November 2011 - Devel - libvirt List Archives

[libvirt] [PATCH v2] nwfilter: Enable detection of multiple IP addresses
by Stefan Berger 23 Nov '11

23 Nov '11

In preparation of DHCP Snooping and the detection of multiple IP addresses per interface: The hash table that is used to collect the detected IP address of an interface can so far only handle one IP address per interface. With this patch we extend this to allow it to handle a list of IP addresses. Above changes the returned variable type of virNWFilterGetIpAddrForIfname() from char * to virNWFilterVarValuePtr; adapt all existing functions calling this function. --- v2: - fixed logic bug pointed out by Eric Blake - sorted symbols --- src/conf/nwfilter_params.c | 62 ++++++++++++++++++-- src/conf/nwfilter_params.h | 7 +- src/libvirt_private.syms | 6 + src/nwfilter/nwfilter_gentech_driver.c | 21 ++---- src/nwfilter/nwfilter_gentech_driver.h | 2 src/nwfilter/nwfilter_learnipaddr.c | 100 ++++++++++++++++++++++++++------- src/nwfilter/nwfilter_learnipaddr.h | 6 + 7 files changed, 158 insertions(+), 46 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.c +++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c @@ -310,41 +310,99 @@ virNWFilterDeregisterLearnReq(int ifinde return res; } - - +/* Add an IP address to the list of IP addresses an interface is + * known to use. This function feeds the per-interface cache that + * is used to instantiate filters with variable '$IP'. + * + * @ifname: The name of the (tap) interface + * @addr: An IPv4 address in dotted decimal format that the (tap) + * interface is known to use. + * + * This function returns 0 on success, -1 otherwise + */ static int -virNWFilterAddIpAddrForIfname(const char *ifname, char *addr) { +virNWFilterAddIpAddrForIfname(const char *ifname, char *addr) +{ int ret; - virNWFilterVarValuePtr val = virNWFilterVarValueCreateSimple(addr); - - if (!val) - return 1; + virNWFilterVarValuePtr val; virMutexLock(&ipAddressMapLock); - ret = virNWFilterHashTablePut(ipAddressMap, ifname, val, 1); + val = virHashLookup(ipAddressMap->hashTable, ifname); + if (!val) { + val = virNWFilterVarValueCreateSimple(addr); + if (!val) { + virReportOOMError(); + ret = -1; + goto err_exit; + } + ret = virNWFilterHashTablePut(ipAddressMap, ifname, val, 1); + } else { + if (virNWFilterVarValueAddValue(val, addr) < 0) + ret = -1; + } +err_exit: virMutexUnlock(&ipAddressMapLock); return ret; } #endif - -void -virNWFilterDelIpAddrForIfname(const char *ifname) { +/* Delete all or a specific IP address from an interface. After this + * call either all or the given IP address will not be associated + * with the interface anymore. + * + * @ifname: The name of the (tap) interface + * @addr: An IPv4 address in dotted decimal format that the (tap) + * interface is not using anymore; provide NULL to remove all IP + * addresses associated with the given interface + * + * This function returns the number of IP addresses that are still + * known to be associated with this interface, in case of an error + * -1 is returned. Error conditions are: + * - IP addresses is not known to be associated with the interface + */ +int +virNWFilterDelIpAddrForIfname(const char *ifname, const char *ipaddr) +{ + int ret = -1; + virNWFilterVarValuePtr val = NULL; virMutexLock(&ipAddressMapLock); - if (virHashLookup(ipAddressMap->hashTable, ifname)) - virNWFilterHashTableRemoveEntry(ipAddressMap, ifname); + if (ipaddr != NULL) { + val = virHashLookup(ipAddressMap->hashTable, ifname); + if (val) { + if (virNWFilterVarValueGetCardinality(val) == 1 && + STREQ(ipaddr, + virNWFilterVarValueGetNthValue(val, 0))) + goto remove_entry; + virNWFilterVarValueDelValue(val, ipaddr); + ret = virNWFilterVarValueGetCardinality(val); + } + } else { +remove_entry: + /* remove whole entry */ + val = virNWFilterHashTableRemoveEntry(ipAddressMap, ifname); + virNWFilterVarValueFree(val); + ret = 0; + } virMutexUnlock(&ipAddressMapLock); -} + return ret; +} -const char * -virNWFilterGetIpAddrForIfname(const char *ifname) { +/* Get the list of IP addresses known to be in use by an interface + * + * This function returns NULL in case no IP address is known to be + * associated with the interface, a virNWFilterVarValuePtr otherwise + * that then can contain one or multiple entries. + */ +virNWFilterVarValuePtr +virNWFilterGetIpAddrForIfname(const char *ifname) +{ virNWFilterVarValuePtr res; virMutexLock(&ipAddressMapLock); @@ -353,10 +411,7 @@ virNWFilterGetIpAddrForIfname(const char virMutexUnlock(&ipAddressMapLock); - if (res) - return virNWFilterVarValueGetSimple(res); - - return NULL; + return res; } @@ -642,7 +697,10 @@ learnIPAddressThread(void *arg) char *inetaddr; if ((inetaddr = virSocketAddrFormat(&sa))!= NULL) { - virNWFilterAddIpAddrForIfname(req->ifname, inetaddr); + if (virNWFilterAddIpAddrForIfname(req->ifname, inetaddr) < 0) { + VIR_ERROR(_("Failed to add IP address %s to IP address " + "cache for interface %s"), inetaddr, req->ifname); + } ret = virNWFilterInstantiateFilterLate(NULL, req->ifname, Index: libvirt-acl/src/libvirt_private.syms =================================================================== --- libvirt-acl.orig/src/libvirt_private.syms +++ libvirt-acl/src/libvirt_private.syms @@ -846,8 +846,14 @@ virNWFilterVarCombIterCreate; virNWFilterVarCombIterFree; virNWFilterVarCombIterGetVarValue; virNWFilterVarCombIterNext; +virNWFilterVarValueAddValue; +virNWFilterVarValueCopy; virNWFilterVarValueCreateSimple; virNWFilterVarValueCreateSimpleCopyValue; +virNWFilterVarValueDelValue; +virNWFilterVarValueFree; +virNWFilterVarValueGetCardinality; +virNWFilterVarValueGetNthValue; virNWFilterVarValueGetSimple; Index: libvirt-acl/src/conf/nwfilter_params.