November 2011 - Devel - libvirt List Archives

[libvirt] [PATCH 2/2] nwfilter: use shell variable to invoke 'ip(6)tables' command
by Stefan Berger 21 Nov '11

21 Nov '11

Introduce a shell variable 'IBT' to invoke the ip(6)tables command. Tested with libvirt-tck. --- src/nwfilter/nwfilter_ebiptables_driver.c | 313 ++++++++++++++---------------- 1 file changed, 155 insertions(+), 158 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -146,6 +146,10 @@ static const char ebiptables_script_set_ #define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \ virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path); +#define NWFILTER_SET_IPTABLES_SHELLVAR(BUFPTR) \ + virBufferAsprintf(BUFPTR, "IPT=%s\n", iptables_cmd_path); +#define NWFILTER_SET_IP6TABLES_SHELLVAR(BUFPTR) \ + virBufferAsprintf(BUFPTR, "IPT=%s\n", ip6tables_cmd_path); #define VIRT_IN_CHAIN "libvirt-in" #define VIRT_OUT_CHAIN "libvirt-out" @@ -493,66 +497,60 @@ ebtablesHandleEthHdr(virBufferPtr buf, /************************ iptables support ************************/ -static int iptablesLinkIPTablesBaseChain(const char *iptables_cmd, - virBufferPtr buf, +static int iptablesLinkIPTablesBaseChain(virBufferPtr buf, const char *udchain, const char *syschain, unsigned int pos, int stopOnError) { virBufferAsprintf(buf, - "res=$(%s -L %s -n --line-number | " + "res=$($IPT -L %s -n --line-number | " "%s \" %s \")\n" "if [ $? -ne 0 ]; then\n" - " %s -I %s %d -j %s\n" + " $IPT -I %s %d -j %s\n" "else\n" " r=$(echo $res | %s '{print $1}')\n" " if [ \"${r}\" != \"%d\" ]; then\n" - " " CMD_DEF("%s -I %s %d -j %s") CMD_SEPARATOR + " " CMD_DEF("$IPT -I %s %d -j %s") CMD_SEPARATOR " " CMD_EXEC " %s" " r=$(( $r + 1 ))\n" - " " CMD_DEF("%s -D %s ${r}") CMD_SEPARATOR + " " CMD_DEF("$IPT -D %s ${r}") CMD_SEPARATOR " " CMD_EXEC " %s" " fi\n" "fi\n", - iptables_cmd, syschain, + syschain, grep_cmd_path, udchain, - iptables_cmd, syschain, pos, udchain, + syschain, pos, udchain, gawk_cmd_path, pos, - iptables_cmd, syschain, pos, udchain, + syschain, pos, udchain, CMD_STOPONERR(stopOnError), - iptables_cmd, syschain, + syschain, CMD_STOPONERR(stopOnError)); return 0; } -static int iptablesCreateBaseChains(const char *iptables_cmd, - virBufferPtr buf) +static int iptablesCreateBaseChains(virBufferPtr buf) { - virBufferAsprintf(buf,"%s -N " VIRT_IN_CHAIN CMD_SEPARATOR - "%s -N " VIRT_OUT_CHAIN CMD_SEPARATOR - "%s -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR - "%s -N " HOST_IN_CHAIN CMD_SEPARATOR, - iptables_cmd, - iptables_cmd, - iptables_cmd, - iptables_cmd); - iptablesLinkIPTablesBaseChain(iptables_cmd, buf, + virBufferAddLit(buf, "$IPT -N " VIRT_IN_CHAIN CMD_SEPARATOR + "$IPT -N " VIRT_OUT_CHAIN CMD_SEPARATOR + "$IPT -N " VIRT_IN_POST_CHAIN CMD_SEPARATOR + "$IPT -N " HOST_IN_CHAIN CMD_SEPARATOR); + iptablesLinkIPTablesBaseChain(buf, VIRT_IN_CHAIN , "FORWARD", 1, 1); - iptablesLinkIPTablesBaseChain(iptables_cmd, buf, + iptablesLinkIPTablesBaseChain(buf, VIRT_OUT_CHAIN , "FORWARD", 2, 1); - iptablesLinkIPTablesBaseChain(iptables_cmd, buf, + iptablesLinkIPTablesBaseChain(buf, VIRT_IN_POST_CHAIN, "FORWARD", 3, 1); - iptablesLinkIPTablesBaseChain(iptables_cmd, buf, + iptablesLinkIPTablesBaseChain(buf, HOST_IN_CHAIN , "INPUT" , 1, 1); return 0; @@ -560,8 +558,7 @@ static int iptablesCreateBaseChains(cons static int -iptablesCreateTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesCreateTmpRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname, int stopOnError) @@ -576,10 +573,9 @@ iptablesCreateTmpRootChain(const char *i PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - CMD_DEF("%s -N %s") CMD_SEPARATOR + CMD_DEF("$IPT -N %s") CMD_SEPARATOR CMD_EXEC "%s", - iptables_cmd, chain, CMD_STOPONERR(stopOnError)); @@ -588,20 +584,18 @@ iptablesCreateTmpRootChain(const char *i static int -iptablesCreateTmpRootChains(const char *iptables_cmd, - virBufferPtr buf, +iptablesCreateTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesCreateTmpRootChain(iptables_cmd, buf, 'F', 0, ifname, 1); - iptablesCreateTmpRootChain(iptables_cmd, buf, 'F', 1, ifname, 1); - iptablesCreateTmpRootChain(iptables_cmd, buf, 'H', 1, ifname, 1); + iptablesCreateTmpRootChain(buf, 'F', 0, ifname, 1); + iptablesCreateTmpRootChain(buf, 'F', 1, ifname, 1); + iptablesCreateTmpRootChain(buf, 'H', 1, ifname, 1); return 0; } static int -_iptablesRemoveRootChain(const char *iptables_cmd, - virBufferPtr buf, +_iptablesRemoveRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname, int isTempChain) @@ -621,66 +615,60 @@ _iptablesRemoveRootChain(const char *ipt PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -F %s" CMD_SEPARATOR - "%s -X %s" CMD_SEPARATOR, - iptables_cmd, chain, - iptables_cmd, chain); + "$IPT -F %s" CMD_SEPARATOR + "$IPT -X %s" CMD_SEPARATOR, + chain, + chain); return 0; } static int -iptablesRemoveRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesRemoveRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname) { - return _iptablesRemoveRootChain(iptables_cmd, - buf, prefix, incoming, ifname, 0); + return _iptablesRemoveRootChain(buf, prefix, incoming, ifname, 0); } static int -iptablesRemoveTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesRemoveTmpRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname) { - return _iptablesRemoveRootChain(iptables_cmd, buf, prefix, + return _iptablesRemoveRootChain(buf, prefix, incoming, ifname, 1); } static int -iptablesRemoveTmpRootChains(const char *iptables_cmd, - virBufferPtr buf, +iptablesRemoveTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesRemoveTmpRootChain(iptables_cmd, buf, 'F', 0, ifname); - iptablesRemoveTmpRootChain(iptables_cmd, buf, 'F', 1, ifname); - iptablesRemoveTmpRootChain(iptables_cmd, buf, 'H', 1, ifname); + iptablesRemoveTmpRootChain(buf, 'F', 0, ifname); + iptablesRemoveTmpRootChain(buf, 'F', 1, ifname); + iptablesRemoveTmpRootChain(buf, 'H', 1, ifname); return 0; } static int -iptablesRemoveRootChains(const char *iptables_cmd, - virBufferPtr buf, +iptablesRemoveRootChains(virBufferPtr buf, const char *ifname) { - iptablesRemoveRootChain(iptables_cmd, buf, 'F', 0, ifname); - iptablesRemoveRootChain(iptables_cmd, buf, 'F', 1, ifname); - iptablesRemoveRootChain(iptables_cmd, buf, 'H', 1, ifname); + iptablesRemoveRootChain(buf, 'F', 0, ifname); + iptablesRemoveRootChain(buf, 'F', 1, ifname); + iptablesRemoveRootChain(buf, 'H', 1, ifname); return 0; } static int -iptablesLinkTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesLinkTmpRootChain(virBufferPtr buf, const char *basechain, char prefix, int incoming, const char *ifname, @@ -698,11 +686,10 @@ iptablesLinkTmpRootChain(const char *ipt PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - CMD_DEF("%s -A %s " + CMD_DEF("$IPT -A %s " "%s %s -g %s") CMD_SEPARATOR CMD_EXEC "%s", - iptables_cmd, basechain, match, ifname, chain, @@ -713,37 +700,33 @@ iptablesLinkTmpRootChain(const char *ipt static int -iptablesLinkTmpRootChains(const char *cmd, - virBufferPtr buf, +iptablesLinkTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesLinkTmpRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname, 1); - iptablesLinkTmpRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname, 1); - iptablesLinkTmpRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname, 1); + iptablesLinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname, 1); + iptablesLinkTmpRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname, 1); + iptablesLinkTmpRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname, 1); return 0; } static int -iptablesSetupVirtInPost(const char *iptables_cmd, - virBufferPtr buf, +iptablesSetupVirtInPost(virBufferPtr buf, const char *ifname) { const char *match = MATCH_PHYSDEV_IN; virBufferAsprintf(buf, - "res=$(%s -n -L " VIRT_IN_POST_CHAIN + "res=$($IPT -n -L " VIRT_IN_POST_CHAIN " | grep \"\\%s %s\")\n" "if [ \"${res}\" = \"\" ]; then " - CMD_DEF("%s" + CMD_DEF("$IPT" " -A " VIRT_IN_POST_CHAIN " %s %s -j ACCEPT") CMD_SEPARATOR CMD_EXEC "%s" "fi\n", - iptables_cmd, PHYSDEV_IN, ifname, - iptables_cmd, match, ifname, CMD_STOPONERR(1)); return 0; @@ -751,22 +734,19 @@ iptablesSetupVirtInPost(const char *ipta static int -iptablesClearVirtInPost(const char *iptables_cmd, - virBufferPtr buf, +iptablesClearVirtInPost(virBufferPtr buf, const char *ifname) { const char *match = MATCH_PHYSDEV_IN; virBufferAsprintf(buf, - "%s -D " VIRT_IN_POST_CHAIN + "$IPT -D " VIRT_IN_POST_CHAIN " %s %s -j ACCEPT" CMD_SEPARATOR, - iptables_cmd, match, ifname); return 0; } static int -_iptablesUnlinkRootChain(const char *iptables_cmd, - virBufferPtr buf, +_iptablesUnlinkRootChain(virBufferPtr buf, const char *basechain, char prefix, int incoming, const char *ifname, @@ -788,9 +768,8 @@ _iptablesUnlinkRootChain(const char *ipt PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -D %s " + "$IPT -D %s " "%s %s -g %s" CMD_SEPARATOR, - iptables_cmd, basechain, match, ifname, chain); @@ -799,57 +778,52 @@ _iptablesUnlinkRootChain(const char *ipt static int -iptablesUnlinkRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesUnlinkRootChain(virBufferPtr buf, const char *basechain, char prefix, int incoming, const char *ifname) { - return _iptablesUnlinkRootChain(iptables_cmd, buf, + return _iptablesUnlinkRootChain(buf, basechain, prefix, incoming, ifname, 0); } static