+ req) != 0)
+ goto err_exit;
+
+ return 0;
+
+err_exit:
+ ebtablesRemoveBasicRules(conn, ifname);
+ virNWFilterIPAddrLearnReqFree(req);
+ virNWFilterHashTableFree(ht);
+ return 1;
+}
+
+#else
+
+int
+virNWFilterLearnIPAddress(virConnectPtr conn ATTRIBUTE_UNUSED,
+ const char *ifname ATTRIBUTE_UNUSED,
+ const char *linkdev ATTRIBUTE_UNUSED,
+ enum virDomainNetType nettype ATTRIBUTE_UNUSED,
+ const unsigned char *macaddr ATTRIBUTE_UNUSED,
+ const char *filtername ATTRIBUTE_UNUSED,
+ virNWFilterHashTablePtr filterparams ATTRIBUTE_UNUSED,
+ virNWFilterDriverStatePtr driver ATTRIBUTE_UNUSED) {
+ virNWFilterReportError(conn, VIR_ERR_INTERNAL_ERROR,
+ _("IP parameter must be given since libvirt "
+ "was not compiled with IP address learning "
+ "support"));
+ return 1;
+}
+#endif /* HAVE_LIBPCAP */
+
+
+/**
+ * virNWFilterLearnInit
+ * Initialization of this layer
+ */
+int
+virNWFilterLearnInit(void) {
+ pendingLearnReq = virHashCreate(0);
+ if (!pendingLearnReq) {
+ virReportOOMError();
+ return 1;
+ }
+
+ if (virMutexInit(&pendingLearnReqLock)) {
+ virNWFilterLearnShutdown();
+ return 1;
+ }
+
+ ipAddressMap = virNWFilterHashTableCreate(0);
+ if (!ipAddressMap) {
+ virReportOOMError();
+ virNWFilterLearnShutdown();
+ return 1;
+ }
+
+ if (virMutexInit(&ipAddressMapLock)) {
+ virNWFilterLearnShutdown();
+ return 1;
+ }
+
+ return 0;
+}
+
+
+/**
+ * virNWFilterLearnShutdown
+ * Shutdown of this layer
+ */
+void
+virNWFilterLearnShutdown(void) {
+ virHashFree(pendingLearnReq, freeLearnReqEntry);
+ pendingLearnReq = NULL;
+
+ virNWFilterHashTableFree(ipAddressMap);
+ ipAddressMap = NULL;
+}
Index: libvirt-acl/src/Makefile.am
===================================================================
--- libvirt-acl.orig/src/Makefile.am
+++ libvirt-acl/src/Makefile.am
@@ -289,7 +289,8 @@ STORAGE_HELPER_DISK_SOURCES = \
NWFILTER_DRIVER_SOURCES = \
nwfilter/nwfilter_driver.h nwfilter/nwfilter_driver.c \
nwfilter/nwfilter_gentech_driver.c \
- nwfilter/nwfilter_ebiptables_driver.c
+ nwfilter/nwfilter_ebiptables_driver.c \
+ nwfilter/nwfilter_learnipaddr.c
# Security framework and drivers for various models
SECURITY_DRIVER_SOURCES = \
@@ -740,10 +741,11 @@ else
libvirt_la_LIBADD += libvirt_driver_nwfilter.la
noinst_LTLIBRARIES += libvirt_driver_nwfilter.la
endif
-libvirt_driver_nwfilter_la_CFLAGS = \
+libvirt_driver_nwfilter_la_CFLAGS = $(LIBPCAP_CFLAGS) \
-I@top_srcdir@/src/conf
+libvirt_driver_nwfilter_la_LDFLAGS = $(LIBPCAP_LIBS)
if WITH_DRIVER_MODULES
-libvirt_driver_nwfilter_la_LDFLAGS = -module -avoid-version ../gnulib/lib/libgnu.la
+libvirt_driver_nwfilter_la_LDFLAGS += -module -avoid-version ../gnulib/lib/libgnu.la
endif
libvirt_driver_nwfilter_la_SOURCES = $(NWFILTER_DRIVER_SOURCES)
endif
@@ -887,6 +889,7 @@ libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FL
-version-info $(LIBVIRT_VERSION_INFO) \
$(COVERAGE_CFLAGS:-f%=-Wc,-f%) \
$(LIBXML_LIBS) \
+ $(LIBPCAP_LIBS) \
$(DRIVER_MODULE_LIBS) \
$(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS)
libvirt_la_CFLAGS = $(COVERAGE_CFLAGS) -DIN_LIBVIRT
@@ -935,8 +938,8 @@ libvirt_lxc_SOURCES = \
$(NODE_INFO_SOURCES) \
$(ENCRYPTION_CONF_SOURCES) \
$(DOMAIN_CONF_SOURCES) \
- $(NWFILTER_PARAM_CONF_SOURCES) \
- $(CPU_CONF_SOURCES)
+ $(CPU_CONF_SOURCES) \
+ $(NWFILTER_PARAM_CONF_SOURCES)
libvirt_lxc_LDFLAGS = $(WARN_CFLAGS) $(COVERAGE_LDCFLAGS) $(CAPNG_LIBS) $(YAJL_LIBS)
libvirt_lxc_LDADD = $(LIBXML_LIBS) $(NUMACTL_LIBS) ../gnulib/lib/libgnu.la
libvirt_lxc_CFLAGS = \
Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c
@@ -24,6 +24,9 @@
#include <config.h>
#include <stdint.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <linux/if.h>
#include "internal.h"
@@ -34,12 +37,16 @@
#include "virterror_internal.h"
#include "nwfilter_gentech_driver.h"
#include "nwfilter_ebiptables_driver.h"
+#include "nwfilter_learnipaddr.h"
#define VIR_FROM_THIS VIR_FROM_NWFILTER
#define NWFILTER_STD_VAR_MAC "MAC"
+#define NWFILTER_STD_VAR_IP "IP"
+
+static int _virNWFilterTeardownFilter(const char *ifname);
static virNWFilterTechDriverPtr filter_tech_drivers[] = {
@@ -111,6 +118,8 @@ virNWFilterRuleInstFree(virNWFilterRuleI
* @tables: pointer to hash tabel to add values to
* @macaddr: The string of the MAC address to add to the hash table,
* may be NULL
+ * @ipaddr: The string of the IP address to add to the hash table;
+ * may be NULL
*
* Returns 0 in case of success, 1 in case an error happened with
* error having been reported.