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_params.c +++ libvirt-acl/src/conf/nwfilter_params.c @@ -37,7 +37,7 @@ static bool isValidVarValue(const char *value); -static void +void virNWFilterVarValueFree(virNWFilterVarValuePtr val) { unsigned i; @@ -60,7 +60,7 @@ virNWFilterVarValueFree(virNWFilterVarVa VIR_FREE(val); } -static virNWFilterVarValuePtr +virNWFilterVarValuePtr virNWFilterVarValueCopy(const virNWFilterVarValuePtr val) { virNWFilterVarValuePtr res; @@ -222,6 +222,56 @@ virNWFilterVarValueAddValue(virNWFilterV return rc; } +static int +virNWFilterVarValueDelNthValue(virNWFilterVarValuePtr val, unsigned int pos) +{ + switch (val->valType) { + case NWFILTER_VALUE_TYPE_SIMPLE: + return -1; + + case NWFILTER_VALUE_TYPE_ARRAY: + if (pos < val->u.array.nValues) { + VIR_FREE(val->u.array.values[pos]); + val->u.array.nValues--; + + if (pos < val->u.array.nValues) + memmove(&val->u.array.values[pos], + &val->u.array.values[pos + 1], + sizeof(val->u.array.values[0]) * + (val->u.array.nValues - pos)); + return 0; + } + break; + + case NWFILTER_VALUE_TYPE_LAST: + break; + } + + return -1; +} + +int +virNWFilterVarValueDelValue(virNWFilterVarValuePtr val, const char *value) +{ + unsigned int i; + + switch (val->valType) { + case NWFILTER_VALUE_TYPE_SIMPLE: + return -1; + + case NWFILTER_VALUE_TYPE_ARRAY: + for (i = 0; i < val->u.array.nValues; i++) + if (STREQ(value, val->u.array.values[i])) + return virNWFilterVarValueDelNthValue(val, i); + break; + + case NWFILTER_VALUE_TYPE_LAST: + break; + } + + return -1; +} + void virNWFilterVarCombIterFree(virNWFilterVarCombIterPtr ci) { @@ -521,14 +571,14 @@ virNWFilterHashTableCreate(int n) { } -int +void * virNWFilterHashTableRemoveEntry(virNWFilterHashTablePtr ht, const char *entry) { int i; - int rc = virHashRemoveEntry(ht->hashTable, entry); + void *value = virHashSteal(ht->hashTable, entry); - if (rc == 0) { + if (value) { for (i = 0; i < ht->nNames; i++) { if (STREQ(ht->names[i], entry)) { VIR_FREE(ht->names[i]); @@ -538,7 +588,7 @@ virNWFilterHashTableRemoveEntry(virNWFil } } } - return rc; + return value; } Index: libvirt-acl/src/conf/nwfilter_params.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_params.h +++ libvirt-acl/src/conf/nwfilter_params.h @@ -50,11 +50,14 @@ struct _virNWFilterVarValue { virNWFilterVarValuePtr virNWFilterVarValueCreateSimple(char *); virNWFilterVarValuePtr virNWFilterVarValueCreateSimpleCopyValue(const char *); +virNWFilterVarValuePtr virNWFilterVarValueCopy(const virNWFilterVarValuePtr); +void virNWFilterVarValueFree(virNWFilterVarValuePtr val); const char *virNWFilterVarValueGetSimple(const virNWFilterVarValuePtr val); const char *virNWFilterVarValueGetNthValue(virNWFilterVarValuePtr val, unsigned int idx); unsigned int virNWFilterVarValueGetCardinality(const virNWFilterVarValuePtr); int virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value); +int virNWFilterVarValueDelValue(virNWFilterVarValuePtr val, const char *value); typedef struct _virNWFilterHashTable virNWFilterHashTable; typedef virNWFilterHashTable *virNWFilterHashTablePtr; @@ -77,8 +80,8 @@ int virNWFilterHashTablePut(virNWFilterH const char *name, virNWFilterVarValuePtr val, int freeName); -int virNWFilterHashTableRemoveEntry(virNWFilterHashTablePtr table, - const char *name); +void *virNWFilterHashTableRemoveEntry(virNWFilterHashTablePtr table, + const char *name); int virNWFilterHashTablePutAll(virNWFilterHashTablePtr src, virNWFilterHashTablePtr dest); Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.h +++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h @@ -61,7 +61,7 @@ int virNWFilterInstantiateFilterLate(vir int virNWFilterTeardownFilter(const virDomainNetDefPtr net); virNWFilterHashTablePtr virNWFilterCreateVarHashmap(char *macaddr, - char *ipaddr); + const virNWFilterVarValuePtr); void virNWFilterDomainFWUpdateCB(void *payload, const void *name, Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c @@ -145,7 +145,7 @@ virNWFilterRuleInstFree(virNWFilterRuleI static int virNWFilterVarHashmapAddStdValues(virNWFilterHashTablePtr table, char *macaddr, - char *ipaddr) + const virNWFilterVarValuePtr ipaddr) { virNWFilterVarValue *val; @@ -164,7 +164,7 @@ virNWFilterVarHashmapAddStdValues(virNWF } if (ipaddr) { - val = virNWFilterVarValueCreateSimple(ipaddr); + val = virNWFilterVarValueCopy(ipaddr); if (!val) return 1; @@ -194,7 +194,8 @@ virNWFilterVarHashmapAddStdValues(virNWF * is attached to the virConnect object. */ virNWFilterHashTablePtr -virNWFilterCreateVarHashmap(char *macaddr, char *ipaddr) { +virNWFilterCreateVarHashmap(char *macaddr, + const virNWFilterVarValuePtr ipaddr) { virNWFilterHashTablePtr table = virNWFilterHashTableCreate(0); if (!table) { virReportOOMError(); @@ -796,7 +797,7 @@ __virNWFilterInstantiateFilter(virConnec virNWFilterDefPtr filter; char vmmacaddr[VIR_MAC_STRING_BUFLEN] = {0}; char *str_macaddr = NULL; - const char *ipaddr; + virNWFilterVarValuePtr ipaddr; char *str_ipaddr = NULL; techdriver = virNWFilterTechDriverForName(drvname); @@ -836,16 +837,8 @@ __virNWFilterInstantiateFilter(virConnec } ipaddr = virNWFilterGetIpAddrForIfname(ifname); - if (ipaddr) { - str_ipaddr = strdup(ipaddr); - if (!str_ipaddr) { - virReportOOMError(); - rc = 1; - goto err_exit; - } - } - vars1 = virNWFilterCreateVarHashmap(str_macaddr, str_ipaddr); + vars1 = virNWFilterCreateVarHashmap(str_macaddr, ipaddr); if (!vars1) { rc = 1; goto err_exit; @@ -1101,7 +1094,7 @@ _virNWFilterTeardownFilter(const char *i techdriver->allTeardown(ifname); - virNWFilterDelIpAddrForIfname(ifname); + virNWFilterDelIpAddrForIfname(ifname, NULL); virNWFilterUnlockIface(ifname); Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.h +++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h @@ -25,6 +25,8 @@ #ifndef __NWFILTER_LEARNIPADDR_H # define __NWFILTER_LEARNIPADDR_H +# include "conf/nwfilter_params.h" + enum howDetect { DETECT_DHCP = 1, DETECT_STATIC = 2, @@ -63,8 +65,8 @@ int virNWFilterLearnIPAddress(virNWFilte virNWFilterIPAddrLearnReqPtr virNWFilterLookupLearnReq(int ifindex); int virNWFilterTerminateLearnReq(const char *ifname); -void virNWFilterDelIpAddrForIfname(const char *ifname); -const char *virNWFilterGetIpAddrForIfname(const char *ifname); +int virNWFilterDelIpAddrForIfname(const char *ifname, const char *ipaddr); +virNWFilterVarValuePtr virNWFilterGetIpAddrForIfname(const char *ifname); int virNWFilterLockIface(const char *ifname) ATTRIBUTE_RETURN_CHECK; void virNWFilterUnlockIface(const char *ifname);