int -iptablesUnlinkTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesUnlinkTmpRootChain(virBufferPtr buf, const char *basechain, char prefix, int incoming, const char *ifname) { - return _iptablesUnlinkRootChain(iptables_cmd, buf, + return _iptablesUnlinkRootChain(buf, basechain, prefix, incoming, ifname, 1); } static int -iptablesUnlinkRootChains(const char *cmd, - virBufferPtr buf, +iptablesUnlinkRootChains(virBufferPtr buf, const char *ifname) { - iptablesUnlinkRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname); - iptablesUnlinkRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname); - iptablesUnlinkRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname); + iptablesUnlinkRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname); + iptablesUnlinkRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname); + iptablesUnlinkRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname); return 0; } static int -iptablesUnlinkTmpRootChains(const char *cmd, - virBufferPtr buf, +iptablesUnlinkTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesUnlinkTmpRootChain(cmd, buf, VIRT_OUT_CHAIN, 'F', 0, ifname); - iptablesUnlinkTmpRootChain(cmd, buf, VIRT_IN_CHAIN , 'F', 1, ifname); - iptablesUnlinkTmpRootChain(cmd, buf, HOST_IN_CHAIN , 'H', 1, ifname); + iptablesUnlinkTmpRootChain(buf, VIRT_OUT_CHAIN, 'F', 0, ifname); + iptablesUnlinkTmpRootChain(buf, VIRT_IN_CHAIN , 'F', 1, ifname); + iptablesUnlinkTmpRootChain(buf, HOST_IN_CHAIN , 'H', 1, ifname); return 0; } static int -iptablesRenameTmpRootChain(const char *iptables_cmd, - virBufferPtr buf, +iptablesRenameTmpRootChain(virBufferPtr buf, char prefix, int incoming, const char *ifname) @@ -870,8 +844,7 @@ iptablesRenameTmpRootChain(const char *i PRINT_IPT_ROOT_CHAIN( chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -E %s %s" CMD_SEPARATOR, - iptables_cmd, + "$IPT -E %s %s" CMD_SEPARATOR, tmpchain, chain); return 0; @@ -879,13 +852,12 @@ iptablesRenameTmpRootChain(const char *i static int -iptablesRenameTmpRootChains(const char *iptables_cmd, - virBufferPtr buf, +iptablesRenameTmpRootChains(virBufferPtr buf, const char *ifname) { - iptablesRenameTmpRootChain(iptables_cmd, buf, 'F', 0, ifname); - iptablesRenameTmpRootChain(iptables_cmd, buf, 'F', 1, ifname); - iptablesRenameTmpRootChain(iptables_cmd, buf, 'H', 1, ifname); + iptablesRenameTmpRootChain(buf, 'F', 0, ifname); + iptablesRenameTmpRootChain(buf, 'F', 1, ifname); + iptablesRenameTmpRootChain(buf, 'H', 1, ifname); return 0; } @@ -1259,8 +1231,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_TCP: case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p tcp"); @@ -1315,8 +1286,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_UDP: case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p udp"); @@ -1349,8 +1319,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p udplite"); @@ -1378,8 +1347,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_ESP: case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p esp"); @@ -1407,8 +1375,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_AH: case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p ah"); @@ -1436,8 +1403,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_SCTP: case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p sctp"); @@ -1470,8 +1436,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_ICMP: case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP) @@ -1536,8 +1501,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_IGMP: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p igmp"); @@ -1565,8 +1529,7 @@ _iptablesCreateRuleInstance(int directio case VIR_NWFILTER_RULE_PROTOCOL_ALL: case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -%%c %s %%s", - iptables_cmd, + CMD_DEF_PRE "$IPT -%%c %s %%s", chain); virBufferAddLit(&buf, " -p all"); @@ -3681,24 +3644,32 @@ ebiptablesApplyNewRules(virConnectPtr co goto tear_down_tmpebchains; if (haveIptables) { - iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); - iptablesCreateBaseChains(iptables_cmd_path, &buf); + iptablesCreateBaseChains(&buf); if (ebiptablesExecCLI(&buf, &cli_status, &errmsg) || cli_status != 0) goto tear_down_tmpebchains; - iptablesCreateTmpRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesCreateTmpRootChains(&buf, ifname); if (ebiptablesExecCLI(&buf, &cli_status, &errmsg) || cli_status != 0) goto tear_down_tmpiptchains; - iptablesLinkTmpRootChains(iptables_cmd_path, &buf, ifname); - iptablesSetupVirtInPost(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesLinkTmpRootChains(&buf, ifname); + iptablesSetupVirtInPost(&buf, ifname); if (ebiptablesExecCLI(&buf, &cli_status, &errmsg) || cli_status != 0) goto tear_down_tmpiptchains; + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + for (i = 0; i < nruleInstances; i++) { sa_assert (inst); if (inst[i]->ruleType == RT_IPTABLES) @@ -3714,24 +3685,32 @@ ebiptablesApplyNewRules(virConnectPtr co } if (haveIp6tables) { - iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); - iptablesCreateBaseChains(ip6tables_cmd_path, &buf); + iptablesCreateBaseChains(&buf); if (ebiptablesExecCLI(&buf, &cli_status, &errmsg) || cli_status != 0) goto tear_down_tmpiptchains; - iptablesCreateTmpRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesCreateTmpRootChains(&buf, ifname); if (ebiptablesExecCLI(&buf, &cli_status, &errmsg) || cli_status != 0) goto tear_down_tmpip6tchains; - iptablesLinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesSetupVirtInPost(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesLinkTmpRootChains(&buf, ifname); + iptablesSetupVirtInPost(&buf, ifname); if (ebiptablesExecCLI(&buf, &cli_status, &errmsg) || cli_status != 0) goto tear_down_tmpip6tchains; + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + for (i = 0; i < nruleInstances; i++) { if (inst[i]->ruleType == RT_IP6TABLES) iptablesInstCommand(&buf, @@ -3776,14 +3755,18 @@ tear_down_ebsubchains_and_unlink: tear_down_tmpip6tchains: if (haveIp6tables) { - iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); } tear_down_tmpiptchains: if (haveIptables) { - iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); } tear_down_tmpebchains: @@ -3825,13 +3808,17 @@ ebiptablesTearNewRules(virConnectPtr con virBuffer buf = VIR_BUFFER_INITIALIZER; if (iptables_cmd_path) { - iptablesUnlinkTmpRootChains(iptables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); } if (ip6tables_cmd_path) { - iptablesUnlinkTmpRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesRemoveTmpRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesUnlinkTmpRootChains(&buf, ifname); + iptablesRemoveTmpRootChains(&buf, ifname); } if (ebtables_cmd_path) { @@ -3860,18 +3847,22 @@ ebiptablesTearOldRules(virConnectPtr con /* switch to new iptables user defined chains */ if (iptables_cmd_path) { - iptablesUnlinkRootChains(iptables_cmd_path, &buf, ifname); - iptablesRemoveRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkRootChains(&buf, ifname); + iptablesRemoveRootChains(&buf, ifname); - iptablesRenameTmpRootChains(iptables_cmd_path, &buf, ifname); + iptablesRenameTmpRootChains(&buf, ifname); ebiptablesExecCLI(&buf, &cli_status, NULL); } if (ip6tables_cmd_path) { - iptablesUnlinkRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesRemoveRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); - iptablesRenameTmpRootChains(ip6tables_cmd_path, &buf, ifname); + iptablesUnlinkRootChains(&buf, ifname); + iptablesRemoveRootChains(&buf, ifname); + + iptablesRenameTmpRootChains(&buf, ifname); ebiptablesExecCLI(&buf, &cli_status, NULL); } @@ -3958,15 +3949,19 @@ ebiptablesAllTeardown(const char *ifname int cli_status; if (iptables_cmd_path) { - iptablesUnlinkRootChains(iptables_cmd_path, &buf, ifname); - iptablesClearVirtInPost (iptables_cmd_path, &buf, ifname); - iptablesRemoveRootChains(iptables_cmd_path, &buf, ifname); + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + + iptablesUnlinkRootChains(&buf, ifname); + iptablesClearVirtInPost (&buf, ifname); + iptablesRemoveRootChains(&buf, ifname); } if (ip6tables_cmd_path) { - iptablesUnlinkRootChains(ip6tables_cmd_path, &buf, ifname); - iptablesClearVirtInPost (ip6tables_cmd_path, &buf, ifname); - iptablesRemoveRootChains(ip6tables_cmd_path, &buf, ifname); + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + + iptablesUnlinkRootChains(&buf, ifname); + iptablesClearVirtInPost (&buf, ifname); + iptablesRemoveRootChains(&buf, ifname); } if (ebtables_cmd_path) { @@ -4041,11 +4036,12 @@ ebiptablesDriverInit(bool privileged) iptables_cmd_path = virFindFileInPath("iptables"); if (iptables_cmd_path) { + NWFILTER_SET_IPTABLES_SHELLVAR(&buf); + virBufferAsprintf(&buf, - CMD_DEF("%s -n -L FORWARD") CMD_SEPARATOR + CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR CMD_EXEC "%s", - iptables_cmd_path, CMD_STOPONERR(1)); if (ebiptablesExecCLI(&buf, &cli_status, NULL) || cli_status) @@ -4054,11 +4050,12 @@ ebiptablesDriverInit(bool privileged) ip6tables_cmd_path = virFindFileInPath("ip6tables"); if (ip6tables_cmd_path) { + NWFILTER_SET_IP6TABLES_SHELLVAR(&buf); + virBufferAsprintf(&buf, - CMD_DEF("%s -n -L FORWARD") CMD_SEPARATOR + CMD_DEF("$IPT -n -L FORWARD") CMD_SEPARATOR CMD_EXEC "%s", - ip6tables_cmd_path, CMD_STOPONERR(1)); if (ebiptablesExecCLI(&buf, &cli_status, NULL) || cli_status)