@@ -120,7 +129,8 @@ virNWFilterRuleInstFree(virNWFilterRuleI
static int
virNWFilterVarHashmapAddStdValues(virConnectPtr conn,
virNWFilterHashTablePtr table,
- char *macaddr)
+ char *macaddr,
+ char *ipaddr)
{
if (macaddr) {
if (virHashAddEntry(table->hashTable,
@@ -132,6 +142,16 @@ virNWFilterVarHashmapAddStdValues(virCon
}
}
+ if (ipaddr) {
+ if (virHashAddEntry(table->hashTable,
+ NWFILTER_STD_VAR_IP,
+ ipaddr) < 0) {
+ virNWFilterReportError(conn, VIR_ERR_INTERNAL_ERROR,
+ "%s", _("Could not add variable 'IP' to hashmap"));
+ return 1;
+ }
+ }
+
return 0;
}
@@ -140,23 +160,26 @@ virNWFilterVarHashmapAddStdValues(virCon
* virNWFilterCreateVarHashmap:
* @conn: pointer to virConnect object
* @macaddr: pointer to string containing formatted MAC address of interface
+ * @ipaddr: pointer to string containing formatted IP address used by
+ * VM on this interface; may be NULL
*
* Create a hashmap used for evaluating the firewall rules. Initializes
- * it with the standard variable 'MAC'.
+ * it with the standard variable 'MAC' and 'IP' if provided.
*
* Returns pointer to hashmap, NULL if an error occcurred and error message
* is attached to the virConnect object.
*/
virNWFilterHashTablePtr
virNWFilterCreateVarHashmap(virConnectPtr conn,
- char *macaddr) {
+ char *macaddr,
+ char *ipaddr) {
virNWFilterHashTablePtr table = virNWFilterHashTableCreate(0);
if (!table) {
virReportOOMError();
return NULL;
}
- if (virNWFilterVarHashmapAddStdValues(conn, table, macaddr)) {
+ if (virNWFilterVarHashmapAddStdValues(conn, table, macaddr, ipaddr)) {
virNWFilterHashTableFree(table);
return NULL;
}
@@ -284,9 +307,9 @@ _virNWFilterInstantiateRec(virConnectPtr
virNWFilterHashTablePtr vars,
int *nEntries,
virNWFilterRuleInstPtr **insts,
- enum instCase useNewFilter, int *foundNewFilter)
+ enum instCase useNewFilter, int *foundNewFilter,
+ virNWFilterDriverStatePtr driver)
{
- virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
virNWFilterPoolObjPtr obj;
int rc = 0;
int i;
@@ -365,7 +388,96 @@ _virNWFilterInstantiateRec(virConnectPtr
tmpvars,
nEntries, insts,
useNewFilter,
- foundNewFilter);
+ foundNewFilter,
+ driver);
+
+ virNWFilterHashTableFree(tmpvars);
+
+ virNWFilterPoolObjUnlock(obj);
+ if (rc)
+ break;
+ } else {
+ virNWFilterReportError(conn, VIR_ERR_INTERNAL_ERROR,
+ _("referenced filter '%s' is missing"),
+ inc->filterref);
+ rc = 1;
+ break;
+ }
+ }
+ }
+ return rc;
+}
+
+
+static int
+virNWFilterDetermineMissingVarsRec(virConnectPtr conn,
+ virNWFilterDefPtr filter,
+ virNWFilterHashTablePtr vars,
+ virNWFilterHashTablePtr missing_vars,
+ int useNewFilter,
+ virNWFilterDriverStatePtr driver)
+{
+ virNWFilterPoolObjPtr obj;
+ int rc = 0;
+ int i, j;
+ virNWFilterDefPtr next_filter;
+
+ for (i = 0; i < filter->nentries; i++) {
+ virNWFilterRuleDefPtr rule = filter->filterEntries[i]->rule;
+ virNWFilterIncludeDefPtr inc = filter->filterEntries[i]->include;
+ if (rule) {
+ // check all variables of this rule
+ for (j = 0; j < rule->nvars; j++) {
+ if (!virHashLookup(vars->hashTable, rule->vars[j])) {
+ virNWFilterHashTablePut(missing_vars, rule->vars[j],
+ strdup("1"), 1);
+ }
+ }
+ } else if (inc) {
+ VIR_DEBUG("Following filter %s\n", inc->filterref);
+ obj = virNWFilterPoolObjFindByName(&driver->pools,
+ inc->filterref);
+ if (obj) {
+
+ if (obj->wantRemoved) {
+ virNWFilterReportError(conn, VIR_ERR_NO_NWFILTER,
+ _("Filter '%s' is in use."),
+ inc->filterref);
+ rc = 1;
+ virNWFilterPoolObjUnlock(obj);
+ break;
+ }
+
+ // create a temporary hashmap for depth-first tree traversal
+ virNWFilterHashTablePtr tmpvars =
+ virNWFilterCreateVarsFrom(conn,
+ inc->params,
+ vars);
+ if (!tmpvars) {
+ virReportOOMError();
+ rc = 1;
+ virNWFilterPoolObjUnlock(obj);
+ break;
+ }
+
+ next_filter = obj->def;
+
+ switch (useNewFilter) {
+ case INSTANTIATE_FOLLOW_NEWFILTER:
+ if (obj->newDef) {
+ next_filter = obj->newDef;
+ }
+ break;
+ case INSTANTIATE_ALWAYS:
+ break;
+ }
+
+ rc = virNWFilterDetermineMissingVarsRec(conn,
+ next_filter,
+ tmpvars,
+ missing_vars,
+ useNewFilter,
+ driver);
virNWFilterHashTableFree(tmpvars);
@@ -438,9 +550,12 @@ virNWFilterInstantiate(virConnectPtr con
enum virDomainNetType nettype,
virNWFilterDefPtr filter,
const char *ifname,
+ const char *linkdev,
virNWFilterHashTablePtr vars,
enum instCase useNewFilter, int *foundNewFilter,
- bool teardownOld)
+ bool teardownOld,
+ const unsigned char *macaddr,
+ virNWFilterDriverStatePtr driver)
{
int rc;
int j, nptrs;
@@ -449,6 +564,44 @@ virNWFilterInstantiate(virConnectPtr con
void **ptrs = NULL;
int instantiate = 1;
+ virNWFilterLockFilterUpdates();
+
+ virNWFilterHashTablePtr missing_vars = virNWFilterHashTableCreate(0);
+ if (!missing_vars) {
+ virReportOOMError();
+ rc = 1;
+ goto err_exit;
+ }
+
+ rc = virNWFilterDetermineMissingVarsRec(conn,
+ filter,
+ vars,
+ missing_vars,
+ useNewFilter,
+ driver);
+ if (rc)
+ goto err_exit;
+
+ if (virHashSize(missing_vars->hashTable) == 1) {
+ if (virHashLookup(missing_vars->hashTable,
+ NWFILTER_STD_VAR_IP) != NULL) {
+ if (virNWFilterLookupLearnReq(ifname) == NULL) {
+ rc = virNWFilterLearnIPAddress(conn,
+ ifname,
+ linkdev,
+ nettype, macaddr,
+ filter->name,