2 1

[libvirt] nwfilter: Enable detection of multiple IP addresses
by Stefan Berger 23 Nov '11

23 Nov '11

In preparation of DHCP Snooping and the detection of multiple IP addresses per interface: The hash table that is used to collect the detected IP address of an interface can so far only handle one IP address per interface. With this patch we extend this to allow it to handle a list of IP addresses. Above changes the returned variable type of virNWFilterGetIpAddrForIfname() from char * to virNWFilterVarValuePtr; adapt all existing functions calling this function. --- src/conf/nwfilter_params.c | 62 ++++++++++++++++++-- src/conf/nwfilter_params.h | 7 +- src/libvirt_private.syms | 5 + src/nwfilter/nwfilter_gentech_driver.c | 21 ++----- src/nwfilter/nwfilter_gentech_driver.h | 2 src/nwfilter/nwfilter_learnipaddr.c | 98 +++++++++++++++++++++++++-------- src/nwfilter/nwfilter_learnipaddr.h | 6 +- 7 files changed, 155 insertions(+), 46 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.c +++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c @@ -310,41 +310,97 @@ virNWFilterDeregisterLearnReq(int ifinde return res; } - - +/* Add an IP address to the list of IP addresses an interface is + * known to use. This function feeds the per-interface cache that + * is used to instantiate filters with variable '$IP'. + * + * @ifname: The name of the (tap) interface + * @addr: An IPv4 address in dotted decimal format that the (tap) + * interface is known to use. + * + * This function returns 0 on success, -1 otherwise + */ static int -virNWFilterAddIpAddrForIfname(const char *ifname, char *addr) { +virNWFilterAddIpAddrForIfname(const char *ifname, char *addr) +{ int ret; - virNWFilterVarValuePtr val = virNWFilterVarValueCreateSimple(addr); - - if (!val) - return 1; + virNWFilterVarValuePtr val; virMutexLock(&ipAddressMapLock); - ret = virNWFilterHashTablePut(ipAddressMap, ifname, val, 1); + val = virHashLookup(ipAddressMap->hashTable, ifname); + if (!val) { + val = virNWFilterVarValueCreateSimple(addr); + if (!val) { + virReportOOMError(); + ret = -1; + goto err_exit; + } + ret = virNWFilterHashTablePut(ipAddressMap, ifname, val, 1); + } else { + if (virNWFilterVarValueAddValue(val, addr) < 0) + ret = -1; + } +err_exit: virMutexUnlock(&ipAddressMapLock); return ret; } #endif - -void -virNWFilterDelIpAddrForIfname(const char *ifname) { +/* Delete all or a specific IP address from an interface. + * + * @ifname: The name of the (tap) interface + * @addr: An IPv4 address in dotted decimal format that the (tap) + * interface is not using anymore; provide NULL to remove all IP + * addresses associated with the given interface + * + * This function returns the number of IP addresses that are still + * known to be associated with this interface, in case of an error + * -1 is returned. Error conditions are: + * - no IP addresses is known to be associated with an interface + */ +int +virNWFilterDelIpAddrForIfname(const char *ifname, const char *ipaddr) +{ + int ret = -1; + virNWFilterVarValuePtr val = NULL; virMutexLock(&ipAddressMapLock); - if (virHashLookup(ipAddressMap->hashTable, ifname)) - virNWFilterHashTableRemoveEntry(ipAddressMap, ifname); + if (ipaddr != NULL) { + val = virHashLookup(ipAddressMap->hashTable, ifname); + if (val) { + if (virNWFilterVarValueGetCardinality(val) == 1) + goto remove_entry; + virNWFilterVarValueDelValue(val, ipaddr); + ret = virNWFilterVarValueGetCardinality(val); + } + } else { +remove_entry: + /* remove whole entry */ + val = virNWFilterHashTableRemoveEntry(ipAddressMap, ifname); + if (val) { + ret = 0; + virNWFilterVarValueFree(val); + } + } virMutexUnlock(&ipAddressMapLock); -} + return ret; +} -const char * -virNWFilterGetIpAddrForIfname(const char *ifname) { +/* Get the list of IP addresses known to be in use by an interface + * + * This function returns NULL in case no IP address is known to be + * associated with the interface, a virNWFilterVarValuePtr otherwise + * that then can contain one or multiple entries. + */ +virNWFilterVarValuePtr +virNWFilterGetIpAddrForIfname(const char *ifname) +{ virNWFilterVarValuePtr res; virMutexLock(&ipAddressMapLock); @@ -353,10 +409,7 @@ virNWFilterGetIpAddrForIfname(const char virMutexUnlock(&ipAddressMapLock); - if (res) - return virNWFilterVarValueGetSimple(res); - - return NULL; + return res; } @@ -642,7 +695,10 @@ learnIPAddressThread(void *arg) char *inetaddr; if ((inetaddr = virSocketAddrFormat(&sa))!= NULL) { - virNWFilterAddIpAddrForIfname(req->ifname, inetaddr); + if (virNWFilterAddIpAddrForIfname(req->ifname, inetaddr) < 0) { + VIR_ERROR("Failed to add IP address %s to IP address cache " + "for interface %s", inetaddr, req->ifname); + } ret = virNWFilterInstantiateFilterLate(NULL, req->ifname, Index: libvirt-acl/src/libvirt_private.syms =================================================================== --- libvirt-acl.orig/src/libvirt_private.syms +++ libvirt-acl/src/libvirt_private.syms @@ -846,9 +846,14 @@ virNWFilterVarCombIterCreate; virNWFilterVarCombIterFree; virNWFilterVarCombIterGetVarValue; virNWFilterVarCombIterNext; +virNWFilterVarValueAddValue; +virNWFilterVarValueCopy; virNWFilterVarValueCreateSimple; virNWFilterVarValueCreateSimpleCopyValue; +virNWFilterVarValueDelValue; +virNWFilterVarValueFree; virNWFilterVarValueGetSimple; +virNWFilterVarValueGetCardinality; # pci.h Index: libvirt-acl/src/conf/nwfilter_params.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_params.c +++ libvirt-acl/src/conf/nwfilter_params.c @@ -37,7 +37,7 @@ static bool isValidVarValue(const char *value); -static void +void virNWFilterVarValueFree(virNWFilterVarValuePtr val) { unsigned i; @@ -60,7 +60,7 @@ virNWFilterVarValueFree(virNWFilterVarVa VIR_FREE(val); } -static virNWFilterVarValuePtr +virNWFilterVarValuePtr virNWFilterVarValueCopy(const virNWFilterVarValuePtr val) { virNWFilterVarValuePtr res; @@ -222,6 +222,56 @@ virNWFilterVarValueAddValue(virNWFilterV return rc; } +static int +virNWFilterVarValueDelNthValue(virNWFilterVarValuePtr val, unsigned int pos) +{ + switch (val->valType) { + case NWFILTER_VALUE_TYPE_SIMPLE: + return -1; + + case NWFILTER_VALUE_TYPE_ARRAY: + if (pos < val->u.array.nValues) { + VIR_FREE(val->u.array.values[pos]); + val->u.array.nValues--; + + if (pos < val->u.array.nValues) + memmove(&val->u.array.values[pos], + &val->u.array.values[pos + 1], + sizeof(val->u.array.values[0]) * + (val->u.array.nValues - pos)); + return 0; + } + break; + + case NWFILTER_VALUE_TYPE_LAST: + break; + } + + return -1; +} + +int +virNWFilterVarValueDelValue(virNWFilterVarValuePtr val, const char *value) +{ + unsigned int i; + + switch (val->valType) { + case NWFILTER_VALUE_TYPE_SIMPLE: + return -1; + + case NWFILTER_VALUE_TYPE_ARRAY: + for (i = 0; i < val->u.array.nValues; i++) + if (STREQ(value, val->u.array.values[i])) + return virNWFilterVarValueDelNthValue(val, i); + break; + + case NWFILTER_VALUE_TYPE_LAST: + break; + } + + return -1; +} + void virNWFilterVarCombIterFree(virNWFilterVarCombIterPtr ci) { @@ -521,14 +571,14 @@ virNWFilterHashTableCreate(int n) { } -int +void * virNWFilterHashTableRemoveEntry(virNWFilterHashTablePtr ht, const char *entry) { int i; - int rc = virHashRemoveEntry(ht->hashTable, entry); + void *value = virHashSteal(ht->hashTable, entry); - if (rc == 0) { + if (value) { for (i = 0; i < ht->nNames; i++) { if (STREQ(ht->names[i], entry)) { VIR_FREE(ht->names[i]); @@ -538,7 +588,7 @@ virNWFilterHashTableRemoveEntry(virNWFil } } } - return rc; + return value; } Index: libvirt-acl/src/conf/nwfilter_params.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_params.h +++ libvirt-acl/src/conf/nwfilter_params.h @@ -50,11 +50,14 @@ struct _virNWFilterVarValue { virNWFilterVarValuePtr virNWFilterVarValueCreateSimple(char *); virNWFilterVarValuePtr virNWFilterVarValueCreateSimpleCopyValue(const char *); +virNWFilterVarValuePtr virNWFilterVarValueCopy(const virNWFilterVarValuePtr); +void virNWFilterVarValueFree(virNWFilterVarValuePtr val); const char *virNWFilterVarValueGetSimple(const virNWFilterVarValuePtr val); const char *virNWFilterVarValueGetNthValue(virNWFilterVarValuePtr val, unsigned int idx); unsigned int virNWFilterVarValueGetCardinality(const virNWFilterVarValuePtr); int virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value); +int virNWFilterVarValueDelValue(virNWFilterVarValuePtr val, const char *value); typedef struct _virNWFilterHashTable virNWFilterHashTable; typedef virNWFilterHashTable *virNWFilterHashTablePtr; @@ -77,8 +80,8 @@ int virNWFilterHashTablePut(virNWFilterH const char *name, virNWFilterVarValuePtr val, int freeName); -int virNWFilterHashTableRemoveEntry(virNWFilterHashTablePtr table, - const char *name); +void *virNWFilterHashTableRemoveEntry(virNWFilterHashTablePtr table, + const char *name); int virNWFilterHashTablePutAll(virNWFilterHashTablePtr src, virNWFilterHashTablePtr dest); Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.h +++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h @@ -61,7 +61,7 @@ int virNWFilterInstantiateFilterLate(vir int virNWFilterTeardownFilter(const virDomainNetDefPtr net); virNWFilterHashTablePtr virNWFilterCreateVarHashmap(char *macaddr, - char *ipaddr); + const virNWFilterVarValuePtr); void virNWFilterDomainFWUpdateCB(void *payload, const void *name, Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.c @@ -145,7 +145,7 @@ virNWFilterRuleInstFree(virNWFilterRuleI static int virNWFilterVarHashmapAddStdValues(virNWFilterHashTablePtr table, char *macaddr, - char *ipaddr) + const virNWFilterVarValuePtr ipaddr) { virNWFilterVarValue *val; @@ -164,7 +164,7 @@ virNWFilterVarHashmapAddStdValues(virNWF } if (ipaddr) { - val = virNWFilterVarValueCreateSimple(ipaddr); + val = virNWFilterVarValueCopy(ipaddr); if (!val) return 1; @@ -194,7 +194,8 @@ virNWFilterVarHashmapAddStdValues(virNWF * is attached to the virConnect object. */ virNWFilterHashTablePtr -virNWFilterCreateVarHashmap(char *macaddr, char *ipaddr) { +virNWFilterCreateVarHashmap(char *macaddr, + const virNWFilterVarValuePtr ipaddr) { virNWFilterHashTablePtr table = virNWFilterHashTableCreate(0); if (!table) { virReportOOMError(); @@ -796,7 +797,7 @@ __virNWFilterInstantiateFilter(virConnec virNWFilterDefPtr filter; char vmmacaddr[VIR_MAC_STRING_BUFLEN] = {0}; char *str_macaddr = NULL; - const char *ipaddr; + virNWFilterVarValuePtr ipaddr; char *str_ipaddr = NULL; techdriver = virNWFilterTechDriverForName(drvname); @@ -836,16 +837,8 @@ __virNWFilterInstantiateFilter(virConnec } ipaddr = virNWFilterGetIpAddrForIfname(ifname); - if (ipaddr) { - str_ipaddr = strdup(ipaddr); - if (!str_ipaddr) { - virReportOOMError(); - rc = 1; - goto err_exit; - } - } - vars1 = virNWFilterCreateVarHashmap(str_macaddr, str_ipaddr); + vars1 = virNWFilterCreateVarHashmap(str_macaddr, ipaddr); if (!vars1) { rc = 1; goto err_exit; @@ -1101,7 +1094,7 @@ _virNWFilterTeardownFilter(const char *i techdriver->allTeardown(ifname); - virNWFilterDelIpAddrForIfname(ifname); + virNWFilterDelIpAddrForIfname(ifname, NULL); virNWFilterUnlockIface(ifname); Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.h +++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.h @@ -25,6 +25,8 @@ #ifndef __NWFILTER_LEARNIPADDR_H # define __NWFILTER_LEARNIPADDR_H +# include "conf/nwfilter_params.h" + enum howDetect { DETECT_DHCP = 1, DETECT_STATIC = 2, @@ -63,8 +65,8 @@ int virNWFilterLearnIPAddress(virNWFilte virNWFilterIPAddrLearnReqPtr virNWFilterLookupLearnReq(int ifindex); int virNWFilterTerminateLearnReq(const char *ifname); -void virNWFilterDelIpAddrForIfname(const char *ifname); -const char *virNWFilterGetIpAddrForIfname(const char *ifname); +int virNWFilterDelIpAddrForIfname(const char *ifname, const char *ipaddr); +virNWFilterVarValuePtr virNWFilterGetIpAddrForIfname(const char *ifname); int virNWFilterLockIface(const char *ifname) ATTRIBUTE_RETURN_CHECK; void virNWFilterUnlockIface(const char *ifname);