2 1

[libvirt] [PATCH 1/2] nwfilter: use shell variable to invoke 'ebtables' command
by Stefan Berger 21 Nov '11

21 Nov '11

Introduce a shell variable 'EBT' to invoke the ebtables command. Hard-code the used ebtables table to '-t nat'. Tested with libvirt-tck. --- src/nwfilter/nwfilter_ebiptables_driver.c | 170 +++++++++++++++++------------- 1 file changed, 97 insertions(+), 73 deletions(-) Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -46,7 +46,6 @@ #define VIR_FROM_THIS VIR_FROM_NWFILTER -#define EBTABLES_DEFAULT_TABLE "nat" #define EBTABLES_CHAIN_INCOMING "PREROUTING" #define EBTABLES_CHAIN_OUTGOING "POSTROUTING" @@ -86,7 +85,6 @@ static char *ip6tables_cmd_path; static char *grep_cmd_path; static char *gawk_cmd_path; - #define PRINT_ROOT_CHAIN(buf, prefix, ifname) \ snprintf(buf, sizeof(buf), "libvirt-%c-%s", prefix, ifname) #define PRINT_CHAIN(buf, prefix, ifname, suffix) \ @@ -110,7 +108,7 @@ static const char ebtables_script_func_c "collect_chains()\n" "{\n" " for tmp2 in $*; do\n" - " for tmp in $(%s -t %s -L $tmp2 | \\\n" + " for tmp in $($EBT -t nat -L $tmp2 | \\\n" " sed -n \"/Bridge chain/,\\$ s/.*-j \\\$[%s]-.*\\\$/\\\\1/p\");\n" " do\n" " echo $tmp\n" @@ -122,8 +120,8 @@ static const char ebtables_script_func_c static const char ebiptables_script_func_rm_chains[] = "rm_chains()\n" "{\n" - " for tmp in $*; do %s -t %s -F $tmp; done\n" - " for tmp in $*; do %s -t %s -X $tmp; done\n" + " for tmp in $*; do $EBT -t nat -F $tmp; done\n" + " for tmp in $*; do $EBT -t nat -X $tmp; done\n" "}\n"; static const char ebiptables_script_func_rename_chains[] = @@ -131,8 +129,8 @@ static const char ebiptables_script_func "{\n" " for tmp in $*; do\n" " case $tmp in\n" - " %c*) %s -t %s -E $tmp %c${tmp#?} ;;\n" - " %c*) %s -t %s -E $tmp %c${tmp#?} ;;\n" + " %c*) $EBT -t nat -E $tmp %c${tmp#?} ;;\n" + " %c*) $EBT -t nat -E $tmp %c${tmp#?} ;;\n" " esac\n" " done\n" "}\n"; @@ -146,6 +144,9 @@ static const char ebiptables_script_set_ #define NWFILTER_FUNC_RENAME_CHAINS ebiptables_script_func_rename_chains #define NWFILTER_FUNC_SET_IFS ebiptables_script_set_ifs +#define NWFILTER_SET_EBTABLES_SHELLVAR(BUFPTR) \ + virBufferAsprintf(BUFPTR, "EBT=%s\n", ebtables_cmd_path); + #define VIRT_IN_CHAIN "libvirt-in" #define VIRT_OUT_CHAIN "libvirt-out" #define VIRT_IN_POST_CHAIN "libvirt-in-post" @@ -1990,9 +1991,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_MAC: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); - + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, vars, @@ -2015,8 +2015,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_VLAN: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, @@ -2082,8 +2082,8 @@ ebtablesCreateRuleInstance(char chainPre } virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, @@ -2120,8 +2120,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_RARP: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, vars, @@ -2229,8 +2229,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_IP: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, vars, @@ -2365,8 +2365,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_IPV6: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); if (ebtablesHandleEthHdr(&buf, vars, @@ -2489,8 +2489,8 @@ ebtablesCreateRuleInstance(char chainPre case VIR_NWFILTER_RULE_PROTOCOL_NONE: virBufferAsprintf(&buf, - CMD_DEF_PRE "%s -t %s -%%c %s %%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + CMD_DEF_PRE "$EBT -t nat -%%c %s %%s", + chain); break; default: @@ -2757,10 +2757,10 @@ ebtablesCreateTmpRootChain(virBufferPtr PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, CMD_STOPONERR(stopOnError)); return 0; @@ -2780,10 +2780,9 @@ ebtablesLinkTmpRootChain(virBufferPtr bu PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - CMD_DEF("%s -t %s -A %s -%c %s -j %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -%c %s -j %s") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, (incoming) ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING, iodev, ifname, chain, @@ -2811,10 +2810,10 @@ _ebtablesRemoveRootChain(virBufferPtr bu PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -t %s -F %s" CMD_SEPARATOR - "%s -t %s -X %s" CMD_SEPARATOR, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain); + "$EBT -t nat -F %s" CMD_SEPARATOR + "$EBT -t nat -X %s" CMD_SEPARATOR, + chain, + chain); return 0; } @@ -2856,8 +2855,7 @@ _ebtablesUnlinkRootChain(virBufferPtr bu PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(buf, - "%s -t %s -D %s -%c %s -j %s" CMD_SEPARATOR, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, + "$EBT -t nat -D %s -%c %s -j %s" CMD_SEPARATOR, (incoming) ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING, iodev, ifname, chain); @@ -2917,25 +2915,24 @@ ebtablesCreateTmpSubChain(ebiptablesRule } virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -F %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -F %s") CMD_SEPARATOR CMD_EXEC - CMD_DEF("%s -t %s -X %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -X %s") CMD_SEPARATOR CMD_EXEC - CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -N %s") CMD_SEPARATOR CMD_EXEC "%s" - CMD_DEF("%s -t %s -%%c %s %%s %s -j %s") + CMD_DEF("$EBT -t nat -%%c %s %%s %s -j %s") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, + chain, + chain, CMD_STOPONERR(stopOnError), - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, rootchain, protostr, chain, CMD_STOPONERR(stopOnError)); @@ -2967,11 +2964,11 @@ _ebtablesRemoveSubChains(virBufferPtr bu char rootchain[MAX_CHAINNAME_LENGTH]; unsigned i; + NWFILTER_SET_EBTABLES_SHELLVAR(buf); + virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chains); - virBufferAsprintf(buf, NWFILTER_FUNC_RM_CHAINS, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE); + chains); + virBufferAdd(buf, NWFILTER_FUNC_RM_CHAINS, -1); virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS); virBufferAddLit(buf, "chains=\"$(collect_chains"); @@ -2984,8 +2981,7 @@ _ebtablesRemoveSubChains(virBufferPtr bu for (i = 0; chains[i] != 0; i++) { PRINT_ROOT_CHAIN(rootchain, chains[i], ifname); virBufferAsprintf(buf, - "%s -t %s -F %s\n", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, + "$EBT -t nat -F %s\n", rootchain); } virBufferAddLit(buf, "rm_chains $chains\n"); @@ -3040,8 +3036,8 @@ ebtablesRenameTmpSubChain(virBufferPtr b } virBufferAsprintf(buf, - "%s -t %s -E %s %s" CMD_SEPARATOR, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, tmpchain, chain); + "$EBT -t nat -E %s %s" CMD_SEPARATOR, + tmpchain, chain); return 0; } @@ -3064,14 +3060,14 @@ ebtablesRenameTmpSubAndRootChains(virBuf CHAINPREFIX_HOST_OUT_TEMP, 0}; + NWFILTER_SET_EBTABLES_SHELLVAR(buf); + virBufferAsprintf(buf, NWFILTER_FUNC_COLLECT_CHAINS, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chains); + chains); virBufferAsprintf(buf, NWFILTER_FUNC_RENAME_CHAINS, CHAINPREFIX_HOST_IN_TEMP, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, CHAINPREFIX_HOST_IN, CHAINPREFIX_HOST_OUT_TEMP, - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, CHAINPREFIX_HOST_OUT); virBufferAsprintf(buf, NWFILTER_FUNC_SET_IFS); @@ -3151,40 +3147,41 @@ ebtablesApplyBasicRules(const char *ifna ebiptablesAllTeardown(ifname); + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesCreateTmpRootChain(&buf, 1, ifname, 1); PRINT_ROOT_CHAIN(chain, chainPrefix, ifname); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -s ! %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, macaddr_str, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -p ARP -j ACCEPT") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -p ARP -j ACCEPT") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, + chain, CMD_STOPONERR(1)); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); @@ -3250,6 +3247,8 @@ ebtablesApplyDHCPOnlyRules(const char *i ebiptablesAllTeardown(ifname); + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesCreateTmpRootChain(&buf, 1, ifname, 1); ebtablesCreateTmpRootChain(&buf, 0, ifname, 1); @@ -3257,7 +3256,7 @@ ebtablesApplyDHCPOnlyRules(const char *i PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s" + CMD_DEF("$EBT -t nat -A %s" " -s %s -d Broadcast " " -p ipv4 --ip-protocol udp" " --ip-src 0.0.0.0 --ip-dst 255.255.255.255" @@ -3266,20 +3265,20 @@ ebtablesApplyDHCPOnlyRules(const char *i CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in, + chain_in, macaddr_str, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in, + chain_in, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s" + CMD_DEF("$EBT -t nat -A %s" " -d %s" " -p ipv4 --ip-protocol udp" " %s" @@ -3288,17 +3287,17 @@ ebtablesApplyDHCPOnlyRules(const char *i CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out, + chain_out, macaddr_str, srcIPParam != NULL ? srcIPParam : "", CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out, + chain_out, CMD_STOPONERR(1)); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); @@ -3352,6 +3351,8 @@ ebtablesApplyDropAllRules(const char *if ebiptablesAllTeardown(ifname); + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesCreateTmpRootChain(&buf, 1, ifname, 1); ebtablesCreateTmpRootChain(&buf, 0, ifname, 1); @@ -3359,19 +3360,19 @@ ebtablesApplyDropAllRules(const char *if PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_in, + chain_in, CMD_STOPONERR(1)); virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -A %s -j DROP") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -A %s -j DROP") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain_out, + chain_out, CMD_STOPONERR(1)); ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); @@ -3410,6 +3411,8 @@ static int ebtablesCleanAll(const char * if (!ebtables_cmd_path) return 0; + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkRootChain(&buf, 1, ifname); ebtablesUnlinkRootChain(&buf, 0, ifname); ebtablesRemoveSubChains(&buf, ifname); @@ -3611,8 +3614,11 @@ ebiptablesApplyNewRules(virConnectPtr co } } + /* cleanup whatever may exist */ if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkTmpRootChain(&buf, 1, ifname); ebtablesUnlinkTmpRootChain(&buf, 0, ifname); ebtablesRemoveTmpSubChains(&buf, ifname); @@ -3621,6 +3627,8 @@ ebiptablesApplyNewRules(virConnectPtr co ebiptablesExecCLI(&buf, &cli_status, NULL); } + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + /* create needed chains */ if (ebtablesCreateTmpRootAndSubChains(&buf, ifname, chains_in_set , 1, &ebtChains, &nEbtChains) || @@ -3636,6 +3644,8 @@ ebiptablesApplyNewRules(virConnectPtr co if (ebiptablesExecCLI(&buf, &cli_status, &errmsg) || cli_status != 0) goto tear_down_tmpebchains; + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + /* process ebtables commands; interleave commands from filters with commands for creating and connecting ebtables chains */ j = 0; @@ -3735,6 +3745,8 @@ ebiptablesApplyNewRules(virConnectPtr co iptablesCheckBridgeNFCallEnabled(true); } + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + if (virHashSize(chains_in_set) != 0) ebtablesLinkTmpRootChain(&buf, 1, ifname, 1); if (virHashSize(chains_out_set) != 0) @@ -3756,6 +3768,8 @@ ebiptablesApplyNewRules(virConnectPtr co tear_down_ebsubchains_and_unlink: if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkTmpRootChain(&buf, 1, ifname); ebtablesUnlinkTmpRootChain(&buf, 0, ifname); } @@ -3774,6 +3788,8 @@ tear_down_tmpiptchains: tear_down_tmpebchains: if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesRemoveTmpSubChains(&buf, ifname); ebtablesRemoveTmpRootChain(&buf, 1, ifname); ebtablesRemoveTmpRootChain(&buf, 0, ifname); @@ -3819,6 +3835,8 @@ ebiptablesTearNewRules(virConnectPtr con } if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkTmpRootChain(&buf, 1, ifname); ebtablesUnlinkTmpRootChain(&buf, 0, ifname); @@ -3858,6 +3876,8 @@ ebiptablesTearOldRules(virConnectPtr con } if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkRootChain(&buf, 1, ifname); ebtablesUnlinkRootChain(&buf, 0, ifname); @@ -3899,6 +3919,8 @@ ebiptablesRemoveRules(virConnectPtr conn virBuffer buf = VIR_BUFFER_INITIALIZER; ebiptablesRuleInstPtr *inst = (ebiptablesRuleInstPtr *)_inst; + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + for (i = 0; i < nruleInstances; i++) ebiptablesInstCommand(&buf, inst[i]->commandTemplate, @@ -3948,6 +3970,8 @@ ebiptablesAllTeardown(const char *ifname } if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); + ebtablesUnlinkRootChain(&buf, 1, ifname); ebtablesUnlinkRootChain(&buf, 0, ifname); @@ -4003,12 +4027,12 @@ ebiptablesDriverInit(bool privileged) ebtables_cmd_path = virFindFileInPath("ebtables"); if (ebtables_cmd_path) { + NWFILTER_SET_EBTABLES_SHELLVAR(&buf); /* basic probing */ virBufferAsprintf(&buf, - CMD_DEF("%s -t %s -L") CMD_SEPARATOR + CMD_DEF("$EBT -t nat -L") CMD_SEPARATOR CMD_EXEC "%s", - ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, CMD_STOPONERR(1)); if (ebiptablesExecCLI(&buf, &cli_status, NULL) || cli_status)