+ vars, driver);
+ }
+ goto err_exit;
+ }
+ rc = 1;
+ goto err_exit;
+ } else if (virHashSize(missing_vars->hashTable) > 1) {
+ rc = 1;
+ goto err_exit;
+ }
+
rc = _virNWFilterInstantiateRec(conn,
techdriver,
nettype,
@@ -456,7 +609,8 @@ virNWFilterInstantiate(virConnectPtr con
ifname,
vars,
&nEntries, &insts,
- useNewFilter, foundNewFilter);
+ useNewFilter, foundNewFilter,
+ driver);
if (rc)
goto err_exit;
@@ -487,24 +641,33 @@ virNWFilterInstantiate(virConnectPtr con
err_exit:
+ virNWFilterUnlockFilterUpdates();
+
for (j = 0; j < nEntries; j++)
virNWFilterRuleInstFree(insts[j]);
VIR_FREE(insts);
+ virNWFilterHashTableFree(missing_vars);
+
return rc;
}
static int
-_virNWFilterInstantiateFilter(virConnectPtr conn,
- const virDomainNetDefPtr net,
- bool teardownOld,
- enum instCase useNewFilter)
+__virNWFilterInstantiateFilter(virConnectPtr conn,
+ bool teardownOld,
+ const char *ifname,
+ const char *linkdev,
+ enum virDomainNetType nettype,
+ const unsigned char *macaddr,
+ const char *filtername,
+ virNWFilterHashTablePtr filterparams,
+ enum instCase useNewFilter,
+ virNWFilterDriverStatePtr driver)
{
int rc;
const char *drvname = EBIPTABLES_DRIVER_ID;
- virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
virNWFilterTechDriverPtr techdriver;
virNWFilterPoolObjPtr obj;
virNWFilterHashTablePtr vars, vars1;
@@ -512,6 +675,8 @@ _virNWFilterInstantiateFilter(virConnect
char vmmacaddr[VIR_MAC_STRING_BUFLEN] = {0};
int foundNewFilter = 0;
char *str_macaddr = NULL;
+ const char *ipaddr;
+ char *str_ipaddr = NULL;
techdriver = virNWFilterTechDriverForName(drvname);
@@ -523,25 +688,25 @@ _virNWFilterInstantiateFilter(virConnect
return 1;
}
- VIR_DEBUG("filter name: %s\n", net->filter);
+ VIR_DEBUG("filter name: %s\n", filtername);
- obj = virNWFilterPoolObjFindByName(&driver->pools, net->filter);
+ obj = virNWFilterPoolObjFindByName(&driver->pools, filtername);
if (!obj) {
virNWFilterReportError(conn, VIR_ERR_NO_NWFILTER,
_("Could not find filter '%s'"),
- net->filter);
+ filtername);
return 1;
}
if (obj->wantRemoved) {
virNWFilterReportError(conn, VIR_ERR_NO_NWFILTER,
_("Filter '%s' is in use."),
- net->filter);
+ filtername);
rc = 1;
goto err_exit;
}
- virFormatMacAddr(net->mac, vmmacaddr);
+ virFormatMacAddr(macaddr, vmmacaddr);
str_macaddr = strdup(vmmacaddr);
if (!str_macaddr) {
virReportOOMError();
@@ -549,18 +714,29 @@ _virNWFilterInstantiateFilter(virConnect
goto err_exit;
}
+ ipaddr = virNWFilterGetIpAddrForIfname(ifname);
+ if (ipaddr) {
+ str_ipaddr = strdup(ipaddr);
+ if (!str_ipaddr) {
+ virReportOOMError();
+ rc = 1;
+ goto err_exit;
+ }
+ }
+
vars1 = virNWFilterCreateVarHashmap(conn,
- str_macaddr);
+ str_macaddr, str_ipaddr);
if (!vars1) {
rc = 1;
goto err_exit;
}
str_macaddr = NULL;
+ str_ipaddr = NULL;
vars = virNWFilterCreateVarsFrom(conn,
vars1,
- net->filterparams);
+ filterparams);
if (!vars) {
rc = 1;
goto err_exit_vars1;
@@ -582,12 +758,15 @@ _virNWFilterInstantiateFilter(virConnect
rc = virNWFilterInstantiate(conn,
techdriver,
- net->type,
+ nettype,
filter,
- net->ifname,
+ ifname,
+ linkdev,
vars,
useNewFilter, &foundNewFilter,
- teardownOld);
+ teardownOld,
+ macaddr,
+ driver);
virNWFilterHashTableFree(vars);
@@ -595,15 +774,180 @@ err_exit_vars1:
virNWFilterHashTableFree(vars1);
err_exit:
-
virNWFilterPoolObjUnlock(obj);
+ VIR_FREE(str_ipaddr);
VIR_FREE(str_macaddr);
return rc;
}
+static int
+_virNWFilterInstantiateFilter(virConnectPtr conn,
+ const virDomainNetDefPtr net,
+ bool teardownOld,
+ enum instCase useNewFilter)
+{
+ const char *linkdev = (net->type == VIR_DOMAIN_NET_TYPE_DIRECT)
+ ? net->data.direct.linkdev
+ : NULL;
+ return __virNWFilterInstantiateFilter(conn,
+ teardownOld,
+ net->ifname,
+ linkdev,
+ net->type,
+ net->mac,
+ net->filter,
+ net->filterparams,
+ useNewFilter,
+ conn->nwfilterPrivateData);
+}
+
+
+// FIXME: move chgIfFlags, ifUp, checkIf into common file & share w/ macvtap.c
+
+/*
+ * chgIfFlags: Change flags on an interface
+ * @ifname : name of the interface
+ * @flagclear : the flags to clear
+ * @flagset : the flags to set
+ *
+ * The new flags of the interface will be calculated as
+ * flagmask = (~0 ^ flagclear)
+ * newflags = (curflags & flagmask) | flagset;
+ *
+ * Returns 0 on success, errno on failure.
+ */
+static int chgIfFlags(const char *ifname, short flagclear, short flagset) {
+ struct ifreq ifr;
+ int rc = 0;
+ int flags;
+ short flagmask = (~0 ^ flagclear);
+ int fd = socket(PF_PACKET, SOCK_DGRAM, 0);
+
+ if (fd < 0)
+ return errno;
+
+ if (virStrncpy(ifr.ifr_name,
+ ifname, strlen(ifname), sizeof(ifr.ifr_name)) == NULL) {
+ rc = ENODEV;
+ goto err_exit;
+ }
+
+ if (ioctl(fd, SIOCGIFFLAGS, &ifr) < 0) {
+ rc = errno;
+ goto err_exit;
+ }
+
+ flags = (ifr.ifr_flags & flagmask) | flagset;
+
+ if (ifr.ifr_flags != flags) {
+ ifr.ifr_flags = flags;
+
+ if (ioctl(fd, SIOCSIFFLAGS, &ifr) < 0)
+ rc = errno;
+ }
+
+err_exit:
+ close(fd);
+ return rc;
+}
+
+/*
+ * ifUp
+ * @name: name of the interface
+ * @up: 1 for up, 0 for down
+ *
+ * Function to control if an interface is activated (up, 1) or not (down, 0)
+ *
+ * Returns 0 in case of success or an errno code in case of failure.