2 2

[libvirt] [PATCH] nwfilter: Pass additional parameter into applyDHCPOnly function
by Stefan Berger 22 Nov '11

22 Nov '11

In preparation for the DHCP Snooping code: Pass an additional parameter into the applyDHCPOnly function of the 'techdriver'. --- src/conf/nwfilter_conf.h | 3 ++- src/nwfilter/nwfilter_ebiptables_driver.c | 13 ++++++++++--- src/nwfilter/nwfilter_learnipaddr.c | 2 +- 3 files changed, 13 insertions(+), 5 deletions(-) Index: libvirt-acl/src/conf/nwfilter_conf.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.h +++ libvirt-acl/src/conf/nwfilter_conf.h @@ -630,7 +630,8 @@ typedef int (*virNWFilterApplyBasicRules typedef int (*virNWFilterApplyDHCPOnlyRules)(const char *ifname, const unsigned char *macaddr, - const char *dhcpserver); + const char *dhcpserver, + bool leaveTemporary); typedef int (*virNWFilterRemoveBasicRules)(const char *ifname); Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -3191,6 +3191,9 @@ tear_down_tmpebchains: * interface * @dhcpserver: The DHCP server from which the VM may receive traffic * from; may be NULL + * @leaveTemporary: Whether to leave the table names with their temporary + * names (true) or also perform the renaming to their final names as + * part of this call (false) * * Returns 0 on success, 1 on failure with the rules removed * @@ -3200,7 +3203,8 @@ tear_down_tmpebchains: static int ebtablesApplyDHCPOnlyRules(const char *ifname, const unsigned char *macaddr, - const char *dhcpserver) + const char *dhcpserver, + bool leaveTemporary) { virBuffer buf = VIR_BUFFER_INITIALIZER; char chain_in [MAX_CHAINNAME_LENGTH], @@ -3281,8 +3285,11 @@ ebtablesApplyDHCPOnlyRules(const char *i ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); ebtablesLinkTmpRootChain(&buf, 0, ifname, 1); - ebtablesRenameTmpRootChain(&buf, 1, ifname); - ebtablesRenameTmpRootChain(&buf, 0, ifname); + + if (!leaveTemporary) { + ebtablesRenameTmpRootChain(&buf, 1, ifname); + ebtablesRenameTmpRootChain(&buf, 0, ifname); + } if (ebiptablesExecCLI(&buf, NULL, NULL) < 0) goto tear_down_tmpebchains; Index: libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_learnipaddr.c +++ libvirt-acl/src/nwfilter/nwfilter_learnipaddr.c @@ -460,7 +460,7 @@ learnIPAddressThread(void *arg) case DETECT_DHCP: if (techdriver->applyDHCPOnlyRules(req->ifname, req->macaddr, - NULL)) { + NULL, false)) { req->status = EINVAL; goto done; }

2 1

[libvirt] [PATCH V2 0/5] NWFilter: Filter more protocols and other extensions
by Stefan Berger 22 Nov '11

22 Nov '11

This patch series adds: - support for a 'mac' chain - filtering support for STP (spanning tree protocol) - better error reporting if ebtables/ip(6)table commands fail v2: - shortened series since VLAN patches have been pushed - addressed Eric Blake's comments Regards, Stefan

2 12

[libvirt] [PATCH v2 2/2] nwfilter: use shell variable to invoke 'ip(6)tables' command
by Stefan Berger 22 Nov '11