2 1

[libvirt] [libvirt-glib] Add API to redefine an existing domain
by Zeeshan Ali (Khattak) 21 Nov '11

21 Nov '11

From: "Zeeshan Ali (Khattak)" <zeeshanak(a)gnome.org> --- libvirt-gobject/libvirt-gobject-domain.c | 65 ++++++++++++++++++++++++++++++ libvirt-gobject/libvirt-gobject-domain.h | 3 + libvirt-gobject/libvirt-gobject.sym | 1 + 3 files changed, 69 insertions(+), 0 deletions(-) diff --git a/libvirt-gobject/libvirt-gobject-domain.c b/libvirt-gobject/libvirt-gobject-domain.c index 1fa27bd..7121a21 100644 --- a/libvirt-gobject/libvirt-gobject-domain.c +++ b/libvirt-gobject/libvirt-gobject-domain.c @@ -449,6 +449,71 @@ GVirConfigDomain *gvir_domain_get_config(GVirDomain *dom, return conf; } +/** + * gvir_domain_set_config: + * @domain: the domain + * @conf: the new configuration for the domain + * @err: (allow-none): Place-holder for error or NULL + * + * Resets configuration of an existing domain. + * + * Note: If domain is already running, the new configuration will not take + * affect until domain reboots. + * + * Returns: TRUE on success, FALSE if an error occurred. + */ +gboolean gvir_domain_set_config(GVirDomain *domain, + GVirConfigDomain *conf, + GError **err) +{ + const gchar *xml; + virConnectPtr conn; + virDomainPtr handle; + gchar uuid[VIR_UUID_STRING_BUFLEN]; + GVirDomainPrivate *priv = domain->priv; + + g_return_val_if_fail(GVIR_IS_DOMAIN (domain), FALSE); + g_return_val_if_fail(GVIR_IS_CONFIG_DOMAIN (conf), FALSE); + g_return_val_if_fail(err == NULL || *err == NULL, FALSE); + + xml = gvir_config_object_to_xml(GVIR_CONFIG_OBJECT(conf)); + + g_return_val_if_fail(xml != NULL, FALSE); + + if ((conn = virDomainGetConnect(priv->handle)) == NULL) { + if (err != NULL) + *err = gvir_error_new_literal(GVIR_DOMAIN_ERROR, + 0, + "Failed to get domain connection"); + return FALSE; + } + + handle = virDomainDefineXML(conn, xml); + + if (handle == NULL) { + if (err != NULL) + *err = gvir_error_new_literal(GVIR_DOMAIN_ERROR, + 0, + "Failed to set " + "domain configuration"); + return FALSE; + } + + virDomainGetUUIDString(handle, uuid); + virDomainFree(handle); + + if (g_strcmp0 (uuid, priv->uuid) != 0) { + if (err != NULL) + *err = gvir_error_new_literal(GVIR_DOMAIN_ERROR, + 0, + "Failed to set " + "domain configuration"); + + return FALSE; + } + + return TRUE; +} /** * gvir_domain_get_info: diff --git a/libvirt-gobject/libvirt-gobject-domain.h b/libvirt-gobject/libvirt-gobject-domain.h index 94bd53e..0479de8 100644 --- a/libvirt-gobject/libvirt-gobject-domain.h +++ b/libvirt-gobject/libvirt-gobject-domain.h @@ -123,6 +123,9 @@ GVirDomainInfo *gvir_domain_get_info(GVirDomain *dom, GVirConfigDomain *gvir_domain_get_config(GVirDomain *dom, guint64 flags, GError **err); +gboolean gvir_domain_set_config(GVirDomain *domain, + GVirConfigDomain *conf, + GError **err); gchar *gvir_domain_screenshot(GVirDomain *dom, GVirStream *stream, diff --git a/libvirt-gobject/libvirt-gobject.sym b/libvirt-gobject/libvirt-gobject.sym index 164b6b8..46c53f9 100644 --- a/libvirt-gobject/libvirt-gobject.sym +++ b/libvirt-gobject/libvirt-gobject.sym @@ -53,6 +53,7 @@ LIBVIRT_GOBJECT_0.0.1 { gvir_domain_shutdown; gvir_domain_reboot; gvir_domain_get_config; + gvir_domain_set_config; gvir_domain_get_info; gvir_domain_screenshot; -- 1.7.7.1

1 0

[libvirt] [libvirt-glib 01/37] Add gvir_config_object_new_child helper
by Christophe Fergeau 21 Nov '11

21 Nov '11

This allows us to factor the code to add an XML node to a config object. --- libvirt-gconfig/libvirt-gconfig-object.c | 72 ++++++++++++++++++------------ libvirt-gconfig/libvirt-gconfig-object.h | 4 ++ libvirt-gconfig/libvirt-gconfig.h | 2 +- 3 files changed, 49 insertions(+), 29 deletions(-) diff --git a/libvirt-gconfig/libvirt-gconfig-object.c b/libvirt-gconfig/libvirt-gconfig-object.c index fbdbedd..598ac0c 100644 --- a/libvirt-gconfig/libvirt-gconfig-object.c +++ b/libvirt-gconfig/libvirt-gconfig-object.c @@ -294,35 +294,62 @@ char *gvir_config_object_get_node_content(GVirConfigObject *object, return gvir_config_xml_get_child_element_content_glib(node, node_name); } -/* FIXME: if there are multiple nodes with the same name, this function - * won't behave as expected. Should we get rid of the duplicated node names - * here? - */ -void gvir_config_object_set_node_content(GVirConfigObject *object, - const char *node_name, - const char *value) +void +gvir_config_object_set_child(GVirConfigObject *object, xmlNodePtr child) { xmlNodePtr parent_node; xmlNodePtr old_node; - xmlNodePtr new_node; - xmlChar *encoded_name; parent_node = gvir_config_object_get_xml_node(GVIR_CONFIG_OBJECT(object)); - encoded_name = xmlEncodeEntitiesReentrant(parent_node->doc, - (xmlChar *)value); - new_node = xmlNewDocNode(parent_node->doc, NULL, - (xmlChar *)node_name, encoded_name); - xmlFree(encoded_name); + g_return_if_fail (parent_node != NULL); - old_node = gvir_config_xml_get_element(parent_node, node_name, NULL); + old_node = gvir_config_xml_get_element(parent_node, child->name, NULL); + /* FIXME: should we make sure there are no multiple occurrences + * of this node? + */ if (old_node) { - old_node = xmlReplaceNode(old_node, new_node); + old_node = xmlReplaceNode(old_node, child); xmlFreeNode(old_node); } else { - xmlAddChild(parent_node, new_node); + xmlAddChild(parent_node, child); } } +xmlNodePtr +gvir_config_object_new_child(GVirConfigObject *object, const char *child_name) +{ + xmlNodePtr new_node; + + new_node = xmlNewDocNode(NULL, NULL, (xmlChar *)child_name, NULL); + gvir_config_object_set_child(object, new_node); + return new_node; +} + +void gvir_config_object_set_node_content(GVirConfigObject *object, + const char *node_name, + const char *value) +{ + xmlNodePtr node; + xmlChar *encoded_data; + + node = gvir_config_object_new_child(object, node_name); + g_return_if_fail(node != NULL); + encoded_data = xmlEncodeEntitiesReentrant(node->doc, + (xmlChar *)value); + xmlNodeSetContent(node, encoded_data); + xmlFree(encoded_data); +} + +void gvir_config_object_set_node_content_uint64(GVirConfigObject *object, + const char *node_name, + guint64 value) +{ + char *str; + str = g_strdup_printf("%"G_GUINT64_FORMAT, value); + gvir_config_object_set_node_content(object, node_name, str); + g_free(str); +} + /* FIXME: how to notify of errors/node not found? */ guint64 gvir_config_object_get_node_content_uint64(GVirConfigObject *object, const char *node_name) @@ -345,17 +372,6 @@ guint64 gvir_config_object_get_node_content_uint64(GVirConfigObject *object, return value; } - -void gvir_config_object_set_node_content_uint64(GVirConfigObject *object, - const char *node_name, - guint64 value) -{ - char *str; - str = g_strdup_printf("%"G_GUINT64_FORMAT, value); - gvir_config_object_set_node_content(object, node_name, str); - g_free(str); -} - GVirConfigObject *gvir_config_object_new_from_xml(GType type, const char *root_name, const char *schema, diff --git a/libvirt-gconfig/libvirt-gconfig-object.h b/libvirt-gconfig/libvirt-gconfig-object.h index 52e4525..8e67b92 100644 --- a/libvirt-gconfig/libvirt-gconfig-object.h +++ b/libvirt-gconfig/libvirt-gconfig-object.h @@ -78,6 +78,10 @@ char *gvir_config_object_get_node_content(GVirConfigObject *object, const char *node_name); guint64 gvir_config_object_get_node_content_uint64(GVirConfigObject *object, const char *node_name); +xmlNodePtr gvir_config_object_new_child(GVirConfigObject *object, + const char *child_name); +void gvir_config_object_set_child(GVirConfigObject *object, + xmlNodePtr child); void gvir_config_object_set_node_content(GVirConfigObject *object, const char *node_name, const char *value); diff --git a/libvirt-gconfig/libvirt-gconfig.h b/libvirt-gconfig/libvirt-gconfig.h index fdc78a4..4e23f0d 100644 --- a/libvirt-gconfig/libvirt-gconfig.h +++ b/libvirt-gconfig/libvirt-gconfig.h @@ -26,11 +26,11 @@ #include <glib-object.h> #include <libxml/tree.h> -#include <libvirt-gconfig/libvirt-gconfig-helpers.h> #include <libvirt-gconfig/libvirt-gconfig-object.h> #include <libvirt-gconfig/libvirt-gconfig-capabilities.h> #include <libvirt-gconfig/libvirt-gconfig-domain.h> #include <libvirt-gconfig/libvirt-gconfig-domain-snapshot.h> +#include <libvirt-gconfig/libvirt-gconfig-helpers.h> #include <libvirt-gconfig/libvirt-gconfig-interface.h> #include <libvirt-gconfig/libvirt-gconfig-network.h> #include <libvirt-gconfig/libvirt-gconfig-node-device.h> -- 1.7.7