+ */
+static int
+ifUp(const char *name, int up)
+{
+ return chgIfFlags(name,
+ (up) ? 0 : IFF_UP,
+ (up) ? IFF_UP : 0);
+}
+
+
+/**
+ * checkIf
+ *
+ * @ifname: Name of the interface
+ * @macaddr: expected MAC address of the interface
+ *
+ * FIXME: the interface's index is another good parameter to check
+ *
+ * Determine whether a given interface is still available. If so,
+ * it must have the given MAC address.
+ *
+ * Returns an error code ENODEV in case the interface does not exist
+ * anymore or its MAC address is different, 0 otherwise.
+ */
+int
+checkIf(const char *ifname, const unsigned char *macaddr)
+{
+ struct ifreq ifr;
+ int fd = socket(PF_PACKET, SOCK_DGRAM, 0);
+ int rc = 0;
+
+ if (fd < 0)
+ return errno;
+
+ if (virStrncpy(ifr.ifr_name,
+ ifname, strlen(ifname), sizeof(ifr.ifr_name)) == NULL) {
+ rc = ENODEV;
+ goto err_exit;
+ }
+
+ if (ioctl(fd, SIOCGIFHWADDR, &ifr) < 0) {
+ rc = errno;
+ goto err_exit;
+ }
+
+ if (memcmp(&ifr.ifr_hwaddr.sa_data, macaddr, 6) != 0)
+ rc = ENODEV;
+
+ err_exit:
+ close(fd);
+ return rc;
+}
+
+
+int
+virNWFilterInstantiateFilterLate(virConnectPtr conn,
+ const char *ifname,
+ const char *linkdev,
+ enum virDomainNetType nettype,
+ const unsigned char *macaddr,
+ const char *filtername,
+ virNWFilterHashTablePtr filterparams,
+ virNWFilterDriverStatePtr driver)
+{
+ int rc;
+ rc = __virNWFilterInstantiateFilter(conn,
+ 1,
+ ifname,
+ linkdev,
+ nettype,
+ macaddr,
+ filtername,
+ filterparams,
+ INSTANTIATE_ALWAYS,
+ driver);
+ if (rc) {
+ //something went wrong... 'DOWN' the interface
+ if (ifUp(ifname ,0)) {
+ // assuming interface disappeared...
+ _virNWFilterTeardownFilter(ifname);
+ }
+ }
+ return rc;
+}
+
+
int
virNWFilterInstantiateFilter(virConnectPtr conn,
const virDomainNetDefPtr net)
@@ -660,8 +1004,8 @@ virNWFilterTearOldFilter(virConnectPtr c
}
-int
-virNWFilterTeardownFilter(const virDomainNetDefPtr net)
+static int
+_virNWFilterTeardownFilter(const char *ifname)
{
const char *drvname = EBIPTABLES_DRIVER_ID;
virNWFilterTechDriverPtr techdriver;
@@ -676,13 +1020,21 @@ virNWFilterTeardownFilter(const virDomai
#endif
return 1;
}
+ techdriver->allTeardown(ifname);
- techdriver->allTeardown(net->ifname);
+ virNWFilterDelIpAddrForIfname(ifname);
return 0;
}
+int
+virNWFilterTeardownFilter(const virDomainNetDefPtr net)
+{
+ return _virNWFilterTeardownFilter(net->ifname);
+}
+
+
void
virNWFilterDomainFWUpdateCB(void *payload,
const char *name ATTRIBUTE_UNUSED,
Index: libvirt-acl/src/nwfilter/nwfilter_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_driver.c
@@ -37,6 +37,8 @@
#include "nwfilter_gentech_driver.h"
+#include "nwfilter_learnipaddr.h"
+
#define VIR_FROM_THIS VIR_FROM_NWFILTER
#define nwfilterLog(msg...) fprintf(stderr, msg)
@@ -65,9 +67,12 @@ static int
nwfilterDriverStartup(int privileged) {
char *base = NULL;
- if (virNWFilterConfLayerInit(virNWFilterDomainFWUpdateCB) < 0)
+ if (virNWFilterLearnInit() < 0)
return -1;
+ if (virNWFilterConfLayerInit(virNWFilterDomainFWUpdateCB) < 0)
+ goto conf_init_err;
+
if (VIR_ALLOC(driverState) < 0)
goto alloc_err_exit;
@@ -120,6 +125,9 @@ error:
alloc_err_exit:
virNWFilterConfLayerShutdown();
+conf_init_err:
+ virNWFilterLearnShutdown();
+
return -1;
}
@@ -413,5 +421,6 @@ static virStateDriver stateDriver = {
int nwfilterRegister(void) {
virRegisterNWFilterDriver(&nwfilterDriver);
virRegisterStateDriver(&stateDriver);
+ virNWFilterLearnInit();
return 0;
}
Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.h
+++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h
@@ -46,13 +46,25 @@ int virNWFilterRollbackUpdateFilter(virC
int virNWFilterTearOldFilter(virConnectPtr conn,
const virDomainNetDefPtr net);
+int virNWFilterInstantiateFilterLate(virConnectPtr conn,
+ const char *ifname,
+ const char *linkdev,
+ enum virDomainNetType nettype,
+ const unsigned char *macaddr,
+ const char *filtername,
+ virNWFilterHashTablePtr filterparams,
+ virNWFilterDriverStatePtr driver);
+
int virNWFilterTeardownFilter(const virDomainNetDefPtr net);
virNWFilterHashTablePtr virNWFilterCreateVarHashmap(virConnectPtr conn,
- char *macaddr);
+ char *macaddr,
+ char *ipaddr);
void virNWFilterDomainFWUpdateCB(void *payload,
const char *name ATTRIBUTE_UNUSED,
void *data);
+int checkIf(const char *ifname, const unsigned char *macaddr);
+
#endif
Index: libvirt-acl/src/libvirt_private.syms
===================================================================
--- libvirt-acl.orig/src/libvirt_private.syms
+++ libvirt-acl/src/libvirt_private.syms
@@ -488,6 +488,8 @@ virNWFilterRegisterCallbackDriver;
virNWFilterTestUnassignDef;
virNWFilterConfLayerInit;
virNWFilterConfLayerShutdown;
+virNWFilterLockFilterUpdates;
+virNWFilterUnlockFilterUpdates;
#nwfilter_params.h
@@ -503,6 +505,16 @@ virNWFilterInstantiateFilter;
virNWFilterTeardownFilter;
+#nwfilter_learnipaddr.h
+ipAddressMap;
+ipAddressMapLock;
+pendingLearnReq;
+pendingLearnReqLock;
+virNWFilterGetIpAddrForIfname;
+virNWFilterDelIpAddrForIfname;
+virNWFilterLookupLearnReq;
+
+
# pci.h
pciGetDevice;
pciFreeDevice;
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -111,17 +111,18 @@ struct int_map {
*/
static virMutex updateMutex;
-static void
+void
virNWFilterLockFilterUpdates(void) {
virMutexLock(&updateMutex);
}
-static void
+void
virNWFilterUnlockFilterUpdates(void) {
virMutexUnlock(&updateMutex);
}
+
/*
* attribute names for the rules XML
*/
@@ -2731,7 +2732,7 @@ int virNWFilterConfLayerInit(virHashIter
{
virNWFilterDomainFWUpdateCB = domUpdateCB;
- if (virMutexInit(&updateMutex))