22 Nov '11

Introduce a shell variable 'IBT' to invoke the ip(6)tables command. Tested with libvirt-tck. --- v2: - rebased --- src/nwfilter/nwfilter_ebiptables_driver.c | 313 ++++++++++++++---------------- 1 file changed, 155 insertions(+), 158 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -147,6 +147,10 @@ static const char ebiptables_script_set_ #define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \ virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path); +#define NWFILTER_SET_IPTABLES_SHELLVAR(BUFPTR) \ + virBufferAsprintf(BUFPTR, "IPT=%s\n", iptables_cmd_path); +#define NWFILTER_SET_IP6TABLES_SHELLVAR(BUFPTR) \ + virBufferAsprintf(BUFPTR, "IPT=%s\n", ip6tables_cmd_path); #define VIRT_IN_CHAIN "libvirt-in" #define VIRT_OUT_CHAIN "libvirt-out" @@ -494,66 +498,60 @@ ebtablesHandleEthHdr(virBufferPtr buf, /************************ iptables support ************************/ -static int iptablesLinkIPTablesBaseChain(const char *iptables_cmd, - virBufferPtr buf, +static int iptablesLinkIPTablesBaseChain(virBufferPtr buf, const char *udchain, const char *syschain, unsigned int pos, int stopOnError) { virBufferAsprintf(buf, - "res=$(%s -L %s -n --line-number | " + "res=$($IPT -L %s -n --line-number | " "%s \" %s \")\n" "if [ $? -ne 0 ]; then\n" - " %s -I %s %d -j %s\n" + " $IPT -I %s %d -j %s\n" "else\n" " r=$(echo $res | %s '{print $1}')\n" " if [ \"${r}\" != \"%d\" ]; then\n" - " " CMD_DEF("%s -I %s %d -j %s") CMD_SEPARATOR + " " CMD_DEF("$IPT -I %s %d -j %s") CMD_SEPARATOR " " CMD_EXEC " %s" " r=$(( $r + 1 ))\n" - " " CMD_DEF("%s -D %s ${r}") CMD_SEPARATOR + " " CMD_DEF("$IPT -D %s ${r}") CMD_SEPARATOR " " CMD_EXEC " %s" " fi\n" "fi\n", - iptables_cmd, syschain, + syschain, grep_cmd_path, udchain, - iptables_cmd, syschain, pos, udchain, + syschain, pos, udchain, gawk_cmd_path, pos, - iptables_cmd, syschain, pos, udchain, + syschain, pos, udchain, CMD_STOPONERR(stopOnError), - iptables_cmd, syschain, + syschain, CMD_STOPONERR(stopOnError)); return 0; } -static int iptablesCreateBaseChains(const char *iptables_cmd, - virBufferPtr buf) +static int iptablesCreateBaseChains(virBufferPtr buf) { - virBufferAsprintf(buf,"%s -N " VIRT_IN_CHAIN CMD_SEPARATOR - "%s -N " VIRT_OUT_CHAIN CMD_SEPARATOR - "%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR - "%s -N " HOST_IN_CHAIN CMD_SEPARATOR, - iptables_cmd, - iptables_cmd, - iptables_cmd, - iptables_cmd); - iptablesLinkIPTablesBaseChain(iptables_cmd, buf, + virBufferAddLit(buf, "$IPT -N " VIRT_IN_CHAIN CMD_SEPARATOR + "$IPT -N " VIRT_OUT_CHAIN CMD_SEPARATOR + "$IPT -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR + "$IPT -N " HOST_IN_CHAIN CMD_SEPARATOR); + iptablesLinkIPTablesBaseChain(buf, VIRT_IN_CHAIN , "FORWARD", 1, 1); - iptablesLinkIPTablesBaseChain(iptables_cmd, buf, + iptablesLinkIPTablesBaseChain(buf, VIRT_OUT_CHAIN , "FORWARD", 2, 1); - iptablesLinkIPTablesBaseChain(iptables_cmd, buf, + iptablesLinkIPTablesBaseChain(buf, VIRT_IN_POST_CHAIN, "FORWARD", 3, 1); - iptablesLinkIPTablesBaseChain(iptables_cmd, buf, + iptablesLinkIPTablesBaseChain(buf, HOST_IN_CHAIN , "INPUT" , 1, 1); return 0; @@ -561,8 +559,7 @@ static int iptablesCreateBaseChains(cons static int -iptablesCreateTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesCreateTmpRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname, int stopOnError) @@ -577,10 +574,9 @@ iptablesCreateTmpRootChain(const char *i PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - CMD_DEF("%s -N %s") CMD_SEPARATOR + CMD_DEF("$IPT -N %s") CMD_SEPARATOR CMD_EXEC "%s", - iptables_cmd, chain, CMD_STOPONERR(stopOnError)); @@ -589,20 +585,18 @@ iptablesCreateTmpRootChain(const char *i static int -iptablesCreateTmpRootChains(const char *iptables_cmd, - virBufferPtr buf, +iptablesCreateTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesCreateTmpRootChain(iptables_cmd, buf, 'F', 0, ifname, 1); - iptablesCreateTmpRootChain(iptables_cmd, buf, 'F', 1, ifname, 1); - iptablesCreateTmpRootChain(iptables_cmd, buf, 'H', 1, ifname, 1); + iptablesCreateTmpRootChain(buf, 'F', 0, ifname, 1); + iptablesCreateTmpRootChain(buf, 'F', 1, ifname, 1); + iptablesCreateTmpRootChain(buf, 'H', 1, ifname, 1); return 0; } static int -_iptablesRemoveRootChain(const char *iptables_cmd, - virBufferPtr buf, +_iptablesRemoveRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname, int isTempChain) @@ -622,66 +616,60 @@ _iptablesRemoveRootChain(const char *ipt PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -F %s" CMD_SEPARATOR - "%s -X %s" CMD_SEPARATOR, - iptables_cmd, chain, - iptables_cmd, chain); + "$IPT -F %s" CMD_SEPARATOR + "$IPT -X %s" CMD_SEPARATOR, + chain, + chain); return 0; } static int -iptablesRemoveRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesRemoveRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname) { - return _iptablesRemoveRootChain(iptables_cmd, - buf, prefix, incoming, ifname, 0); + return _iptablesRemoveRootChain(buf, prefix, incoming, ifname, 0); } static int -iptablesRemoveTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesRemoveTmpRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname) { - return _iptablesRemoveRootChain(iptables_cmd, buf, prefix, + return _iptablesRemoveRootChain(buf, prefix, incoming, ifname, 1); } static int -iptablesRemoveTmpRootChains(const char *iptables_cmd, - virBufferPtr buf, +iptablesRemoveTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesRemoveTmpRootChain(iptables_cmd, buf, 'F', 0, ifname); - iptablesRemoveTmpRootChain(iptables_cmd, buf, 'F', 1, ifname); - iptablesRemoveTmpRootChain(iptables_cmd, buf, 'H', 1, ifname); + iptablesRemoveTmpRootChain(buf, 'F', 0, ifname); + iptablesRemoveTmpRootChain(buf, 'F', 1, ifname); + iptablesRemoveTmpRootChain(buf, 'H', 1, ifname); return 0; } static int -iptablesRemoveRootChains(const char *iptables_cmd, - virBufferPtr buf, +iptablesRemoveRootChains(virBufferPtr buf, const char *ifname) { - iptablesRemoveRootChain(iptables_cmd, buf, 'F', 0, ifname); - iptablesRemoveRootChain(iptables_cmd, buf, 'F', 1, ifname); - iptablesRemoveRootChain(iptables_cmd, buf, 'H', 1, ifname); + iptablesRemoveRootChain(buf, 'F', 0, ifname); + iptablesRemoveRootChain(buf, 'F', 1, ifname); + iptablesRemoveRootChain(buf, 'H', 1, ifname); return 0; } static int -iptablesLinkTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesLinkTmpRootChain(virBufferPtr buf, const char *basechain, char prefix, int incoming, const char *ifname, @@ -699,11 +687,10 @@ iptablesLinkTmpRootChain(const char *ipt PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - CMD_DEF("%s -A %s " + CMD_DEF("$IPT -A %s " "%s %s -g %s") CMD_SEPARATOR CMD_EXEC "%s", - iptables_cmd, basechain, match, ifname, chain, @@ -714,37 +701,33 @@ iptablesLinkTmpRootChain(const char *ipt static int -iptablesLinkTmpRootChains(const char *cmd, - virBufferPtr buf, +iptablesLinkTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesLinkTmpRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname, 1); - iptablesLinkTmpRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname, 1); - iptablesLinkTmpRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname, 1); + iptablesLinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname, 1); + iptablesLinkTmpRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname, 1); + iptablesLinkTmpRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname, 1); return 0; } static int -iptablesSetupVirtInPost(const char *iptables_cmd, - virBufferPtr buf, +iptablesSetupVirtInPost(virBufferPtr buf, const char *ifname) { const char *match = MATCH_PHYSDEV_IN; virBufferAsprintf(buf, - "res=$(%s -n -L " VIRT_IN_POST_CHAIN + "res=$($IPT -n -L " VIRT_IN_POST_CHAIN " | grep \"\\%s %s\")\n" "if [ \"${res}\" = \"\" ]; then " - CMD_DEF("%s" + CMD_DEF("$IPT" " -A " VIRT_IN_POST_CHAIN " %s %s -j ACCEPT") CMD_SEPARATOR CMD_EXEC "%s" "fi\n", - iptables_cmd, PHYSDEV_IN, ifname, - iptables_cmd, match, ifname, CMD_STOPONERR(1)); return 0; @@ -752,22 +735,19 @@ iptablesSetupVirtInPost(const char *ipta static int -iptablesClearVirtInPost(const char *iptables_cmd, - virBufferPtr buf, +iptablesClearVirtInPost(virBufferPtr buf, const char *ifname) { const char *match = MATCH_PHYSDEV_IN; virBufferAsprintf(buf, - "%s -D " VIRT_IN_POST_CHAIN + "$IPT -D " VIRT_IN_POST_CHAIN " %s %s -j ACCEPT" CMD_SEPARATOR, - iptables_cmd, match, ifname); return 0; } static int -_iptablesUnlinkRootChain(const char *iptables_cmd, - virBufferPtr buf, +_iptablesUnlinkRootChain(virBufferPtr buf, const char *basechain, char prefix, int incoming, const char *ifname, @@ -789,9 +769,8 @@ _iptablesUnlinkRootChain(const char *ipt PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -D %s " + "$IPT -D %s " "%s %s -g %s" CMD_SEPARATOR, - iptables_cmd, basechain, match, ifname, chain); @@ -800,57 +779,52 @@ _iptablesUnlinkRootChain(const char *ipt static int -iptablesUnlinkRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesUnlinkRootChain(virBufferPtr buf, const char *basechain, char prefix, int