3 102

[libvirt] [libvirt-glib] Add API to redefine an existing domain
by Zeeshan Ali (Khattak) 21 Nov '11

21 Nov '11

From: "Zeeshan Ali (Khattak)" <zeeshanak(a)gnome.org> --- libvirt-gobject/libvirt-gobject-connection.c | 37 ++++++++++++++++++++++++++ libvirt-gobject/libvirt-gobject-connection.h | 4 +++ libvirt-gobject/libvirt-gobject.sym | 1 + 3 files changed, 42 insertions(+), 0 deletions(-) diff --git a/libvirt-gobject/libvirt-gobject-connection.c b/libvirt-gobject/libvirt-gobject-connection.c index 6c8de11..471c795 100644 --- a/libvirt-gobject/libvirt-gobject-connection.c +++ b/libvirt-gobject/libvirt-gobject-connection.c @@ -1201,6 +1201,43 @@ GVirDomain *gvir_connection_create_domain(GVirConnection *conn, } /** + * gvir_connection_redefine_domain: + * @conn: the connection on which the dmain exists + * @conf: the new configuration for the domain + * + * Redefines an existing domain. + */ +void gvir_connection_redefine_domain(GVirConnection *conn, + GVirDomain *domain, + GVirConfigDomain *conf, + GError **err) +{ + const gchar *xml; + virDomainPtr handle; + GVirDomain *dom; + virDomainPtr dom_handle; + GVirConnectionPrivate *priv = conn->priv; + + xml = gvir_config_object_to_xml(GVIR_CONFIG_OBJECT(conf)); + + g_return_if_fail(xml != NULL); + + g_mutex_lock(priv->lock); + dom = g_hash_table_lookup (priv->domains, + (gpointer)gvir_domain_get_uuid(domain)); + g_mutex_unlock(priv->lock); + g_return_if_fail(dom != NULL); + /* FIXME: Check if config's domain ID is the same as domain passed */ + + if (!(handle = virDomainDefineXML(priv->conn, xml))) { + *err = gvir_error_new_literal(GVIR_CONNECTION_ERROR, + 0, + "Failed to redefine domain"); + return NULL; + } +} + +/** * gvir_connection_create_storage_pool: * @conn: the connection on which to create the pool * @conf: the configuration for the new storage pool diff --git a/libvirt-gobject/libvirt-gobject-connection.h b/libvirt-gobject/libvirt-gobject-connection.h index 9f4bdc3..c23d948 100644 --- a/libvirt-gobject/libvirt-gobject-connection.h +++ b/libvirt-gobject/libvirt-gobject-connection.h @@ -110,6 +110,10 @@ GVirDomain *gvir_connection_find_domain_by_name(GVirConnection *conn, GVirDomain *gvir_connection_create_domain(GVirConnection *conn, GVirConfigDomain *conf, GError **err); +void gvir_connection_redefine_domain(GVirConnection *conn, + GVirDomain *domain, + GVirConfigDomain *conf, + GError **err); #if 0 GList *gvir_connection_get_interfaces(GVirConnection *conn); diff --git a/libvirt-gobject/libvirt-gobject.sym b/libvirt-gobject/libvirt-gobject.sym index 164b6b8..b5cc347 100644 --- a/libvirt-gobject/libvirt-gobject.sym +++ b/libvirt-gobject/libvirt-gobject.sym @@ -27,6 +27,7 @@ LIBVIRT_GOBJECT_0.0.1 { gvir_connection_find_domain_by_name; gvir_connection_find_storage_pool_by_name; gvir_connection_create_domain; + gvir_connection_redefine_domain; gvir_connection_create_storage_pool; gvir_domain_device_get_type; -- 1.7.7.1

3 4

[libvirt] [PATCH] Fix build on Mingw32 wrt export of virNetServerGetDBusConn
by Daniel P. Berrange 21 Nov '11

21 Nov '11

From: "Daniel P. Berrange" <berrange(a)redhat.com> Mingw32 complains if you request export of a symbol which does not in fact exist. * src/libvirt_bridge.syms, src/libvirt_macvtap.syms: Delete obsolete files * src/libvirt_private.syms: Remove virNetServerGetDBusConn * src/libvirt_dbus.syms: Add virNetServerGetDBusConn --- src/Makefile.am | 8 ++------ src/libvirt_bridge.syms | 23 ----------------------- src/libvirt_dbus.syms | 2 ++ src/libvirt_macvtap.syms | 10 ---------- src/libvirt_private.syms | 1 - 5 files changed, 4 insertions(+), 40 deletions(-) delete mode 100644 src/libvirt_bridge.syms create mode 100644 src/libvirt_dbus.syms delete mode 100644 src/libvirt_macvtap.syms diff --git a/src/Makefile.am b/src/Makefile.am index f82be78..2ee42a1 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1175,16 +1175,12 @@ if WITH_DRIVER_MODULES USED_SYM_FILES += libvirt_driver_modules.syms endif -if WITH_BRIDGE -USED_SYM_FILES += libvirt_bridge.syms -endif - if WITH_LINUX USED_SYM_FILES += libvirt_linux.syms endif -if WITH_MACVTAP -USED_SYM_FILES += libvirt_macvtap.syms +if HAVE_DBUS +USED_SYM_FILES += libvirt_dbus.syms endif if WITH_LIBVIRTD diff --git a/src/libvirt_bridge.syms b/src/libvirt_bridge.syms deleted file mode 100644 index 626f6ee..0000000 --- a/src/libvirt_bridge.syms +++ /dev/null @@ -1,23 +0,0 @@ -# -# These symbols are dependent upon --with-qemu or --with-lxc via -# WITH_BRIDGE. -# - - -# bridge.h -brAddBridge; -brAddInetAddress; -brAddInterface; -brAddTap; -brCreateTap; -brDelInetAddress; -brDeleteBridge; -brDeleteTap; -brHasBridge; -brInit; -brSetEnableSTP; -brSetForwardDelay; -brSetInetNetmask; -brSetInterfaceMac; -brSetInterfaceUp; -brShutdown; diff --git a/src/libvirt_dbus.syms b/src/libvirt_dbus.syms new file mode 100644 index 0000000..a460ec5 --- /dev/null +++ b/src/libvirt_dbus.syms @@ -0,0 +1,2 @@ +# virnetserver.h +virNetServerGetDBusConn; diff --git a/src/libvirt_macvtap.syms b/src/libvirt_macvtap.syms deleted file mode 100644 index b48565b..0000000 --- a/src/libvirt_macvtap.syms +++ /dev/null @@ -1,10 +0,0 @@ -# -# These symbols are dependent on WITH_MACVTAP. -# - - -# macvtap.h -delMacvtap; -openMacvtapTap; -vpAssociatePortProfileId; -vpDisassociatePortProfileId; diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 7906f5d..f4e25c1 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1252,7 +1252,6 @@ virNetServerAddSignalHandler; virNetServerAutoShutdown; virNetServerClose; virNetServerFree; -virNetServerGetDBusConn; virNetServerIsPrivileged; virNetServerNew; virNetServerQuit; -- 1.7.6.4