+ if (virMutexInitRecursive(&updateMutex))
return 1;
if (virNWFilterParamConfLayerInit())
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -565,6 +565,9 @@ virNWFilterDefPtr virNWFilterDefParseFil
void virNWFilterPoolObjLock(virNWFilterPoolObjPtr obj);
void virNWFilterPoolObjUnlock(virNWFilterPoolObjPtr obj);
+void virNWFilterLockFilterUpdates(void);
+void virNWFilterUnlockFilterUpdates(void);
+
int virNWFilterConfLayerInit(virHashIterator domUpdateCB);
void virNWFilterConfLayerShutdown(void);
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2533,6 +2533,106 @@ ebiptablesInstCommand(virConnectPtr conn
}
+int
+ebtablesApplyBasicRules(virConnectPtr conn,
+ const char *ifname,
+ const unsigned char *macaddr)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ int cli_status;
+ char chain[MAX_CHAINNAME_LENGTH];
+ char chainPrefix = CHAINPREFIX_HOST_IN_TEMP;
+ char macaddr_str[VIR_MAC_STRING_BUFLEN];
+
+ virFormatMacAddr(macaddr, macaddr_str);
+
+ ebtablesUnlinkTmpRootChain(conn, &buf, 1, ifname);
+ ebtablesUnlinkTmpRootChain(conn, &buf, 0, ifname);
+ ebtablesRemoveTmpSubChains(conn, &buf, ifname);
+ ebtablesRemoveTmpRootChain(conn, &buf, 1, ifname);
+ ebtablesRemoveTmpRootChain(conn, &buf, 0, ifname);
+ ebiptablesExecCLI(conn, &buf, &cli_status);
+
+ ebtablesCreateTmpRootChain(conn, &buf, 1, ifname, 1);
+
+ PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
+ virBufferVSprintf(&buf,
+ CMD_DEF(EBTABLES_CMD
+ " -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR
+ CMD_EXEC
+ "%s",
+
+ EBTABLES_DEFAULT_TABLE,
+ chain,
+ macaddr_str,
+ CMD_STOPONERR(1));
+
+ virBufferVSprintf(&buf,
+ CMD_DEF(EBTABLES_CMD
+ " -t %s -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR
+ CMD_EXEC
+ "%s",
+
+ EBTABLES_DEFAULT_TABLE,
+ chain,
+ CMD_STOPONERR(1));
+
+ virBufferVSprintf(&buf,
+ CMD_DEF(EBTABLES_CMD
+ " -t %s -A %s -p ARP -j ACCEPT") CMD_SEPARATOR
+ CMD_EXEC
+ "%s",
+
+ EBTABLES_DEFAULT_TABLE,
+ chain,
+ CMD_STOPONERR(1));
+
+ virBufferVSprintf(&buf,
+ CMD_DEF(EBTABLES_CMD
+ " -t %s -A %s -j DROP") CMD_SEPARATOR
+ CMD_EXEC
+ "%s",
+
+ EBTABLES_DEFAULT_TABLE,
+ chain,
+ CMD_STOPONERR(1));
+
+ ebtablesLinkTmpRootChain(conn, &buf, 1, ifname, 1);
+
+ if (ebiptablesExecCLI(conn, &buf, &cli_status) || cli_status != 0)
+ goto tear_down_tmpebchains;
+
+ return 0;
+
+tear_down_tmpebchains:
+ ebtablesRemoveBasicRules(conn, ifname);
+
+ virNWFilterReportError(conn, VIR_ERR_BUILD_FIREWALL,
+ "%s",
+ _("Some rules could not be created."));
+
+ return 1;
+}
+
+
+int
+ebtablesRemoveBasicRules(virConnectPtr conn,
+ const char *ifname)
+{
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ int cli_status;
+
+ ebtablesUnlinkTmpRootChain(conn, &buf, 1, ifname);
+ ebtablesUnlinkTmpRootChain(conn, &buf, 0, ifname);
+ ebtablesRemoveTmpSubChains(conn, &buf, ifname);
+ ebtablesRemoveTmpRootChain(conn, &buf, 1, ifname);
+ ebtablesRemoveTmpRootChain(conn, &buf, 0, ifname);
+
+ ebiptablesExecCLI(conn, &buf, &cli_status);
+ return 0;
+}
+
+
static int
ebiptablesRuleOrderSort(const void *a, const void *b)
{
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.h
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
@@ -45,4 +45,11 @@ extern virNWFilterTechDriver ebiptables_
# define EBIPTABLES_DRIVER_ID "ebiptables"
+
+int ebtablesApplyBasicRules(virConnectPtr conn,
+ const char *ifname,
+ const unsigned char *macaddr);
+int ebtablesRemoveBasicRules(virConnectPtr conn,
+ const char *ifname);
+
#endif
Index: libvirt-acl/configure.ac
===================================================================
--- libvirt-acl.orig/configure.ac
+++ libvirt-acl/configure.ac
@@ -41,6 +41,7 @@ XMLRPC_REQUIRED=1.14.0
HAL_REQUIRED=0.5.0
DEVMAPPER_REQUIRED=1.0.0
LIBCURL_REQUIRED="7.18.0"
+LIBPCAP_REQUIRED="1.0.0"
dnl Checks for C compiler.
AC_PROG_CC
@@ -1045,6 +1046,39 @@ AC_SUBST([NUMACTL_CFLAGS])
AC_SUBST([NUMACTL_LIBS])
+dnl pcap lib
+LIBPCAP_CONFIG="pcap-config"
+LIBPCAP_CFLAGS=""
+LIBPCAP_LIBS=""
+LIBPCAP_FOUND="no"
+
+AC_ARG_WITH([libpcap], AC_HELP_STRING([--with-libpcap=@<:@PFX@:>@], [libpcap location]))
+if test "$with_qemu" = "yes"; then
+ if test "x$with_libpcap" != "xno" ; then
+ if test "x$with_libpcap" != "x" ; then
+ LIBPCAP_CONFIG=$with_libpcap/bin/$LIBPCAP_CONFIG
+ fi
+ AC_MSG_CHECKING(libpcap $LIBPCAP_CONFIG >= $LIBPCAP_REQUIRED )
+ if ! $LIBPCAP_CONFIG --libs > /dev/null 2>&1 ; then
+ AC_MSG_RESULT(no)
+ else
+ LIBPCAP_LIBS="`$LIBPCAP_CONFIG --libs`"
+ LIBPCAP_CFLAGS="`$LIBPCAP_CONFIG --cflags`"
+ LIBPCAP_FOUND="yes"
+ AC_MSG_RESULT(yes)
+ fi
+ fi
+fi
+
+if test "x$LIBPCAP_FOUND" = "xyes"; then
+ AC_DEFINE_UNQUOTED([HAVE_LIBPCAP], 1, [whether libpcap can be used])
+fi
+
+AC_SUBST([LIBPCAP_CFLAGS])
+AC_SUBST([LIBPCAP_LIBS])
+
+
+
dnl
dnl Checks for the UML driver
dnl
@@ -2129,6 +2163,11 @@ AC_MSG_NOTICE([ xmlrpc: $XMLRPC_CFLAGS
else
AC_MSG_NOTICE([ xmlrpc: no])
fi
+if test "$with_qemu" = "yes" ; then
+AC_MSG_NOTICE([ pcap: $LIBPCAP_CFLAGS $LIBPCAP_LIBS])
+else
+AC_MSG_NOTICE([ pcap: no])
+fi
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Test suite])
AC_MSG_NOTICE([])
3
4
Hello,
After our discussions about the snapshot API last week, I went ahead and implemented
quite a bit of the API. I also went back to the ESX, Virtualbox, and QEMU API's to
try and make sure our API's matched up. What's below is my revised API based on
that survey. Following my revised API are notes that I took regarding how the
libvirt API matches up to the various API's, and some questions about semantics that
I had while doing the survey. More comments and questions are welcome.