incoming, const char *ifname) { - return _iptablesUnlinkRootChain(iptables_cmd, buf, + return _iptablesUnlinkRootChain(buf, basechain, prefix, incoming, ifname, 0); } static int -iptablesUnlinkTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesUnlinkTmpRootChain(virBufferPtr buf, const char *basechain, char prefix, int incoming, const char *ifname) { - return _iptablesUnlinkRootChain(iptables_cmd, buf, + return _iptablesUnlinkRootChain(buf, basechain, prefix, incoming, ifname, 1); } static int -iptablesUnlinkRootChains(const char *cmd, - virBufferPtr buf, +iptablesUnlinkRootChains(virBufferPtr buf, const char *ifname) { - iptablesUnlinkRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname); - iptablesUnlinkRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname); - iptablesUnlinkRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname); + iptablesUnlinkRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname); + iptablesUnlinkRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname); + iptablesUnlinkRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname); return 0; } static int -iptablesUnlinkTmpRootChains(const char *cmd, - virBufferPtr buf, +iptablesUnlinkTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesUnlinkTmpRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname); - iptablesUnlinkTmpRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname); - iptablesUnlinkTmpRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname); + iptablesUnlinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname); + iptablesUnlinkTmpRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname); + iptablesUnlinkTmpRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname); return 0; } static int -iptablesRenameTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesRenameTmpRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname) @@ -871,8 +845,7 @@ iptablesRenameTmpRootChain(const char *i PRINT_IPT_ROOT_CHAIN( chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -E %s %s" CMD_SEPARATOR, - iptables_cmd, + "$IPT -E %s %s" CMD_SEPARATOR, tmpchain, chain); return 0; @@ -880,13 +853,12 @@ iptablesRenameTmpRootChain(const char *i static int -iptablesRenameTmpRootChains(const char *iptables_cmd, - virBufferPtr buf, +iptablesRenameTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesRenameTmpRootChain(iptables_cmd, buf, 'F', 0, ifname); - iptablesRenameTmpRootChain(iptables_cmd, buf, 'F', 1, ifname); - iptablesRenameTmpRootChain(iptables_cmd, buf, 'H', 1, ifname); + iptablesRenameTmpRootChain(buf, 'F', 0, ifname); + iptablesRenameTmpRootChain(buf, 'F', 1, ifname); + iptablesRenameTmpRootChain(buf, 'H', 1, ifname); return 0; } @@ -1260,8 +1232,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_TCP: case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p tcp"); @@ -1316,8 +1287,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_UDP: case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p udp"); @@ -1350,8 +1320,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p udplite"); @@ -1379,8 +1348,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_ESP: case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p esp"); @@ -1408,8 +1376,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_AH: case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p ah"); @@ -1437,8 +1404,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_SCTP: case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p sctp"); @@ -1471,8 +1437,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_ICMP: case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP) @@ -1537,8 +1502,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_IGMP: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p igmp"); @@ -1566,8 +1530,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_ALL: case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p all"); @@ -3692,24 +3655,32 @@ ebiptablesApplyNewRules(virConnectPtr co goto tear_down_tmpebchains; if (haveIptables) { - iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); - iptablesCreateBaseChains(iptables_cmd_path, &buf); + iptablesCreateBaseChains(&buf); if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) goto tear_down_tmpebchains; - iptablesCreateTmpRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesCreateTmpRootChains(&buf, ifname); if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) goto tear_down_tmpiptchains; - iptablesLinkTmpRootChains(iptables_cmd_path, &buf, ifname); - iptablesSetupVirtInPost(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesLinkTmpRootChains(&buf, ifname); + iptablesSetupVirtInPost(&buf, ifname); if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) goto tear_down_tmpiptchains; + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + for (i = 0; i < nruleInstances; i++) { sa_assert (inst); if (inst[i]->ruleType == RT_IPTABLES) @@ -3725,24 +3696,32 @@ ebiptablesApplyNewRules(virConnectPtr co } if (haveIp6tables) { - iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); - iptablesCreateBaseChains(ip6tables_cmd_path, &buf); + iptablesCreateBaseChains(&buf); if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) goto tear_down_tmpiptchains; - iptablesCreateTmpRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesCreateTmpRootChains(&buf, ifname); if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) goto tear_down_tmpip6tchains; - iptablesLinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesSetupVirtInPost(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesLinkTmpRootChains(&buf, ifname); + iptablesSetupVirtInPost(&buf, ifname); if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) goto tear_down_tmpip6tchains; + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + for (i = 0; i < nruleInstances; i++) { if (inst[i]->ruleType == RT_IP6TABLES) iptablesInstCommand(&buf, @@ -3787,14 +3766,18 @@ tear_down_ebsubchains_and_unlink: tear_down_tmpip6tchains: if (haveIp6tables) { - iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); } tear_down_tmpiptchains: if (haveIptables) { - iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); } tear_down_tmpebchains: @@ -3837,13 +3820,17 @@ ebiptablesTearNewRules(virConnectPtr con virBuffer buf = VIR_BUFFER_INITIALIZER; if (iptables_cmd_path) { - iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); } if (ip6tables_cmd_path) { - iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); } if (ebtables_cmd_path) { @@ -3872,18 +3859,22 @@ ebiptablesTearOldRules(virConnectPtr con /* switch to new iptables user defined chains */ if (iptables_cmd_path) { - iptablesUnlinkRootChains(iptables_cmd_path, &buf, ifname); - iptablesRemoveRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkRootChains(&buf, ifname); + iptablesRemoveRootChains(&buf, ifname); - iptablesRenameTmpRootChains(iptables_cmd_path, &buf, ifname); + iptablesRenameTmpRootChains(&buf, ifname); ebiptablesExecCLI(&buf, &cli_status, NULL); } if (ip6tables_cmd_path) { - iptablesUnlinkRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesRemoveRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); - iptablesRenameTmpRootChains(ip6tables_cmd_path, &buf, ifname); + iptablesUnlinkRootChains(&buf, ifname); + iptablesRemoveRootChains(&buf, ifname); + + iptablesRenameTmpRootChains(&buf, ifname); ebiptablesExecCLI(&buf, &cli_status, NULL); } @@ -3970,15 +3961,19 @@ ebiptablesAllTeardown(const char *ifname int cli_status; if (iptables_cmd_path) { - iptablesUnlinkRootChains(iptables_cmd_path, &buf, ifname); - iptablesClearVirtInPost (iptables_cmd_path, &buf, ifname); - iptablesRemoveRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkRootChains(&buf, ifname); + iptablesClearVirtInPost (&buf, ifname); + iptablesRemoveRootChains(&buf, ifname); } if (ip6tables_cmd_path) { - iptablesUnlinkRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesClearVirtInPost (ip6tables_cmd_path, &buf, ifname); - iptablesRemoveRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesUnlinkRootChains(&buf, ifname); + iptablesClearVirtInPost (&buf, ifname); + iptablesRemoveRootChains(&buf, ifname); } if (ebtables_cmd_path) { @@ -4052,11 +4047,12 @@ ebiptablesDriverInit(bool privileged) iptables_cmd_path = virFindFileInPath("iptables"); if (iptables_cmd_path) { + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + virBufferAsprintf(&buf, - CMD_DEF("%s -n -L FORWARD") CMD_SEPARATOR + CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR CMD_EXEC "%s", - iptables_cmd_path, CMD_STOPONERR(1)); if (ebiptablesExecCLI(&buf, NULL, NULL) < 0) @@ -4065,11 +4061,12 @@ ebiptablesDriverInit(bool privileged) ip6tables_cmd_path = virFindFileInPath("ip6tables"); if (ip6tables_cmd_path) { + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + virBufferAsprintf(&buf, - CMD_DEF("%s -n -L FORWARD") CMD_SEPARATOR + CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR CMD_EXEC "%s", - ip6tables_cmd_path, CMD_STOPONERR(1)); if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)