2 1

[libvirt] bug: try to take disk snapshot for LVM2 Volume
by MATSUDA, Daiki 21 Nov '11

21 Nov '11

I tried the new snapshot function implemented by Eric Blake. It works very well for QCOW2 disk image system. But I often use LVM2 volume for QEMU virtual machines and tried to take disk snapshot by virsh command ( snapshot-create DOMNAME --disk-only). So, finally qemu monitor command 'snapshot_blkdev' accepts the LVM2 volume and create QCOW2 snapshot image. In addition, domain's configuration file is replaced to use snapshot disk image instead of LVM2 volume. configuration file from .... <disk type='block' device='disk> <driver name='qemu' type='raw' cache='none'/> <source dev='dev/VG1/LVM2_dom'/> .... to <disk type='block' device='disk> <driver name='qemu' type='qcow2' cache='none'/> <source dev='dev/VG1/LVM2_dom.1317357844'/> After then, the domain runs well till it is shutdowned. I started the domain, but it does not with following error virtsh # start LVM2_dom error: Failed to start domain LVM2_dom error: 内部エラー Process exited while reading console log output: char device redirected to /dev/pts/7 qemu: could not open disk image /dev/VG1/LVM2_dom.1317357844: Invalid argument. I think that if the volume but qcow2 is given libvirt should be refuse, e.g. in qemuDomainSnapshotCreateDiskActive() with voulme driver type. But currently the structures concerning with snapshot or disk has no member to hold such a volume driver information. In addition, as we want to add the LVM2 and other volume snapshot function, we hope you add its information and fix. Regards MATSUDA Daiki

5 20

[libvirt] [TCK] [PATCH] nwfilter: Add '-n' flag to iptables command where missing
by Stefan Berger 21 Nov '11

21 Nov '11

Add the -n flag to the iptables command where it is missing to avoid delays due to name resolution. --- scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall | 9 +++++---- scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall | 8 ++++---- scripts/nwfilter/nwfilterxml2fwallout/target-test2.fwall | 8 ++++---- 3 files changed, 13 insertions(+), 12 deletions(-) Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall @@ -24,7 +24,8 @@ FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-out -n | grep vnet0 | tr -s " " FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 -#iptables -L FORWARD --line-number | grep libvirt -1 libvirt-in all -- anywhere anywhere -2 libvirt-out all -- anywhere anywhere -3 libvirt-in-post all -- anywhere anywhere +#iptables -L FORWARD -n --line-number | grep libvirt +1 libvirt-in all -- 0.0.0.0/0 0.0.0.0/0 +2 libvirt-out all -- 0.0.0.0/0 0.0.0.0/0 +3 libvirt-in-post all -- 0.0.0.0/0 0.0.0.0/0 + Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall @@ -42,10 +42,10 @@ FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-out -n | grep vnet0 | tr -s " " FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 -#iptables -L FORWARD --line-number | grep libvirt -1 libvirt-in all -- anywhere anywhere -2 libvirt-out all -- anywhere anywhere -3 libvirt-in-post all -- anywhere anywhere +#iptables -L FORWARD -n --line-number | grep libvirt +1 libvirt-in all -- 0.0.0.0/0 0.0.0.0/0 +2 libvirt-out all -- 0.0.0.0/0 0.0.0.0/0 +3 libvirt-in-post all -- 0.0.0.0/0 0.0.0.0/0 #ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" -i vnet0 -j libvirt-I-vnet0 #ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test2.fwall =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilterxml2fwallout/target-test2.fwall +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test2.fwall @@ -27,8 +27,8 @@ FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [got ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 #iptables -L libvirt-out -n | grep vnet0 | tr -s " " FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 -#iptables -L FORWARD --line-number | grep libvirt -1 libvirt-in all -- anywhere anywhere -2 libvirt-out all -- anywhere anywhere -3 libvirt-in-post all -- anywhere anywhere +#iptables -L FORWARD -n --line-number | grep libvirt +1 libvirt-in all -- 0.0.0.0/0 0.0.0.0/0 +2 libvirt-out all -- 0.0.0.0/0 0.0.0.0/0 +3 libvirt-in-post all -- 0.0.0.0/0 0.0.0.0/0

2 2

[libvirt] [TCK] [PATCH] networks: Fix some errors in test 100
by Stefan Berger 21 Nov '11

21 Nov '11

Network test 100 when run via sh ./networkApplyTest.sh --tap-test --verbose --wait currently exhibits some problems. This patch fixes them. I now only looking for dnsmasq to be running with some of the parameters from tck-testnet having gone into its command line arguments. --- scripts/networks/networkxml2hostout/tck-testnet-1.dat | 10 ++++++---- scripts/networks/networkxml2hostout/tck-testnet-1.post.dat | 6 ++++-- scripts/networks/networkxml2hostout/tck-testnet-2.dat | 10 ++++++---- scripts/networks/networkxml2hostout/tck-testnet-2.post.dat | 5 +++-- 4 files changed, 19 insertions(+), 12 deletions(-) Index: libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-1.dat =================================================================== --- libvirt-tck.orig/scripts/networks/networkxml2hostout/tck-testnet-1.dat +++ libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-1.dat @@ -5,12 +5,14 @@ MASQUERADE all -- 10.1.2.0/24 #iptables -n -L FORWARD | grep ' 10\.1\.2\.' ACCEPT all -- 0.0.0.0/0 10.1.2.0/24 state RELATED,ESTABLISHED ACCEPT all -- 10.1.2.0/24 0.0.0.0/0 -#ps aux | sed -n '/dnsmasq .*10\.1\.2\./ s|.*$dnsmasq[[:print:]*]$|\1|p' -dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/tck-testnet.pid --conf-file= --listen-address 10.1.2.1 --except-interface lo --dhcp-range 10.1.2.2,10.1.2.254 --dhcp-lease-max=253 --dhcp-no-override +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 10\.1\.2\.1*$.*|\1|p' +listen-address 10.1.2.1 +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$dhcp-range 10\.1\.2\.2\,10\.1\.2\.254*$.*|\1|p' +dhcp-range 10.1.2.2,10.1.2.254 #route -n | grep '10\.1\.2\.' 10.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tck-testbr -#brctl show | grep tck-testbr -tck-testbr 8000.000000000000 yes +#brctl show | grep tck-testbr | gawk '{print $1" "$3}' +tck-testbr yes #ifconfig tck-testbr | grep ':10\.1\.2\.' inet addr:10.1.2.1 Bcast:10.1.2.255 Mask:255.255.255.0 #virsh net-list | grep tck-testnet Index: libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-1.post.dat =================================================================== --- libvirt-tck.orig/scripts/networks/networkxml2hostout/tck-testnet-1.post.dat +++ libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-1.post.dat @@ -1,7 +1,9 @@ #iptables -t nat -L -n | grep ' 10\.1\.2\.' #iptables -n -L FORWARD | grep ' 10\.1\.2\.' -#ps aux | sed -n '/dnsmasq .*10\.1\.2\./ s|.*$dnsmasq[[:print:]*]$|\1|p' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 10\.1\.2\.1*$.*|\1|p' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$dhcp-range 10\.1\.2\.2\,10\.1\.2\.254*$.*|\1|p' #route -n | grep '10\.1\.2\.' -#brctl show | grep tck-testbr +#route -n | grep '10\.1\.2\.' +#brctl show | grep tck-testbr | gawk '{print $1" "$3}' #ifconfig tck-testbr 2>/dev/null| grep ':10\.1\.2\.' #virsh net-list | grep tck-testnet Index: libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-2.dat =================================================================== --- libvirt-tck.orig/scripts/networks/networkxml2hostout/tck-testnet-2.dat +++ libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-2.dat @@ -2,12 +2,14 @@ ACCEPT all -- 0.0.0.0/0 10.1.2.0/24 ACCEPT all -- 10.1.2.0/24 0.0.0.0/0 #iptables -t nat -L -n | grep ' 10\.1\.2\.' -#ps aux | sed -n '/dnsmasq .*10\.1\.2\./ s|.*$dnsmasq[[:print:]*]$|\1|p' -dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/tck-testnet.pid --conf-file= --listen-address 10.1.2.1 --except-interface lo --dhcp-range 10.1.2.2,10.1.2.254 --dhcp-lease-max=253 --dhcp-no-override +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 10\.1\.2\.1$.*|\1|p' +listen-address 10.1.2.1 +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$dhcp-range 10\.1\.2\.2,10\.1\.2\.254$.*|\1|p' +dhcp-range 10.1.2.2,10.1.2.254 #route -n | grep '10\.1\.2\.' 10.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tck-testbr -#brctl show | grep tck-testbr -tck-testbr 8000.000000000000 yes +#brctl show | grep tck-testbr | gawk '{print $1" "$3}' +tck-testbr yes #ifconfig tck-testbr | grep ':10\.1\.2\.' inet addr:10.1.2.1 Bcast:10.1.2.255 Mask:255.255.255.0 #virsh net-list | grep tck-testnet Index: libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-2.post.dat =================================================================== --- libvirt-tck.orig/scripts/networks/networkxml2hostout/tck-testnet-2.post.dat +++ libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-2.post.dat @@ -1,7 +1,8 @@ #iptables -t nat -L -n | grep ' 10\.1\.2' #iptables -n -L FORWARD | grep ' 10\.1\.2' -#ps aux | sed -n '/dnsmasq .*10\.1\.2\./ s|.*$dnsmasq[[:print:]*]$|\1|p' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 10\.1\.2\.1$.*|\1|p' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$dhcp-range 10\.1\.2\.2,10\.1\.2\.254$.*|\1|p' #route -n | grep '10\.1\.2\.' -#brctl show | grep tck-testbr +#brctl show | grep tck-testbr | gawk '{print $1" "$3}' #ifconfig tck-testbr 2>/dev/null | grep ':10\.1\.2\.' #virsh net-list | grep tck-testnet