/* NOTE: struct _virDomainSnapshot is a private structure, ala
* struct _virDomain.
*/
typedef struct _virDomainSnapshot virDomainSnapshot;
/* Take a snapshot of the current VM state. Throws an error if
* the VM is not currently running */
virDomainSnapshotPtr virDomainSnapshotCreateXML(virDomainPtr domain,
const char *xmlDesc,
unsigned int flags);
/* Dump the XML of a snapshot */
/* NOTE: see below for proposed XML */
char *virDomainSnapshotGetXMLDesc(virDomainSnapshotPtr snapshot,
unsigned int flags);
/* Return the number of snapshots for this domain */
int virDomainSnapshotNum(virDomainPtr domain, unsigned int flags);
/* Get the names of all snapshots for this domain */
int virDomainListSnapshotNames(virDomainPtr domain, char **names, int nameslen,
unsigned int flags);
/* Get a handle to a named snapshot */
virDomainSnapshotPtr virDomainSnapshotLookupByName(virDomainPtr domain,
const char *name,
unsigned int flags);
/* Get a handle to the current in-use snapshot for the domain */
virDomainSnapshotPtr virDomainSnapshotCurrent(virDomainPtr domain,
unsigned int flags);
/* Start the guest from the snapshot "snapshot" */
int virDomainCreateFromSnapshot(virDomainSnapshotPtr snapshot,
unsigned int flags);
/* Rename the snapshot */
/* Do we really need this? In theory we could use
* virsh snapshot-edit <domain> <name> and then detect
* name changes, but that will require a UUID, which may
* or may not be overkill
*/
int virDomainSnapshotRename(virDomainSnapshotPtr snapshot,
char *newname,
unsigned int flags);
/* Delete a snapshot - with no flags, the snapshot is not used anymore,
* but also not removed. With a MERGE flag, it merges the snapshot into
* the parent snapshot (or the base image, if there is no parent snapshot).
* Note that if other snapshots would be discarded because of this
* MERGE action, this operation will fail. If that is really what is intended,
* use MERGE_FORCE.
*
* With a DISCARD flag, it deletes the snapshot. Note that if children snapshots
* would be discarded because of this delete action, this operation will
* fail. If this is really what is intended, use DISCARD_FORCE.
*
* MERGE, MERGE_FORCE, DISCARD, and DISCARD_FORCE are mutually-exclusive.
*
* Note that this operation can happen when the domain is running or shut
* down, though this is hypervisor specific */
typedef enum {
VIR_DOMAIN_SNAPSHOT_DELETE_MERGE,
VIR_DOMAIN_SNAPSHOT_DELETE_MERGE_FORCE,
VIR_DOMAIN_SNAPSHOT_DELETE_DISCARD,
VIR_DOMAIN_SNAPSHOT_DELETE_DISCARD_FORCE,
} virDomainSnapshotDelete;
int virDomainSnapshotDelete(virDomainSnapshotPtr snapshot,
unsigned int flags);
int virDomainSnapshotFree(virDomainSnapshotPtr snapshot);
NOTE: During snapshot creation, *none* of the fields are required. That is,
you can call virDomainSnapshotCreateXML() with an XML of "<domainsnapshot/>".
In this case, the individual driver will make up a <name> and <uuid> for you,
the <creationdate> will be set to the current time+date, <description> will be
empty, <state> will be the current state of the VM, and <parent> will
be set to the current snapshot (if any). If you do want to specify some
fields during virDomainSnapshotCreateXML(), note that the only ones that are
settable are <name>, <uuid>, and <description>;
the rest are ignored, and filled in by the driver when the snapshot is
actually created.
NOTE: <state> refers to the state of the VM when the snapshot was taken.
<domainsnapshot>
<name>XYZ</name>
<creationdate>...</creationdate>
<description>...</description>
<state>RUNNING</state>
<domain>
<uuid>XXXXX-XXXX-XXXX-XXXX-XXXXXXXXX</uuid>
</domain>
<parent>
<name>ABC</name>
</parent>
</domainsnapshot>
The virsh commands will be:
virsh snapshot-create <dom> <xmlfile>
virsh snapshot-list <dom>
virsh snapshot-dumpxml <dom> <name>
virsh start-with-snapshot <dom> <snapshotname>
virsh snapshot-delete <dom> <snapshotname> [--merge|--mergeforce|--delete|--deleteforce]
virsh snapshot-delete-all <dom>
Possible issues:
1) I don't see a way to support "managed" save/restore and snapshotting with
this API. I think we'll have to have a separate API for managed save/restore.
2) What is the semantic for deleting snapshots from a running domain?
Virtualbox seems to not allow you to manipulate snapshots while the domain is
running. Qemu does allow this, but it's currently unclear what the exact
semantics are. VMware seems to allow manipulation of snapshots while the
domain is running.
3) Do we need a snapshot UUID? Virtualbox allows you to have multiple snapshots
with the same name, differentiated by UUID. Confusingly, they also have a
"FindByName" method that returns the first depth-first search snapshot that matches
a given name. For qemu, if you specify the same name twice it overwrites the previous
one with the new one. I don't know what ESX does here.