2 2

[libvirt] [PATCH v2 1/2] nwfilter: use shell variable to invoke 'ebtables' command
by Stefan Berger 22 Nov '11

22 Nov '11

Introduce a shell variable 'EBT' to invoke the ebtables command. Hard-code the used ebtables table to '-t nat'. Tested with libvirt-tck. --- v2: - rebased --- src/nwfilter/nwfilter_ebiptables_driver.c | 170 +++++++++++++++++------------- 1 file changed, 97 insertions(+), 73 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -47,7 +47,6 @@ #define VIR_FROM_THIS VIR_FROM_NWFILTER -#define EBTABLES_DEFAULT_TABLE "nat" #define EBTABLES_CHAIN_INCOMING "PREROUTING" #define EBTABLES_CHAIN_OUTGOING "POSTROUTING" @@ -87,7 +86,6 @@ static char *ip6tables_cmd_path; static char *grep_cmd_path; static char *gawk_cmd_path; - #define PRINT_ROOT_CHAIN(buf, prefix, ifname) \ snprintf(buf, sizeof(buf), "libvirt-%c-%s", prefix, ifname) #define PRINT_CHAIN(buf, prefix, ifname, suffix) \ @@ -111,7 +109,7 @@ static const char ebtables_script_func_c "collect_chains()\n" "{\n" " for tmp2 in $*; do\n" - " for tmp in $(%s -t %s -L $tmp2 | \\\n" + " for tmp in $($EBT -t nat -L $tmp2 | \\\n" " sed -n \"/Bridge chain/,\\$ s/.*-j \\\$[%s]-.*\\\$/\\\\1/p\");\n" " do\n" " echo $tmp\n" @@ -123,8 +121,8 @@ static const char ebtables_script_func_c static const char ebiptables_script_func_rm_chains[] = "rm_chains()\n" "{\n" - " for tmp in $*; do %s -t %s -F $tmp; done\n" - " for tmp in $*; do %s -t %s -X $tmp; done\n" + " for tmp in $*; do $EBT -t nat -F $tmp; done\n" + " for tmp in $*; do $EBT -t nat -X $tmp; done\n" "}\n"; static const char ebiptables_script_func_rename_chains[] = @@ -132,8 +130,8 @@ static const char ebiptables_script_func "{\n" " for tmp in $*; do\n" " case $tmp in\n" - " %c*) %s -t %s -E $tmp %c${tmp#?} ;;\n" - " %c*) %s -t %s -E $tmp %c${tmp#?} ;;\n" + " %c*) $EBT -t nat -E $tmp %c${tmp#?} ;;\n" + " %c*) $EBT -t nat -E $tmp %c${tmp#?} ;;\n" " esac\n" " done\n" "}\n"; @@ -147,6 +145,9 @@ static const char ebiptables_script_set_ #define NWFILTER_FUNC_RENAME_CHAINS ebiptables_script_func_rename_chains #define NWFILTER_FUNC_SET_IFS ebiptables_script_set_ifs +#define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \ + virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path); + #define VIRT_IN_CHAIN "libvirt-in" #define VIRT_OUT_CHAIN "libvirt-out" #define VIRT_IN_POST_CHAIN "libvirt-in-post" @@ -1992,9 +1993,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_MAC: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); - + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, vars, @@ -2017,8 +2017,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_VLAN: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, @@ -2084,8 +2084,8 @@ ebtablesCreateRuleInstance(char chainPre } virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, @@ -2122,8 +2122,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_RARP: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, vars, @@ -2231,8 +2231,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_IP: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, vars, @@ -2367,8 +2367,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_IPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, vars, @@ -2491,8 +2491,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_NONE: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); break; default: @@ -2765,10 +2765,10 @@ ebtablesCreateTmpRootChain(virBufferPtr PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, CMD_STOPONERR(stopOnError)); return 0; @@ -2788,10 +2788,9 @@ ebtablesLinkTmpRootChain(virBufferPtr bu PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - CMD_DEF("%s -t %s -A %s -%c %s -j %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -%c %s -j %s") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, (incoming) ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING, iodev, ifname, chain, @@ -2819,10 +2818,10 @@ _ebtablesRemoveRootChain(virBufferPtr bu PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -t %s -F %s" CMD_SEPARATOR - "%s -t %s -X %s" CMD_SEPARATOR, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + "$EBT -t nat -F %s" CMD_SEPARATOR + "$EBT -t nat -X %s" CMD_SEPARATOR, + chain, + chain); return 0; } @@ -2864,8 +2863,7 @@ _ebtablesUnlinkRootChain(virBufferPtr bu PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -t %s -D %s -%c %s -j %s" CMD_SEPARATOR, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, + "$EBT -t nat -D %s -%c %s -j %s" CMD_SEPARATOR, (incoming) ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING, iodev, ifname, chain); @@ -2929,25 +2927,24 @@ ebtablesCreateTmpSubChain(ebiptablesRule } virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -F %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -F %s") CMD_SEPARATOR CMD_EXEC - CMD_DEF("%s -t %s -X %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -X %s") CMD_SEPARATOR CMD_EXEC - CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR CMD_EXEC "%s" - CMD_DEF("%s -t %s -%%c %s %%s %s -j %s") + CMD_DEF("$EBT -t nat -%%c %s %%s %s -j %s") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, + chain, + chain, CMD_STOPONERR(stopOnError), - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, rootchain, protostr, chain, CMD_STOPONERR(stopOnError)); @@ -2981,11 +2978,11 @@ _ebtablesRemoveSubChains(virBufferPtr bu char rootchain[MAX_CHAINNAME_LENGTH]; unsigned i; + NWFILTER_SET_EBTABLES_SHELLVAR(buf); + virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chains); - virBufferAsprintf(buf, NWFILTER_FUNC_RM_CHAINS, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE); + chains); + virBufferAdd(buf, NWFILTER_FUNC_RM_CHAINS, -1); virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS); virBufferAddLit(buf, "chains=\"$(collect_chains"); @@ -2998,8 +2995,7 @@ _ebtablesRemoveSubChains(virBufferPtr bu for (i = 0; chains[i] != 0; i++) { PRINT_ROOT_CHAIN(rootchain, chains[i], ifname); virBufferAsprintf(buf, - "%s -t %s -F %s\n", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, + "$EBT -t nat -F %s\n", rootchain); } virBufferAddLit(buf, "rm_chains $chains\n"); @@ -3054,8 +3050,8 @@ ebtablesRenameTmpSubChain(virBufferPtr b } virBufferAsprintf(buf, - "%s -t %s -E %s %s" CMD_SEPARATOR, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, tmpchain, chain); + "$EBT -t nat -E %s %s" CMD_SEPARATOR, + tmpchain, chain); return 0; } @@ -3078,14 +3074,14 @@ ebtablesRenameTmpSubAndRootChains(virBuf CHAINPREFIX_HOST_OUT_TEMP, 0}; + NWFILTER_SET_EBTABLES_SHELLVAR(buf); + virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chains); + chains); virBufferAsprintf(buf, NWFILTER_FUNC_RENAME_CHAINS, CHAINPREFIX_HOST_IN_TEMP, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, CHAINPREFIX_HOST_IN, CHAINPREFIX_HOST_OUT_TEMP, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, CHAINPREFIX_HOST_OUT); virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS); @@ -3164,40 +3160,41 @@ ebtablesApplyBasicRules(const char *ifna ebiptablesAllTeardown(ifname); + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesCreateTmpRootChain(&buf, 1, ifname, 1); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -s ! %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, macaddr_str, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -p ARP -j ACCEPT") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -p ARP -j ACCEPT") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, CMD_STOPONERR(1)); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); @@ -3262,6 +3259,8 @@ ebtablesApplyDHCPOnlyRules(const char *i ebiptablesAllTeardown(ifname); + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesCreateTmpRootChain(&buf, 1, ifname, 1); ebtablesCreateTmpRootChain(&buf, 0, ifname, 1); @@ -3269,7 +3268,7 @@ ebtablesApplyDHCPOnlyRules(const char *i PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s" + CMD_DEF("$EBT -t nat -A %s" " -s %s -d Broadcast " " -p ipv4 --ip-protocol udp" " --ip-src 0.0.0.0 --ip-dst 255.255.255.255" @@ -3278,20 +3277,20 @@ ebtablesApplyDHCPOnlyRules(const char *i CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in, + chain_in, macaddr_str, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in, + chain_in, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s" + CMD_DEF("$EBT -t nat -A %s" " -d %s" " -p ipv4 --ip-protocol udp" " %s" @@ -3300,17 +3299,17 @@ ebtablesApplyDHCPOnlyRules(const char *i CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out, + chain_out, macaddr_str, srcIPParam != NULL ? srcIPParam : "", CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out, + chain_out, CMD_STOPONERR(1)); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); @@ -3363,6 +3362,8 @@ ebtablesApplyDropAllRules(const char *if ebiptablesAllTeardown(ifname); + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesCreateTmpRootChain(&buf, 1, ifname, 1); ebtablesCreateTmpRootChain(&buf, 0, ifname, 1); @@ -3370,19 +3371,19 @@ ebtablesApplyDropAllRules(const char *if PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in, + chain_in, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out, + chain_out, CMD_STOPONERR(1)); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); @@ -3421,6 +3422,8 @@ static int ebtablesCleanAll(const char * if (!ebtables_cmd_path) return 0; + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkRootChain(&buf, 1, ifname); ebtablesUnlinkRootChain(&buf, 0, ifname); ebtablesRemoveSubChains(&buf, ifname); @@ -3622,8 +3625,11 @@ ebiptablesApplyNewRules(virConnectPtr co } } + /* cleanup whatever may exist */ if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkTmpRootChain(&buf, 1, ifname); ebtablesUnlinkTmpRootChain(&buf, 0, ifname); ebtablesRemoveTmpSubChains(&buf, ifname); @@ -3632,6 +3638,8 @@ ebiptablesApplyNewRules(virConnectPtr co ebiptablesExecCLI(&buf, &cli_status, NULL); } + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + /* create needed chains */ if (ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1, &ebtChains, &nEbtChains) || @@ -3647,6 +3655,8 @@ ebiptablesApplyNewRules(virConnectPtr co if (ebiptablesExecCLI(&buf, NULL, &errmsg) < 0) goto tear_down_tmpebchains; + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + /* process ebtables commands; interleave commands from filters with commands for creating and connecting ebtables chains */ j = 0; @@ -3746,6 +3756,8 @@ ebiptablesApplyNewRules(virConnectPtr co iptablesCheckBridgeNFCallEnabled(true); } + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + if (virHashSize(chains_in_set) != 0) ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); if (virHashSize(chains_out_set) != 0) @@ -3767,6 +3779,8 @@ ebiptablesApplyNewRules(virConnectPtr co tear_down_ebsubchains_and_unlink: if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkTmpRootChain(&buf, 1, ifname); ebtablesUnlinkTmpRootChain(&buf, 0, ifname); } @@ -3785,6 +3799,8 @@ tear_down_tmpiptchains: tear_down_tmpebchains: if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesRemoveTmpSubChains(&buf, ifname); ebtablesRemoveTmpRootChain(&buf, 1, ifname); ebtablesRemoveTmpRootChain(&buf, 0, ifname); @@ -3831,6 +3847,8 @@ ebiptablesTearNewRules(virConnectPtr con } if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkTmpRootChain(&buf, 1, ifname); ebtablesUnlinkTmpRootChain(&buf, 0, ifname); @@ -3870,6 +3888,8 @@ ebiptablesTearOldRules(virConnectPtr con } if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkRootChain(&buf, 1, ifname); ebtablesUnlinkRootChain(&buf, 0, ifname); @@ -3911,6 +3931,8 @@ ebiptablesRemoveRules(virConnectPtr conn virBuffer buf = VIR_BUFFER_INITIALIZER; ebiptablesRuleInstPtr *inst = (ebiptablesRuleInstPtr *)_inst; + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + for (i = 0; i < nruleInstances; i++) ebiptablesInstCommand(&buf, inst[i]->commandTemplate, @@ -3960,6 +3982,8 @@ ebiptablesAllTeardown(const char *ifname } if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkRootChain(&buf, 1, ifname); ebtablesUnlinkRootChain(&buf, 0, ifname); @@ -4014,12 +4038,12 @@ ebiptablesDriverInit(bool privileged) ebtables_cmd_path = virFindFileInPath("ebtables"); if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); /* basic probing */ virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -L") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -L") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, CMD_STOPONERR(1)); if (ebiptablesExecCLI(&buf, NULL, NULL) < 0)