2 2

[libvirt] [TCK][PATCH] add more test cases
by Stefan Berger 21 Nov '11

21 Nov '11

This patch adds a couple more test cases (especially for IPv6 configurations) to the network test 100. Again make sure that some of the parameters from tck-testnet's XML have made it into command line parameters of dnsmasq. --- scripts/networks/networkxml2hostout/tck-testnet-3.dat | 49 +++++++++++++ scripts/networks/networkxml2hostout/tck-testnet-3.post.dat | 19 +++++ scripts/networks/networkxml2xmlin/tck-testnet-3.xml | 22 +++++ 3 files changed, 90 insertions(+) Index: libvirt-tck/scripts/networks/networkxml2xmlin/tck-testnet-3.xml =================================================================== --- /dev/null +++ libvirt-tck/scripts/networks/networkxml2xmlin/tck-testnet-3.xml @@ -0,0 +1,22 @@ +<network> + <name>tck-testnet</name> + <uuid>aadc8920-502a-4774-ac2b-cd382a204d06</uuid> + <bridge name="tck-testbr" /> + <forward mode="nat" /> + <ip address="10.1.2.1" netmask="255.255.255.0"> + <dhcp> + <range start="10.1.2.2" end="10.1.2.254" /> + <host mac="00:16:3e:77:e2:ed" name="a.example.com" ip="10.1.2.10" /> + <host mac="00:16:3e:3e:a9:1a" name="b.example.com" ip="10.1.2.11" /> + </dhcp> + </ip> + <ip family="ipv4" address="192.168.123.1" netmask="255.255.255.0"> + </ip> + <ip family="ipv6" address="2001:db8:ac10:fe01::1" prefix="64"> + </ip> + <ip family="ipv6" address="2001:db8:ac10:fd01::1" prefix="64"> + </ip> + <ip family="ipv4" address="172.28.255.241" netmask="255.255.255.240"> + </ip> +</network> + Index: libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-3.dat =================================================================== --- /dev/null +++ libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-3.dat @@ -0,0 +1,49 @@ +#iptables -t nat -L -n | grep ' 10\.1\.2\.' +MASQUERADE tcp -- 10.1.2.0/24 !10.1.2.0/24 masq ports: 1024-65535 +MASQUERADE udp -- 10.1.2.0/24 !10.1.2.0/24 masq ports: 1024-65535 +MASQUERADE all -- 10.1.2.0/24 !10.1.2.0/24 +#iptables -n -L FORWARD | grep ' 10\.1\.2\.' +ACCEPT all -- 0.0.0.0/0 10.1.2.0/24 state RELATED,ESTABLISHED +ACCEPT all -- 10.1.2.0/24 0.0.0.0/0 +#ip6tables -n -L FORWARD | grep ' 2001:db8:ac10' +ACCEPT all ::/0 2001:db8:ac10:fd01::/64 +ACCEPT all 2001:db8:ac10:fd01::/64 ::/0 +ACCEPT all ::/0 2001:db8:ac10:fe01::/64 +ACCEPT all 2001:db8:ac10:fe01::/64 ::/0 +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 10\.1\.2\.1$.*|\1|p' +listen-address 10.1.2.1 +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 192\.168\.123\.1$.*|\1|p' +listen-address 192.168.123.1 +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 172\.28\.255\.241$.*|\1|p' +listen-address 172.28.255.241 +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$dhcp-range 10\.1\.2\.2,10\.1\.2\.254$.*|\1|p' +dhcp-range 10.1.2.2,10.1.2.254 +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 2001\:db8\:ac10\:fe01\:\:1$.*|\1|p' +listen-address 2001:db8:ac10:fe01::1 +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 2001\:db8\:ac10\:fd01\:\:1$.*|\1|p' +listen-address 2001:db8:ac10:fd01::1 +#ps aux | sed -n '/radvd --.*tck-testnet-/ s|.*$\/radvd\/tck-testnet-radvd.conf$.*|\1|p' +/radvd/tck-testnet-radvd.conf +#route -n | grep '10\.1\.2\.' +10.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tck-testbr +#route -n | grep '192\.168\.123\.' +192.168.123.0 0.0.0.0 255.255.255.0 U 0 0 0 tck-testbr +#route -n | grep '172\.28\.255\.240' +172.28.255.240 0.0.0.0 255.255.255.240 U 0 0 0 tck-testbr +#brctl show | grep tck-testbr | gawk '{print $1" "$3}' +tck-testbr yes +#ifconfig tck-testbr | grep ':10\.1\.2\.' + inet addr:10.1.2.1 Bcast:10.1.2.255 Mask:255.255.255.0 +#ifconfig tck-testbr | grep 'inet6 addr: 2001' + inet6 addr: 2001:db8:ac10:fd01::1/64 Scope:Global + inet6 addr: 2001:db8:ac10:fe01::1/64 Scope:Global +#ip addr show tck-testbr | grep "inet " + inet 10.1.2.1/24 brd 10.1.2.255 scope global tck-testbr + inet 192.168.123.1/24 brd 192.168.123.255 scope global tck-testbr + inet 172.28.255.241/28 brd 172.28.255.255 scope global tck-testbr +#ip route show dev tck-testbr +172.28.255.240/28 proto kernel scope link src 172.28.255.241 +10.1.2.0/24 proto kernel scope link src 10.1.2.1 +192.168.123.0/24 proto kernel scope link src 192.168.123.1 +#virsh net-list | grep tck-testnet +tck-testnet active no Index: libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-3.post.dat =================================================================== --- /dev/null +++ libvirt-tck/scripts/networks/networkxml2hostout/tck-testnet-3.post.dat @@ -0,0 +1,19 @@ +#iptables -t nat -L -n | grep ' 10\.1\.2\.' +#iptables -n -L FORWARD | grep ' 10\.1\.2\.' +#ip6tables -n -L FORWARD | grep ' 2001:db8:ac10' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 10\.1\.2\.1$.*|\1|p' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 192\.168\.123\.1$.*|\1|p' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 172\.28\.255\.241$.*|\1|p' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$dhcp-range 10\.1\.2\.2,10\.1\.2\.254$.*|\1|p' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 2001\:db8\:ac10\:fe01\:\:1$.*|\1|p' +#ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*$listen-address 2001\:db8\:ac10\:fd01\:\:1$.*|\1|p' +#ps aux | sed -n '/radvd --.*tck-testnet-/ s|.*$\/radvd\/tck-testnet-radvd.conf$.*|\1|p' +#route -n | grep '10\.1\.2\.' +#route -n | grep '192\.168\.123\.' +#route -n | grep '172\.28\.255\.240' +#brctl show | grep tck-testbr +#ifconfig tck-testbr 2>/dev/null | grep ':10\.1\.2\.' +#ifconfig tck-testbr 2>/dev/null | grep 'inet6 addr: 2001' +#ip addr show tck-testbr 2>/dev/null | grep "inet " +#ip route show dev tck-testbr 2>/dev/null +#virsh net-list | grep tck-testnet

2 2