Mapping of our interface to various hypervisors:
+-------------------------------+-----------------+-------------------+------------------------------+
| Libvirt | Qemu | Virtualbox | ESX |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainSnapshotCreateXML | monitor command | takeSnapshot | CreateSnapshot_task |
| | "savevm"; if | Snapshots can | takes a name, description, |
| | snapshot name | be taken on | memory (true/false) and |
| | is already in | powered off, | quiesce (true/false). |
| | use, replaces | saved, running, | What does "memory" mean? |
| | the previous | or paused VMs. | Should we model "quiesce" |
| | snapshot. Also | The snapshot is | Trees of snapshots are |
| | qemu-img | always taken | supported. What happens |
| | snapshot -c can | against the | on a duplicate name? What |
| | be used to | current snapshot. | state(s) can a VM be in |
| | create a | What happens on | when calling this? Does |
| | disk-only | a duplicate | a VM get paused when this |
| | snapshot. What | name? Trees of | is called? |
| | happens if the | snapshots are | |
| | VM is running | not currently | |
| | when you do | supported. | |
| | this? Trees of | Taking a snapshot | |
| | snapshots seem | of a running VM | |
| | to be supported | pauses the VM | |
| | VM gets paused | before taking the | |
| | while this is | snapshot. | |
| | happening. What | | |
| | states can the | | |
| | VM be in? | | |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainSnapshotGetXMLDesc | Libvirt qemu | GetId | VirtualMachine object-> |
| | snapshot | GetDescription | snapshot-> rootSnapshotList |
| | metadata | GetTimeStamp | [i].createTime |
| | | GetParent | .description |
| | | GetCurrentSnapshot| .name |
| | | | .id |
| | | | .state |
| | | | .quiesced |
| | | | .vm |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainSnapshotNum | Libvirt qemu | GetSnapshotCount | VirtualMachine object-> |
| | snapshot | | snapshot-> rootSnapshotList |
| | metadata | | |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainListSnapshotNames | Libvirt qemu | GetSnapshotCount | VirtualMachine object-> |
| | snapshot | GetChildren | snapshot-> rootSnapshotList |
| | metadata, or | | |
| | listvm monitor | | |
| | command or | | |
| | qemu-img | | |
| | snapshot -l | | |
| | <file>. If the | | |
| | VM has multiple | | |
| | disks and the | | |
| | disks have | | |
| | different | | |
| | snapshots, what | | |
| | do you do? | | |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainSnapshotLookupByName | " | findSnapshot | VirtualMachine object-> |
| | | Takes a name and | snapshot-> rootSnapshotList |
| | | returns a | |
| | | snapshot object. | |
| | | In case of | |
| | | multiple snapshots| |
| | | with the same | |
| | | name, it returns | |
| | | the first object | |
| | | from a depth | |
| | | first search. | |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainCreateFromSnapshot | qemu-img | restoreSnapshot | RevertToSnapshot_Task |
| | snapshot -a | Takes a snapshot | Changes execution state |
| | <snapname> | object, and | of VM to state of this |
| | <file>. What | resets the VM's | snapshot. Takes a |
| | happens if the | state to that of | snapshot object, an |
| | VM has multiple | the snapshot. | optional host, and |
| | files with | If this is a | suppressPowerOn, which |
| | different | snapshot taken | forces the VM to the off |
| | snapshots? | against a running | state regardless of the |
| | | machine, then the | state when the snapshot |
| | | memory is | was taken. Implies that |
| | | restored as well. | without this flag, VM |
| | | Does *not* start | starts in whatever |
| | | the VM. The VM | <state> was when snapshot |
| | | must be off for | was taken. |
| | | this operation to | |
| | | succeed. | |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainSnapshotDelete | monitor command | deleteSnapshot | RemoveSnapshot_Task |
| | "delvm". What | deletes the | removes this snapshot and |
| | happens if the | specified | deletes any associated |
| | snapshot is in | snapshot. Takes | storage. Operates on a |
| | use? What | an ID. The VM | VirtualMachineSnapshot |
| | states can the | must be off. | object. What states can |
| | VM be in? Also | Differences to | the VM be in? What |
| | qemu-img | children | happens if this snapshot |
| | snapshot -d | snapshots will be | is in-use? What happens |
| | <name> <file> | merged with the | to parents and children? |
| | command can be | children to keep | |
| | used. What | children valid. | |
| | happens if the | Parent for this | |
| | disk is in-use? | snapshot will | |
| | What happens to | become parent of | |
| | parents and | any children | |
| | children? | snapshots. | |
| | How do we | | |
| | handle merges? | | |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainSnapshotCurrent | Libvirt qemu | currentSnapshot | VirtualMachine object-> |
| | snapshot | | snapshot-> currentSnapshot |
| | metadata | | |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainSnapshotRename | Libvirt qemu | ISnapshot->name | RenameSnapshot |
| | snapshot | | |
| | metadata | | |
+-------------------------------+-----------------+-------------------+------------------------------+
| virDomainSnapshotDelete with | Libvirt qemu | deleteSnapshot | RemoveAllSnapshots_Task |
| DISCARD_FORCE flag against | snapshot | with manual depth | |
| root snapshot | metadata | deletion of | |
| | | children | |
+-------------------------------+-----------------+-------------------+------------------------------+
| | | | RevertToCurrentSnapshot_Task |
+-------------------------------+-----------------+-------------------+------------------------------+
Attribute mapping:
+----------------+----------+-------------+----------------------------+
| Libvirt | Qemu | Virtualbox | ESX |
+----------------+----------+-------------+----------------------------+
| <name> | TAG | name | name |
+----------------+----------+-------------+----------------------------+
| <creationdate> | DATE | timeStamp | createTime |
+----------------+----------+-------------+----------------------------+
| <description> | Libvirt | description | description |
| | qemu | | |
| | metadata | | |
+----------------+----------+-------------+----------------------------+
| <state> | Libvirt | online | state (this is the *power* |
| | qemu | | state of the VM when this |
| | metadata | | snapshot was taken) |
+----------------+----------+-------------+----------------------------+
| <domain><uuid> | Libvirt | machine | vm |
| | qemu | | |
| | metadata | | |
+----------------+----------+-------------+----------------------------+
| <parent><name> | Libvirt | parent | N/A |
| | qemu | | |
| | metadata | | |
+----------------+----------+-------------+----------------------------+
| N/A | N/A | id (uuid) | id |
+----------------+----------+-------------+----------------------------+
| N/A | N/A | children | childSnapshotList |
+----------------+----------+-------------+----------------------------+
| N/A | N/A | N/A | memory |
+----------------+----------+-------------+----------------------------+
| N/A | N/A | N/A | quiesced |
+----------------+----------+-------------+----------------------------+
| N/A | N/A | N/A | backupManifest |
+----------------+----------+-------------+----------------------------+
| N/A | N/A | N/A | replaySupported |
+----------------+----------+-------------+----------------------------+
--
Chris Lalancette
6
13
The current API provides the following Save abd Restore functions:
int virDomainSave (virDomainPtr domain,
const char *to);
int virDomainRestore (virConnectPtr conn,
const char *from);
where the user provide the path to the file used to hold the domain
saved state.
However it can be really useful to have a managed version where
libvirt itself stores the data. It can then automatically reuse it
once the domain is to be restarted. This also avoid the problem of
keeping stale saved data once a domain has been restarted independantly.
One of our use case was to save the running domains state on shutdown,
and unfortunately virDomainSave()/virDomainRestore() can't be used
for that because if one of the domain is labelled as autorestart,
as soon as the daemon would restart it would recreate the guest but
without knowledge of the backup state.