2 1

[libvirt] [PATCH 0/4] Small fixes to non-blocking I/O in client
by Jiri Denemark 22 Nov '11

22 Nov '11

I missed these when reviewing the series... Jiri Denemark (4): rpc: Pass the buck only to the first available thread rpc: Fix a typo in virNetClientSendNonBlock documentation rpc: Fix handling of non-blocking calls that could not be sent rpc: Add some debug messages to virNetClient src/rpc/virnetclient.c | 15 ++++++++++++--- 1 files changed, 12 insertions(+), 3 deletions(-) -- 1.7.8.rc3

2 8

[libvirt] [PATCH] docs: fix grammar of capabilities
by Eric Blake 22 Nov '11

22 Nov '11

* docs/formatcaps.html.in: Avoid run-on sentence, wrap lines. --- Pushing under the trivial rule. docs/formatcaps.html.in | 45 ++++++++++++++++++++++++++------------------- 1 files changed, 26 insertions(+), 19 deletions(-) diff --git a/docs/formatcaps.html.in b/docs/formatcaps.html.in index ce6f9a6..423bc48 100644 --- a/docs/formatcaps.html.in +++ b/docs/formatcaps.html.in @@ -64,25 +64,32 @@ BIOS you will see </guest> ... </capabilities></pre> - The first block (in red) indicates the host hardware capabilities, currently -it is limited to the CPU properties and the power management features of -the host platform, but other information may be available, it shows the CPU architecture, -topology, model name, and additional features which are not included in the model but the -CPU provides them. Features of the chip are shown within the feature block (the block is -similar to what you will find in a Xen fully virtualized domain description). Further, -the power management features supported by the host are shown, such as Suspend-to-RAM (S3) -and Suspend-to-Disk (S4). In case the query for power management features succeeded but the -host does not support any such feature, then an empty <power_management/> -tag will be shown. Otherwise, if the query itself failed, no such tag will -be displayed (i.e., there will not be any power_management block or empty tag in the XML). - The second block (in blue) indicates the paravirtualization support of the -Xen support, you will see the os_type of xen to indicate a paravirtual -kernel, then architecture information and potential features. - The third block (in green) gives similar information but when running a -32 bit OS fully virtualized with Xen using the hvm support. - This section is likely to be updated and augmented in the future, see <a href="https://www.redhat.com/archives/libvir-list/2007-March/msg00215.html">the -discussion</a> which led to the capabilities format in the mailing-list -archives. + The first block (in red) indicates the host hardware + capabilities, such as CPU properties and the power + management features of the host platform. CPU models are + shown as additional features relative to the closest base + model, within a feature block (the block is similar to what + you will find in a Xen fully virtualized domain + description). Further, the power management features + supported by the host are shown, such as Suspend-to-RAM (S3) + and Suspend-to-Disk (S4). In case the query for power + management features succeeded but the host does not support + any such feature, then an empty <power_management/> + tag will be shown. Otherwise, if the query itself failed, no + such tag will be displayed (i.e., there will not be any + power_management block or empty tag in the XML). + The second block (in blue) indicates the paravirtualization + support of the Xen support, you will see the os_type of xen + to indicate a paravirtual kernel, then architecture + information and potential features. + The third block (in green) gives similar information but + when running a 32 bit OS fully virtualized with Xen using + the hvm support. + This section is likely to be updated and augmented in the + future, + see <a href="https://www.redhat.com/archives/libvir-list/2007-March/msg00215.html">the + discussion</a> which led to the capabilities format in the + mailing-list archives. </body> </html> -- 1.7.7.3

1 0

[libvirt] [PATCH V1 0/9] NWFilter: Filter more protocols and other extensions
by Stefan Berger 22 Nov '11

22 Nov '11

This patch series adds: - filtering support for VLAN traffic - support for a 'mac' chain - filtering support for STP (spanning tree protocol) - new filters that enable filtering of multiple IP addresses per interface - better error reporting if ebtables/ip(6)table commands fail Regards, Stefan

3 25

[libvirt] ANNOUNCE: libvirt-glib release 0.0.2
by Daniel P. Berrange 22 Nov '11

22 Nov '11

I am pleased to announce that a new release of the libvirt-glib package, version 0.0.2 is now available from ftp://libvirt.org/libvirt/glib/ The packages are GPG signed with Key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF (4096R) New in this release: - Add API to redefine an existing domain. - Explicitly call virInitialize() to avoid connection races. - Adjust example to latest pygobject-3.0. - Add missing deps on libxml2-devel & libtool. - Add support for writing to streams - Add API for creating transient domains - Change all flags parameters to be guint - Uncomment & fix code for returning object config - Ensure pools & domains hashes are non-NULL to avoid SEGV - Don't de-reference GError instances which are NULL - Update COPYING file to have latest FSF address - Update RPM specfile to include Fedora review feedback libvirt-glib comprises three distinct libraries: - libvirt-glib - Integrate with the GLib event loop and error handling - libvirt-gconfig - Representation of libvirt XML documents as GObjects - libvirt-gobject - Mapping of libvirt APIs into the GObject type system NB: While libvirt aims to be API/ABI stable, for the first few releases, we are *NOT* guaranteeing that libvirt-glib libraries are API/ABI stable. ABI stability will only be guaranteed once the bulk of the APIs have been fleshed out and proved in non-trivial application usage. We anticipate this will be within the next 6 months in order to line up with Fedora 17. Follow up comments about libvirt-glib should be directed to the regular libvir-list(a)redhat.com development list. Thanks to all the people involved in contributing to this release. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

1 0