So we propose the 3 following new APIs to deal with managed saves:
int virDomainManagedSave(virDomainPtr dom, unsigned int flags);
int virDomainHasManagedSaveImage(virDomainPtr dom, unsigned int flags);
int virDomainManagedSaveRemove(virDomainPtr dom, unsigned int flags);
virDomainManagedSave() is to be run on a running domain. Once the call
complete, as in virDomainSave() the domain is stopped upon completion,
but there is no restore counterpart as any order to start the domain
from the API would load the state from the managed file, similary if
the domain is autostarted when libvirtd starts.
Once a domain has restarted his managed save image is destroyed,
basically managed save image can only exist for a stopped domain,
for a running domain that would be by definition outdated data.
Suggested new entry points in libvirt.c are below, thanks in advance for
any feedback (and thanks to Chris Lalancette who started this work):
diff --git a/src/libvirt.c b/src/libvirt.c
index cc5b4c5..293ea17 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -12135,3 +12135,143 @@ error:
virDispatchError(conn);
return -1;
}
+
+/**
+ * virDomainManagedSave:
+ * @dom: pointer to the domain
+ * @flags: optional flags currently unused
+ *
+ * This method will suspend a domain and save its memory contents to
+ * a file on disk. After the call, if successful, the domain is not
+ * listed as running anymore.
+ * The difference from virDomainSave() is that libvirt is keeping track of
+ * the saved state itself, and will reuse it once the domain is being
+ * restarted (automatically or via an explicit libvirt call).
+ * As a result any running domain is sure to not have a managed saved image.
+ *
+ * Returns 0 in case of success or -1 in case of failure
+ */
+int virDomainManagedSave(virDomainPtr dom, unsigned int flags)
+{
+ virConnectPtr conn;
+
+ VIR_DEBUG("dom=%p, flags=%u", dom, flags);
+
+ virResetLastError();
+
+ if (!VIR_IS_CONNECTED_DOMAIN(dom)) {
+ virLibDomainError(NULL, VIR_ERR_INVALID_DOMAIN, __FUNCTION__);
+ virDispatchError(NULL);
+ return -1;
+ }
+
+ conn = dom->conn;
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
+ if (conn->driver->domainManagedSave) {
+ int ret;
+
+ ret = conn->driver->domainManagedSave(dom, flags);
+ if (ret < 0)
+ goto error;
+ return ret;
+ }
+
+ virLibConnError(conn, VIR_ERR_NO_SUPPORT, __FUNCTION__);
+
+error:
+ virDispatchError(conn);
+ return -1;
+}
+
+/**
+ * virDomainHasManagedSaveImage:
+ * @dom: pointer to the domain
+ * @flags: optional flags currently unused
+ *
+ * Check if a domain has a managed save image as created by
+ * virDomainManagedSave(). Note that any running domain should not have
+ * such an image, as it should have been removed on restart.
+ *
+ * Returns 0 if no image is present, 1 if an image is present, and
+ * -1 in case of error
+ */
+int virDomainHasManagedSaveImage(virDomainPtr dom, unsigned int flags)
+{
+ virConnectPtr conn;
+
+ VIR_DEBUG("dom=%p, flags=%u", dom, flags);
+
+ virResetLastError();
+
+ if (!VIR_IS_CONNECTED_DOMAIN(dom)) {
+ virLibDomainError(NULL, VIR_ERR_INVALID_DOMAIN, __FUNCTION__);
+ virDispatchError(NULL);
+ return -1;
+ }
+
+ conn = dom->conn;
+
+ if (conn->driver->domainHasManagedSaveImage) {
+ int ret;
+
+ ret = conn->driver->domainHasManagedSaveImage(dom, flags);
+ if (ret < 0)
+ goto error;
+ return ret;
+ }
+
+ virLibConnError(conn, VIR_ERR_NO_SUPPORT, __FUNCTION__);
+
+error:
+ virDispatchError(conn);
+ return -1;
+}
+
+/**
+ * virDomainManagedSaveRemove:
+ * @dom: pointer to the domain
+ * @flags: optional flags currently unused
+ *
+ * Remove any managed save image as for this domain.
+ *
+ * Returns 0 in case of success, and -1 in case of error
+ */
+int virDomainManagedSaveRemove(virDomainPtr dom, unsigned int flags)
+{
+ virConnectPtr conn;
+
+ VIR_DEBUG("dom=%p, flags=%u", dom, flags);
+
+ virResetLastError();
+
+ if (!VIR_IS_CONNECTED_DOMAIN(dom)) {
+ virLibDomainError(NULL, VIR_ERR_INVALID_DOMAIN, __FUNCTION__);
+ virDispatchError(NULL);
+ return -1;
+ }
+
+ conn = dom->conn;
+ if (conn->flags & VIR_CONNECT_RO) {
+ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
+ if (conn->driver->domainManagedSaveRemove) {
+ int ret;
+
+ ret = conn->driver->domainManagedSaveRemove(dom, flags);
+ if (ret < 0)
+ goto error;
+ return ret;
+ }
+
+ virLibConnError(conn, VIR_ERR_NO_SUPPORT, __FUNCTION__);
+
+error:
+ virDispatchError(conn);
+ return -1;
+}
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
1
0
This set of patches is a first step towards removing the scanf and atoi
usage in libvirt. I began with the simple cases and post this now to get
some feedback before I start to convert the more difficult ones.
01/10 Replace sscanf in legacy device address parsing
02/10 Replace sscanf in nwfilter rule parsing
03/10 Refactor major.minor.micro version parsing into a function
04/10 cgroup: Replace sscanf with virStrToLong_ll
05/10 vbox: Replace atoi with virStrToLong_i
06/10 xen: Use virParseMacAddr instead of sscanf
07/10 openvz: Use strtok_r instead of sscanf for VPS UUID parsing
08/10 xenapi: Use virStrToLong_i instead of sscanf for CPU map parsing
09/10 xen: Use virStrToLong_i instead of sscanf for XenD port parsing
10/10 Replace sscanf in PCI device address parsing
src/conf/domain_conf.c | 38 +++++++++++++++++++---------
src/conf/nwfilter_conf.c | 10 +++---
src/esx/esx_driver.c | 31 ++++------------------
src/libvirt_private.syms | 1 +
src/lxc/lxc_driver.c | 10 +------
src/openvz/openvz_conf.c | 27 ++++++++++++-------
src/uml/uml_conf.h | 2 +-
src/uml/uml_driver.c | 17 ++++++------
src/util/cgroup.c | 3 +-
src/util/pci.c | 59 ++++++++++++++++++++++++++++++++++---------
src/util/util.c | 37 +++++++++++++++++++++++++++
src/util/util.h | 1 +
src/vbox/vbox_tmpl.c | 18 +++++--------
src/xen/xend_internal.c | 20 ++------------
src/xen/xm_internal.c | 19 +++----------
src/xenapi/xenapi_driver.c | 21 +++++++--------
src/xenapi/xenapi_utils.c | 3 +-
17 files changed, 179 insertions(+), 138 deletions(-)
Matthias
5
31