[libvirt] [RFC PATCH] build: detect doc build errors
by Eric Blake
I'm still stumped by xsltproc complaining about `&nbsp;` not being a
valid XML entity, hence the (hackish) exemption in docs/Makefile.am
that adds --html for a couple of .html.in files. But for the
remaining files, this does make input validation stricter, and caught
several bugs.
Hence, this is an RFC (either we live with my hack that caught
all the issues in the prior patch, or someone with more xsltproc
knowledge than me will step in and teach it how to resolve html
entities while processing the documents as xml instead of html).
* docs/Makefile.am (maintainer-clean-local): Remove generated docs
in VPATH build.
(%.html.tmp): Don't use looser --html; our input should be strict
xhtml. HACK - use --html when entities like are involved.
(html/index.html): Exit on formatting problems.
(rebuild): Run full doc build on request.
---
docs/Makefile.am | 24 ++++++++++++++----------
1 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/docs/Makefile.am b/docs/Makefile.am
index db4bc59..2d1afe4 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -123,7 +123,7 @@ internals/%.html.tmp: internals/%.html.in subsite.xsl page.xsl sitemap.html.in
echo "Generating $@"; \
$(MKDIR_P) "$(builddir)/internals"; \
name=`echo $@ | sed -e 's/.tmp//'`; \
- $(XSLTPROC) --stringparam pagename $$name --nonet --html \
+ $(XSLTPROC) --stringparam pagename $$name --nonet \
$(top_srcdir)/docs/subsite.xsl $< > $@ \
|| { rm $@ && exit 1; }; fi
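Review bot: Dropping `--html` from the internals/%.html.tmp recipe leaves those pages with no fallback at all, whereas the %.html.tmp rule in the next hunk keeps a grep-driven `--html` fallback for pages that use `&nbsp;`, `&uuml;` or `&mdash;`; if any internals/*.html.in uses an HTML entity (not visible here) its build now fails with only the xsltproc entity error to explain why. Either apply the same `$$(grep -qE '&(nbsp|uuml|mdash);' $< && printf %s --html)` line here as well, or add a comment above the rule stating that internals pages must be strict XHTML with no HTML entities. The enclosing internals/%.html.tmp rule starts before this hunk.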
@@ -131,7 +131,8 @@ internals/%.html.tmp: internals/%.html.in subsite.xsl page.xsl sitemap.html.in
@if [ -x $(XSLTPROC) ] ; then \
echo "Generating $@"; \
name=`echo $@ | sed -e 's/.tmp//'`; \
- $(XSLTPROC) --stringparam pagename $$name --nonet --html \
+ $(XSLTPROC) --stringparam pagename $$name --nonet \
+ $$(grep -qE '&(nbsp|uuml|mdash);' $< && printf %s --html) \
$(top_srcdir)/docs/site.xsl $< > $@ \
|| { rm $@ && exit 1; }; fi
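Review bot: The new `--html` fallback keys on a fixed entity list, so a page that introduces any other named HTML entity (say `&copy;`) fails the strict parse with no hint that the list in this recipe is the reason; a comment above the rule should say so, e.g. `# HACK: xsltproc parses input as XML and cannot resolve HTML entities; fall back to --html only for pages using the entities listed below`. The exit status of the grep inside the `$$(...)` substitution is deliberately discarded, which is fine but worth a word in the same comment. Since the html/index.html rule further down already probes the catalog for the XHTML 1.0 Strict DTD, declaring that DOCTYPE in the .html.in sources might let xsltproc resolve the entities under `--nonet` without this hack — inferred, not verified here. The enclosing %.html.tmp rule starts before this hunk.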
@@ -147,21 +148,22 @@ internals/%.html.tmp: internals/%.html.in subsite.xsl page.xsl sitemap.html.in
html/index.html: libvirt-api.xml newapi.xsl page.xsl sitemap.html.in
- -@if [ -x $(XSLTPROC) ] ; then \
+ @if [ -x $(XSLTPROC) ] ; then \
echo "Rebuilding the HTML pages from the XML API" ; \
$(XSLTPROC) --nonet -o $(srcdir)/ \
$(srcdir)/newapi.xsl $(srcdir)/libvirt-api.xml ; fi
- -@if test -x $(XMLLINT) && test -x $(XMLCATALOG) ; then \
- if $(XMLCATALOG) '$(XML_CATALOG_FILE)' "-//W3C//DTD XHTML 1.0 Strict//EN" \
- > /dev/null ; then \
+ @if test -x $(XMLLINT) && test -x $(XMLCATALOG) ; then \
+ if $(XMLCATALOG) '$(XML_CATALOG_FILE)' \
+ "-//W3C//DTD XHTML 1.0 Strict//EN" > /dev/null ; then \
echo "Validating the resulting XHTML pages" ; \
SGML_CATALOG_FILES='$(XML_CATALOG_FILE)' \
- $(XMLLINT) --catalogs --nonet --valid --noout $(srcdir)/html/*.html ; \
+ $(XMLLINT) --catalogs --nonet --valid --noout $(srcdir)/html/*.html \
+ || { rm $(srcdir)/$@ && exit 1; }; \
else echo "missing XHTML1 DTD" ; fi ; fi
$(addprefix $(srcdir)/,$(devhelphtml)): $(srcdir)/libvirt-api.xml $(devhelpxsl)
-@echo Rebuilding devhelp files
- -@if [ -x $(XSLTPROC) ] ; then \
+ @if [ -x $(XSLTPROC) ] ; then \
$(XSLTPROC) --nonet -o $(srcdir)/devhelp/ \
$(top_srcdir)/docs/devhelp/devhelp.xsl $(srcdir)/libvirt-api.xml ; fi
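Review bot: Removing the `-` prefix makes an xsltproc failure in the first `if` fatal, but unlike the validation branch it leaves whatever xsltproc already wrote under `$(srcdir)/html/` in place, so the next run sees a newer-than-prerequisites index.html and skips the rule; append the same cleanup there, e.g. `$(srcdir)/newapi.xsl $(srcdir)/libvirt-api.xml || { rm -f $(srcdir)/$@; exit 1; }; fi`. In the validation branch `rm $(srcdir)/$@ && exit 1` still fails the recipe if rm itself fails, but `rm -f $(srcdir)/$@; exit 1` states the intent more plainly. The devhelp rule below has the same no-cleanup-on-failure shape after its `-` is dropped. Note that xsltproc `-o $(srcdir)/` writes many files while the target names only `html/index.html`; that predates this patch, but it is why the cleanup has to be done by hand here rather than by `.DELETE_ON_ERROR`.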
@@ -183,9 +185,11 @@ clean-local:
rm -f *~ *.bak *.hierarchy *.signals *-unused.txt *.html
maintainer-clean-local: clean-local
- rm -rf $(srcdir)/libvirt-api.xml $(srcdir)/libvirt-refs.xml todo.html.in
+ rm -rf $(srcdir)/libvirt-api.xml $(srcdir)/libvirt-refs.xml \
+ todo.html.in $(srcdir)/*.html $(srcdir)/devhelp/*.html \
+ $(srcdir)/html/*.html $(srcdir)/internals/*.html
-rebuild: api all
+rebuild: maintainer-clean-local api all
install-data-local:
$(mkinstalldirs) $(DESTDIR)$(HTML_DIR)
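Review bot: `rebuild: maintainer-clean-local api all` relies on prerequisites being built in the listed order, which Make does not guarantee: under `make -j` the clean can run concurrently with or after `api`/`all` and delete freshly generated pages, and even serially the order is a property of the graph walk rather than a declared dependency. Sequencing it explicitly with a recipe avoids that, e.g. `rebuild:` followed by `	$(MAKE) maintainer-clean-local` and `	$(MAKE) api all`. If `rebuild` is not already listed in `.PHONY` (not visible in this hunk) it should be, since a stray file named rebuild would otherwise satisfy it. The widened `rm -rf` globs assume every `*.html` under `$(srcdir)`, `devhelp/`, `html/` and `internals/` is generated; that holds for pages built from `.html.in` sources, but a hand-maintained `.html` there (if any exists) would be lost.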
--
1.7.4
13 years, 7 months
[libvirt] [PATCH] fix memory leak in qemuProcessHandleGraphics()
by Wen Congyang
If strdup("x509dname") or strdup("saslUsername") succeeds but
strdup(x509dname) or strdup(saslUsername) fails, subject->nidentity does
not match the number of elements in subject->identities, and we leak some
memory.
---
src/qemu/qemu_process.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index e74e0f1..0d2ccdc 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -544,18 +544,18 @@ qemuProcessHandleGraphics(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
if (x509dname) {
if (VIR_REALLOC_N(subject->identities, subject->nidentity+1) < 0)
goto no_memory;
- if (!(subject->identities[subject->nidentity].type = strdup("x509dname")) ||
- !(subject->identities[subject->nidentity].name = strdup(x509dname)))
- goto no_memory;
subject->nidentity++;
+ if (!(subject->identities[subject->nidentity-1].type = strdup("x509dname")) ||
+ !(subject->identities[subject->nidentity-1].name = strdup(x509dname)))
+ goto no_memory;
}
if (saslUsername) {
if (VIR_REALLOC_N(subject->identities, subject->nidentity+1) < 0)
goto no_memory;
- if (!(subject->identities[subject->nidentity].type = strdup("saslUsername")) ||
- !(subject->identities[subject->nidentity].name = strdup(saslUsername)))
- goto no_memory;
subject->nidentity++;
+ if (!(subject->identities[subject->nidentity-1].type = strdup("saslUsername")) ||
+ !(subject->identities[subject->nidentity-1].name = strdup(saslUsername)))
+ goto no_memory;
}
virDomainObjLock(vm);
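Review bot: With the increment moved ahead of the strdup() calls, a failure of `strdup("x509dname")` leaves `subject->identities[subject->nidentity-1].name` never assigned (the `||` short-circuits), yet nidentity now counts that slot; realloc-style growth via VIR_REALLOC_N does not zero the new element, so a cleanup at no_memory that frees every `.name` below nidentity would free an uninitialized pointer. The saslUsername branch in the same hunk has the identical shape. Clearing the slot right after the realloc closes it, e.g. `memset(&subject->identities[subject->nidentity], 0, sizeof(subject->identities[0]));` before the `subject->nidentity++`. The no_memory label and the rest of qemuProcessHandleGraphics are outside this hunk, so how the cleanup iterates is inferred from the commit message rather than seen.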
--
1.7.1
13 years, 7 months
[libvirt] [PATCH] do not lock vm while allocating memory
by Wen Congyang
There is no need to lock vm while allocating memory. If allocating
memory fails, we forget to unlock vm.
---
src/qemu/qemu_process.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index e31e1b4..e74e0f1 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -525,8 +525,6 @@ qemuProcessHandleGraphics(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
virDomainEventGraphicsSubjectPtr subject = NULL;
int i;
- virDomainObjLock(vm);
-
if (VIR_ALLOC(localAddr) < 0)
goto no_memory;
localAddr->family = localFamily;
@@ -560,6 +558,7 @@ qemuProcessHandleGraphics(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
subject->nidentity++;
}
+ virDomainObjLock(vm);
event = virDomainEventGraphicsNewFromObj(vm, phase, localAddr, remoteAddr, authScheme, subject);
virDomainObjUnlock(vm);
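Review bot: Now that `virDomainObjLock(vm)` is taken only immediately before virDomainEventGraphicsNewFromObj(), the `no_memory` label that the earlier allocations jump to must not call virDomainObjUnlock(vm); the label is outside both hunks, so please confirm it only releases localAddr, remoteAddr and subject. The code that now runs unlocked between the two hunks appears to touch only those local structures and the handler's arguments, which is why the move is safe, but that stretch is not visible here either. qemuProcessHandleGraphics begins before the first hunk.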
--
1.7.1
13 years, 7 months
[libvirt] mingw: virsh event loop failure in current git
by Matthias Bolte
Commit 2ed6cc7bec41dd344d41ea1531f6760c93099128 "Expose event loop
implementation as a public API" turned a failure to initialize the
default event loop into a fatal error in virsh on Windows. Before that
commit such a failure was ignored.
virEventRegisterDefaultImpl calls virEventPollInit that calls
virSetNonBlock that calls ioctl that is replaced by gnulib and calls
ioctlsocket. ioctlsocket fails because the given FD is a pipe but
ioctlsocket expects a socket.
A version that works on pipes on Windows looks like this. Although the
pipe is not actually a named pipe, the call to SetNamedPipeHandleState
at least doesn't fail.
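/*
 * virSetPipeNonBlock:
 * @fd: CRT file descriptor backing the pipe
 *
 * Windows replacement for the ioctl-based virSetNonBlock, which fails on
 * pipes because gnulib's ioctl maps to ioctlsocket and expects a socket.
 * Switches the pipe handle into PIPE_NOWAIT mode.  The pipe is not a named
 * pipe, but SetNamedPipeHandleState accepts its handle (observed, not
 * documented -- see the surrounding mail).
 *
 * Returns 0 on success, -1 on failure.
 */
int
virSetPipeNonBlock(int fd)
{
    DWORD mode = PIPE_NOWAIT;
    /* _get_osfhandle() returns an intptr_t, -1 for a bad fd; the cast
     * makes that compare equal to INVALID_HANDLE_VALUE. */
    HANDLE handle = (HANDLE) _get_osfhandle(fd);
    BOOL result;

    if (handle == INVALID_HANDLE_VALUE)
        return -1;

    result = SetNamedPipeHandleState(handle, &mode, NULL, NULL);
    return result ? 0 : -1;
}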
So, is the event loop stuff supposed to work on Windows at all and we
should get it fixed? Or do we just put an #ifndef WIN32 around
virEventRegisterDefaultImpl in virsh, because the only event loop user
in virsh is the console command that is disabled on Windows anyway?
Matthias
13 years, 7 months
[libvirt] [PATCH] Fix several formatting mistakes in doc
by Michal Privoznik
---
docs/formatdomain.html.in | 2 +-
docs/hooks.html.in | 6 +++---
src/libvirt.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 8b50814..438cbf0 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -353,7 +353,7 @@
<dd> The optional <code>vcpupin</code> element specifies which of host
physical CPUS the domain VCPU will be pinned to. If this is ommited,
each VCPU pinned to all the physical CPUS by default. It contains two
- required attributes, the attribute <code>vcpu</vcpu> specifies vcpu id,
+ required attributes, the attribute <code>vcpu</code> specifies vcpu id,
and the attribute <code>cpuset</code> is same as attribute <code>cpuset</code>
of element <code>vcpu</code>. NB, Only qemu driver supports</dd>
<dt><code>shares</code></dt>
diff --git a/docs/hooks.html.in b/docs/hooks.html.in
index eec7a6a..890359e 100644
--- a/docs/hooks.html.in
+++ b/docs/hooks.html.in
@@ -105,16 +105,16 @@
is not started. The first location, <span class="since">since
0.9.0</span>, is before libvirt performs any resource
labeling, and the hook can allocate resources not managed by
- libvirt such as DRBD or missing bridges. This is called as:</br>
+ libvirt such as DRBD or missing bridges. This is called as:<br/>
<pre>/etc/libvirt/hooks/qemu guest_name prepare begin -</pre>
The second location, available <span class="since">Since
0.8.0</span>, occurs after libvirt has finished labeling
- all resources, but has not yet started the guest, called as:</br>
+ all resources, but has not yet started the guest, called as:<br/>
<pre>/etc/libvirt/hooks/qemu guest_name start begin -</pre></li>
<li>When a QEMU guest is stopped, the qemu hook script is called
in two locations, to match the startup.
First, <span class="since">since 0.8.0</span>, the hook is
- called before libvirt restores any labels:</br>
+ called before libvirt restores any labels:<br/>
<pre>/etc/libvirt/hooks/qemu guest_name stopped end -</pre>
Then, after libvirt has released all resources, the hook is
called again, <span class="since">since 0.9.0</span>, to allow
diff --git a/src/libvirt.c b/src/libvirt.c
index 9bdb4c8..8be18d4 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -2852,7 +2852,7 @@ error:
}
/*
- * virDomainSetMemoryFlags
+ * virDomainSetMemoryFlags:
* @domain: a domain object or NULL
* @memory: the memory size in kilobytes
* @flags: an OR'ed set of virDomainMemoryModFlags
--
1.7.4
13 years, 7 months
[libvirt] [PATCH] docs: fix typo
by Eric Blake
* docs/formatdomain.html.in: Fix KVM name.
---
Pushing under the trivial rule.
docs/formatdomain.html.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 6c624ab..574fee5 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -314,7 +314,7 @@
<dt><code>memtune</code></dt>
<dd> The optional <code>memtune</code> element provides details
regarding the memory tunable parameters for the domain. If this is
- omitted, it defaults to the OS provided defaults. For QEMU/KVMi, the
+ omitted, it defaults to the OS provided defaults. For QEMU/KVM, the
parameters are applied to the QEMU process as a whole. Thus, when
counting them, one needs to add up guest RAM, guest video RAM, and
some memory overhead of QEMU itself. The last piece is hard to
--
1.7.4
13 years, 7 months
[libvirt] [PATCH] docs: correct invalid xml
by Eric Blake
* docs/internals.html.in: Fix xml errors.
* docs/formatstorageencryption.html.in: Likewise.
* docs/drvesx.html.in: Likewise.
* docs/archnetwork.html.in: Likewise.
* docs/logging.html.in: Likewise.
* docs/drvvmware.html.in: Likewise.
* docs/api.html.in: Likewise.
* docs/formatnwfilter.html.in: Likewise.
* docs/formatdomain.html.in: Likewise.
* docs/windows.html.in: Likewise.
---
Tightening up xsltproc found all of these. I'm pushing under the
trivial rule.
docs/api.html.in | 11 ++--
docs/archnetwork.html.in | 2 +-
docs/drvesx.html.in | 10 ++--
docs/drvvmware.html.in | 4 +-
docs/formatdomain.html.in | 18 +++---
docs/formatnwfilter.html.in | 96 +++++++++++++++++-----------------
docs/formatstorageencryption.html.in | 2 +-
docs/internals.html.in | 4 +-
docs/logging.html.in | 4 +-
docs/windows.html.in | 12 ++--
10 files changed, 83 insertions(+), 80 deletions(-)
diff --git a/docs/api.html.in b/docs/api.html.in
index e8bbeed..384eb77 100644
--- a/docs/api.html.in
+++ b/docs/api.html.in
@@ -4,7 +4,7 @@
<h1>The libvirt API concepts</h1>
<p> This page describes the main principles and architecture choices
- behind the definition of the libvirt API:
+ behind the definition of the libvirt API:</p>
<ul id="toc"></ul>
@@ -22,7 +22,7 @@
possible to use both KVM and LinuxContainers on the same node). A NULL
name will default to a preselected hypervisor but it's probably not a
wise thing to do in most cases. See the <a href="uri.html">connection
- URI</a> page for a full descriptions of the values allowed.<p>
+ URI</a> page for a full descriptions of the values allowed.</p>
<p> Once the application obtained a <code class='docref'>virConnectPtr</code>
connection to the
hypervisor it can then use it to manage domains and related resources
@@ -61,7 +61,7 @@
<code>defined</code> in which case they are inactive but there is
a permanent definition available in the system for them. Based on this
thay can be activated dynamically in order to be used.</p>
- <p> Most kind of object can also be named in various ways:<p>
+ <p> Most kind of object can also be named in various ways:</p>
<ul>
<li>by their <code>name</code>, an user friendly identifier but
whose unicity cannot be garanteed between two nodes.</li>
@@ -82,7 +82,7 @@
<p> For each first class object you will find apis
for the following actions:</p>
<ul>
- <li><b>Lookup</b>:...LookupByName,
+ <li><b>Lookup</b>:...LookupByName,</li>
<li><b>Enumeration</b>:virConnectList... and virConnectNumOf...:
those are used to enumerate a set of object available to an given
hypervisor connection like:
@@ -108,7 +108,8 @@
<li><b>Destruction</b>: ... </li>
</ul>
<p> For more in-depth details of the storage related APIs see
- <a href="storage.html">the storage management page</a>,
+ <a href="storage.html">the storage management page</a>.
+ </p>
<h2><a name="Driver">The libvirt drivers</a></h2>
<p></p>
<p class="image">
diff --git a/docs/archnetwork.html.in b/docs/archnetwork.html.in
index 57b8f3d..c7ca4ca 100644
--- a/docs/archnetwork.html.in
+++ b/docs/archnetwork.html.in
@@ -32,7 +32,7 @@
</li>
<li><strong>Guest C</strong>. The only network interface is connected
to a virtual network <code>VLAN 2</code>. It has no direct connectivity
- to a physical LAN, relying on <code>Guest B</codE> to route traffic
+ to a physical LAN, relying on <code>Guest B</code> to route traffic
on its behalf.
</li>
</ul>
diff --git a/docs/drvesx.html.in b/docs/drvesx.html.in
index a0f87c1..613cd07 100644
--- a/docs/drvesx.html.in
+++ b/docs/drvesx.html.in
@@ -74,7 +74,7 @@ vpx://example-vcenter.com/dc1/cluster1/example-esx.com
</pre>
- <h4><a name="extraparams">Extra parameters</h4>
+ <h4><a name="extraparams">Extra parameters</a></h4>
<p>
Extra parameters can be added to a URI as part of the query string
(the part following <code>?</code>). A single parameter is formed by a
@@ -308,7 +308,7 @@ error: invalid argument in libvirt was built without the 'esx' driver
There are several specialties in the domain XML config for ESX domains.
</p>
- <h3><a name="restrictions">Restrictions</h3>
+ <h3><a name="restrictions">Restrictions</a></h3>
<p>
There are some restrictions for some values of the domain XML config.
The driver will complain if this restrictions are violated.
@@ -328,7 +328,7 @@ error: invalid argument in libvirt was built without the 'esx' driver
</ul>
- <h3><a name="datastore">Datastore references</h3>
+ <h3><a name="datastore">Datastore references</a></h3>
<p>
Storage is managed in datastores. VMware uses a special path format to
reference files in a datastore. Basically, the datastore name is put
@@ -347,7 +347,7 @@ error: invalid argument in libvirt was built without the 'esx' driver
</p>
- <h3><a name="macaddresses">MAC addresses</h3>
+ <h3><a name="macaddresses">MAC addresses</a></h3>
<p>
VMware has registered two MAC address prefixes for domains:
<code>00:0c:29</code> and <code>00:50:56</code>. These prefixes are
@@ -408,7 +408,7 @@ ethernet0.checkMACAddress = "false"
</pre>
- <h3><a name="hardware">Available hardware</h3>
+ <h3><a name="hardware">Available hardware</a></h3>
<p>
VMware ESX supports different models of SCSI controllers and network
cards.
diff --git a/docs/drvvmware.html.in b/docs/drvvmware.html.in
index 0ef6044..44814d3 100644
--- a/docs/drvvmware.html.in
+++ b/docs/drvvmware.html.in
@@ -8,7 +8,9 @@
</p>
<p>
This driver uses the "vmrun" utility which is distributed with the VMware VIX API.
- You can download the VIX API from <a href="http://www.vmware.com/support/developer/vix-api/">here</a>.
+ You can download the VIX API
+ from <a href="http://www.vmware.com/support/developer/vix-api/">here</a>.
+ </p>
<h2>Connections to VMware driver</h2>
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 5523fc7..6c624ab 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1277,7 +1277,7 @@
<p>
Provides direct attachment of the virtual machine's NIC to the given
physial interface of the host.
- <span class="since">Since 0.7.7 (QEMU and KVM only)</span><br>
+ <span class="since">Since 0.7.7 (QEMU and KVM only)</span><br/>
This setup requires the Linux macvtap
driver to be available. <span class="since">(Since Linux 2.6.34.)</span>
One of the modes 'vepa'
@@ -1299,7 +1299,7 @@
originate from are directly delivered to the target macvtap device.
Both origin and destination devices need to be in bridge mode
for direct delivery. If either one of them is in <code>vepa</code> mode,
- a VEPA capable bridge is required.
+ a VEPA capable bridge is required.</dd>
<dt><code>private</code></dt>
<dd>All packets are sent to the external bridge and will only be
delivered to a target VM on the same host if they are sent through an
@@ -1488,23 +1488,23 @@ qemu-kvm -net nic,model=? /dev/null
The <code>txmode</code> attribute specifies how to handle
transmission of packets when the transmit buffer is full. The
value can be either 'iothread' or 'timer'.
- <span class="since">Since 0.8.8 (QEMU and KVM only)</span><br><br>
+ <span class="since">Since 0.8.8 (QEMU and KVM only)</span><br/><br/>
If set to 'iothread', packet tx is all done in an iothread in
the bottom half of the driver (this option translates into
adding "tx=bh" to the qemu commandline -device virtio-net-pci
- option).<br><br>
+ option).<br/><br/>
If set to 'timer', tx work is done in qemu, and if there is
more tx data than can be sent at the present time, a timer is
set before qemu moves on to do other things; when the timer
- fires, another attempt is made to send more data.<br><br>
+ fires, another attempt is made to send more data.<br/><br/>
The resulting difference, according to the qemu developer who
added the option is: "bh makes tx more asynchronous and reduces
latency, but potentially causes more processor bandwidth
contention since the cpu doing the tx isn't necessarily the
- cpu where the guest generated the packets."<br><br>
+ cpu where the guest generated the packets."<br/><br/>
<b>In general you should leave this option alone, unless you
are very certain you know what you are doing.</b>
@@ -1628,8 +1628,8 @@ qemu-kvm -net nic,model=? /dev/null
in clear text. The <code>keymap</code> attribute specifies the keymap
to use. It is possible to set a limit on the validity of the password
be giving an timestamp <code>passwdValidTo='2010-04-09T15:51:00'</code>
- assumed to be in UTC. NB, this may not be supported by all hypervisors.<br>
- <br>
+ assumed to be in UTC. NB, this may not be supported by all hypervisors.<br/>
+ <br/>
Rather than using listen/port, QEMU supports a <code>socket</code>
attribute for listening on a unix domain socket path.
<span class="since">Since 0.8.8</span>
@@ -2103,7 +2103,7 @@ qemu-kvm -net nic,model=? /dev/null
Alternatively you can use <code>telnet</code> instead of <code>raw</code> TCP.
<span class="since">Since 0.8.5</span> you can also use <code>telnets</code>
(secure telnet) and <code>tls</code>.
- <p>
+ </p>
<pre>
...
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 8840856..eb3c72b 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -25,18 +25,18 @@
cannot be circumvented from within
the virtual machine, it makes them mandatory from the point of
view of a virtual machine user.
- <br><br>
+ <br/><br/>
The network filter subsystem allows each virtual machine's network
traffic filtering rules to be configured individually on a per
interface basis. The rules are
applied on the host when the virtual machine is started and can be modified
while the virtual machine is running. The latter can be achieved by
modifying the XML description of a network filter.
- <br><br>
+ <br/><br/>
Multiple virtual machines can make use of the same generic network filter.
When such a filter is modified, the network traffic filtering rules
of all running virtual machines that reference this filter are updated.
- <br><br>
+ <br/><br/>
Network filtering support is available <span class="since">since 0.8.1
(Qemu, KVM)</span>
</p>
@@ -79,7 +79,7 @@
other filters can be used, a <i>tree</i> of filters can be built.
The <code>clean-traffic</code> filter can be viewed using the
command <code>virsh nwfilter-dumpxml clean-traffic</code>.
- <br><br>
+ <br/><br/>
As previously mentioned, a single network filter can be referenced
by multiple virtual machines. Since interfaces will typically
have individual parameters associated with their respective traffic
@@ -108,7 +108,7 @@
10.0.0.1 and enforce that the traffic from this interface will
always be using 10.0.0.1 as the source IP address, which is
one of the purposes of this particular filter.
- <br><br>
+ <br/><br/>
</p>
<h3><a name="nwfconceptsvars">Usage of variables in filters</a></h3>
@@ -117,7 +117,7 @@
Two variables names have so far been reserved for usage by the
network traffic filtering subsystem: <code>MAC</code> and
<code>IP</code>.
- <br><br>
+ <br/><br/>
<code>MAC</code> is the MAC address of the
network interface. A filtering rule that references this variable
will automatically be instantiated with the MAC address of the
@@ -125,7 +125,7 @@
the MAC parameter. Even though it is possible to specify the MAC
parameter similar to the IP parameter above, it is discouraged
since libvirt knows what MAC address an interface will be using.
- <br><br>
+ <br/><br/>
The parameter <code>IP</code> represents the IP address
that the operating system inside the virtual machine is expected
to use on the given interface. The <code>IP</code> parameter
@@ -136,7 +136,7 @@
For current limitations on IP address detection, consult the
<a href="#nwflimits">section on limitations</a> on how to use this
feature and what to expect when using it.
- <br><br>
+ <br/><br/>
The following is the XML description of the network filer
<code>no-arp-spoofing</code>. It serves as an example for
a network filter XML referencing the <code>MAC</code> and
@@ -205,7 +205,7 @@
filters may be referenced multiple times in a filter tree but
references between filters must not introduce loops (directed
acyclic graph).
- <br><br>
+ <br/><br/>
The following shows the XML of the <code>clean-traffic</code>
network filter referencing several other filters.
</p>
@@ -226,7 +226,7 @@
needs to be provided inside a <code>filter</code> node. This
node must have the attribute <code>filter</code> whose value contains
the name of the filter to be referenced.
- <br><br>
+ <br/><br/>
New network filters can be defined at any time and
may contain references to network filters that are
not known to libvirt, yet. However, once a virtual machine
@@ -282,7 +282,7 @@
<li>
statematch -- optional; possible values are '0' or 'false' to
turn the underlying connection state matching off; default is 'true'
- <br>
+ <br/>
Also read the section on <a href="#nwfelemsRulesAdv">advanced configuration</a>
topics.
</li>
@@ -294,7 +294,7 @@
traffic of type <code>ip</code> is also associated with the chain
'ipv4' then that filter's rules will be ordered relative to the priority
500 of the shown rule.
- <br><br>
+ <br/><br/>
A rule may contain a single rule for filtering of traffic. The
above example shows that traffic of type <code>ip</code> is to be
filtered.
@@ -325,7 +325,7 @@
<li>STRING: A string</li>
</ul>
<p>
- <br><br>
+ <br/><br/>
Every attribute except for those of type IP_MASK or IPV6_MASK can
be negated using the <code>match</code>
attribute with value <code>no</code>. Multiple negated attributes
@@ -349,14 +349,14 @@
the protocol property attribute1 does not match value1 AND
the protocol property attribute2 does not match value2 AND
the protocol property attribute3 matches value3.
- <br><br>
+ <br/><br/>
</p>
<h5><a name="nwfelemsRulesProtoMAC">MAC (Ethernet)</a></h5>
<p>
Protocol ID: <code>mac</code>
- <br>
+ <br/>
Note: Rules of this type should go into the <code>root</code> chain.
</p>
<table class="top_table">
@@ -408,7 +408,7 @@
<h5><a name="nwfelemsRulesProtoARP">ARP/RARP</a></h5>
<p>
Protocol ID: <code>arp</code> or <code>rarp</code>
- <br>
+ <br/>
Note: Rules of this type should either go into the
<code>root</code> or <code>arp/rarp</code> chain.
</p>
@@ -483,7 +483,7 @@
Valid strings for the <code>Opcode</code> field are:
Request, Reply, Request_Reverse, Reply_Reverse, DRARP_Request,
DRARP_Reply, DRARP_Error, InARP_Request, ARP_NAK
- <br><br>
+ <br/><br/>
</p>
<h5><a name="nwfelemsRulesProtoIP">IPv4</a></h5>
@@ -572,7 +572,7 @@
<p>
Valid strings for <code>protocol</code> are:
tcp, udp, udplite, esp, ah, icmp, igmp, sctp
- <br><br>
+ <br/><br/>
</p>
@@ -662,13 +662,13 @@
<p>
Valid strings for <code>protocol</code> are:
tcp, udp, udplite, esp, ah, icmpv6, sctp
- <br><br>
+ <br/><br/>
</p>
<h5><a name="nwfelemsRulesProtoTCP-ipv4">TCP/UDP/SCTP</a></h5>
<p>
Protocol ID: <code>tcp</code>, <code>udp</code>, <code>sctp</code>
- <br>
+ <br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
@@ -757,14 +757,14 @@
</tr>
</table>
<p>
- <br><br>
+ <br/><br/>
</p>
<h5><a name="nwfelemsRulesProtoICMP">ICMP</a></h5>
<p>
Protocol ID: <code>icmp</code>
- <br>
+ <br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
@@ -857,13 +857,13 @@
</tr>
</table>
<p>
- <br><br>
+ <br/><br/>
</p>
<h5><a name="nwfelemsRulesProtoMisc">IGMP, ESP, AH, UDPLITE, 'ALL'</a></h5>
<p>
Protocol ID: <code>igmp</code>, <code>esp</code>, <code>ah</code>, <code>udplite</code>, <code>all</code>
- <br>
+ <br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
@@ -946,14 +946,14 @@
</tr>
</table>
<p>
- <br><br>
+ <br/><br/>
</p>
<h5><a name="nwfelemsRulesProtoTCP-ipv6">TCP/UDP/SCTP over IPV6</a></h5>
<p>
Protocol ID: <code>tcp-ipv6</code>, <code>udp-ipv6</code>, <code>sctp-ipv6</code>
- <br>
+ <br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
@@ -1042,14 +1042,14 @@
</tr>
</table>
<p>
- <br><br>
+ <br/><br/>
</p>
<h5><a name="nwfelemsRulesProtoICMPv6">ICMPv6</a></h5>
<p>
Protocol ID: <code>icmpv6</code>
- <br>
+ <br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
@@ -1128,13 +1128,13 @@
</tr>
</table>
<p>
- <br><br>
+ <br/><br/>
</p>
<h5><a name="nwfelemsRulesProtoMiscv6">IGMP, ESP, AH, UDPLITE, 'ALL' over IPv6</a></h5>
<p>
Protocol ID: <code>igmp-ipv6</code>, <code>esp-ipv6</code>, <code>ah-ipv6</code>, <code>udplite-ipv6</code>, <code>all-ipv6</code>
- <br>
+ <br/>
Note: The chain parameter is ignored for this type of traffic
and should either be omitted or set to <code>root</code>.
</p>
@@ -1202,7 +1202,7 @@
</tr>
</table>
<p>
- <br><br>
+ <br/><br/>
</p>
<h3><a name="nwfelemsRulesAdv">Advanced Filter Configuration Topics</a></h3>
@@ -1227,7 +1227,7 @@
port 80 on an attacker site, then the attacker will not be able to
initiate a connection from TCP port 80 back towards the VM.
By default the connection state match that enables connection tracking
- and then enforcement of directionality of traffic is turned on. <br>
+ and then enforcement of directionality of traffic is turned on. <br/>
The following shows an example XML fragement where this feature has been
turned off for incoming connections to TCP port 12345.
</p>
@@ -1277,14 +1277,14 @@
</pre>
<p>
Note that the rule for the limit has to logically appear
- before the rule for accepting the traffic.<br>
+ before the rule for accepting the traffic.<br/>
An additional rule for letting DNS traffic to port 22
go out the VM has been added to avoid ssh sessions not
getting established for reasons related to DNS lookup failures
by the ssh daemon. Leaving this rule out may otherwise lead to
fun-filled debugging joy (symptom: ssh client seems to hang
while trying to connect).
- <br><br>
+ <br/><br/>
Lot of care must be taken with timeouts related
to tracking of traffic. An ICMP ping that
the user may have terminated inside the VM may have a long
@@ -1299,7 +1299,7 @@
<p>
sets the ICMP connection tracking timeout to 3 seconds. The
effect of this is that once one ping is terminated, another
- one can start after 3 seconds.<br>
+ one can start after 3 seconds.<br/>
Further, we want to point out that a client that for whatever
reason has not properly closed a TCP connection may cause a
connection to be held open for a longer period of time,
@@ -1323,7 +1323,7 @@
with life-cycle support for network filters. All commands related
to the network filtering subsystem start with the prefix
<code>nwfilter</code>. The following commands are available:
- <p>
+ </p>
<ul>
<li>nwfilter-list : list UUIDs and names of all network filters</li>
<li>nwfilter-define : define a new network filter or update an existing one</li>
@@ -1398,7 +1398,7 @@
the protocols very well that you want to be filtering on so that
no further traffic than what you want can pass and that in fact the
traffic you want to allow does pass.
- <br><br>
+ <br/><br/>
The network filtering subsystem is currently only available on
Linux hosts and only works for Qemu and KVM type of virtual machines.
On Linux
@@ -1412,19 +1412,19 @@
<li>arp, rarp</li>
<li>ip</li>
<li>ipv6</li>
- </uL>
+ </ul>
<p>
All other protocols over IPv4 are supported using iptables, those over
IPv6 are implemented using ip6tables.
- <br><br>
+ <br/><br/>
On a Linux host, all traffic filtering instantiated by libvirt's network
filter subsystem first passes through the filtering support implemented
by ebtables and only then through iptables or ip6tables filters. If
a filter tree has rules with the protocols <code>mac</code>,
<code>arp</code>, <code>rarp</code>, <code>ip</code>, or <code>ipv6</code>
ebtables rules will automatically be instantiated.
- <br>
+ <br/>
The role of the <code>chain</code> attribute in the network filter
XML is that internally a new user-defined ebtables table is created
that then for example receives all <code>arp</code> traffic coming
@@ -1435,7 +1435,7 @@
placed into filters specifying this chain. This type of branching
into user-defined tables is only supported with filtering on the ebtables
layer.
- <br>
+ <br/>
As an example, it is
possible to filter on UDP traffic by source and destination ports using
the <code>ip</code> protocol filter and specifying attributes for the
@@ -1467,7 +1467,7 @@
The requirement to prevent spoofing is fulfilled by the existing
<code>clean-traffic</code> network filter, thus we will reference this
filter from our custom filter.
- <br>
+ <br/>
To enable traffic for TCP ports 22 and 80 we will add 2 rules to
enable this type of traffic. To allow the VM to send ping traffic
we will add a rule for ICMP traffic. For simplicity reasons
@@ -1523,7 +1523,7 @@
per-interface basis and the rules are evaluated based on the knowledge
about which (tap) interface has sent or will receive the packet rather
than what their source or destination IP address may be.
- <br><br>
+ <br/><br/>
An XML fragment for a possible network interface description inside
the domain XML of the <code>test</code> VM could then look like this:
</p>
@@ -1568,7 +1568,7 @@
<li>allows the VM to send ping traffic from an interface
but not let the VM be pinged on the interface</li>
<li>allows the VM to do DNS lookups (UDP towards port 53)</li>
- <li>enable an ftp server (in active mode) to be run inside the VM
+ <li>enable an ftp server (in active mode) to be run inside the VM</li>
</ul>
<p>
The additional requirement of allowing an ftp server to be run inside
@@ -1577,7 +1577,7 @@
outgoing tcp connection originating from the VM's TCP port 20 back to
the ftp client (ftp active mode). There are several ways of how this
filter can be written and we present 2 solutions.
- <br><br>
+ <br/><br/>
The 1st solution makes use of the <code>state</code> attribute of
the TCP protocol that gives us a hook into the connection tracking
framework of the Linux host. For the VM-initiated ftp data connection
@@ -1752,13 +1752,13 @@
to be using.
Different IP addresses in use by multiple interfaces of a VM
(one IP address each) will be independently detected.
- <br><br>
+ <br/><br/>
Once a VM's IP address has been detected, its IP network traffic
may be locked to that address, if for example IP address spoofing
is prevented by one of its filters. In that case the user of the VM
will not be able to change the IP address on the interface inside
the VM, which would be considered IP address spoofing.
- <br><br>
+ <br/><br/>
In case a VM is resumed after suspension or migrated, IP address
detection will be restarted.
</p>
@@ -1776,7 +1776,7 @@
outside the scope of libvirt to ensure that referenced filters
on the source system are equivalent to those on the target system
and vice versa.
- <br><br>
+ <br/><br/>
Migration must occur between libvirt insallations of version
0.8.1 or later in order not to lose the network traffic filters
associated with an interface.
diff --git a/docs/formatstorageencryption.html.in b/docs/formatstorageencryption.html.in
index 0e5dcee..9557a22 100644
--- a/docs/formatstorageencryption.html.in
+++ b/docs/formatstorageencryption.html.in
@@ -30,7 +30,7 @@
by the particular volume format and driver, automatically generate a
secret value at the time of volume creation, and store it using the
specified <code>uuid</code>.
- <p>
+ </p>
<h3><a name="StorageEncryptionDefault">"default" format</a></h3>
<p>
<code><encryption type="default"/></code> can be specified only
diff --git a/docs/internals.html.in b/docs/internals.html.in
index 6fa2de3..5689998 100644
--- a/docs/internals.html.in
+++ b/docs/internals.html.in
@@ -9,9 +9,9 @@
</p>
<ul>
- <li>Introduction to basic rules and guidelines for <a href="hacking.html">hacking<a>
+ <li>Introduction to basic rules and guidelines for <a href="hacking.html">hacking</a>
on libvirt code</li>
- <li>Guide to adding <a href="api_extension.html">public APIs<a></li>
+ <li>Guide to adding <a href="api_extension.html">public APIs</a></li>
<li>Approach for <a href="internals/command.html">spawning commands</a> from
libvirt driver code</li>
</ul>
diff --git a/docs/logging.html.in b/docs/logging.html.in
index 44171de..ebacdac 100644
--- a/docs/logging.html.in
+++ b/docs/logging.html.in
@@ -82,7 +82,7 @@
<a name="log_daemon">Logging in the daemon</a>
</h3>
<p>Similarly the daemon logging behaviour can be tuned using 3 config
- variables, stored in the configuration file:
+ variables, stored in the configuration file:</p>
<ul>
<li>log_level: accepts the following values:
<ul>
@@ -128,7 +128,7 @@
<p>Multiple filters can be defined in a single string, they just need to be
separated by spaces, e.g: <code>"3:remote 4:event"</code> to only get
warning or errors from the remote layer and only errors from the event
- layer.<p>
+ layer.</p>
<p>If you specify a log priority in a filter that is below the default log
priority level, messages that match that filter will still be logged,
while others will not. In order to see those messages, you must also have
diff --git a/docs/windows.html.in b/docs/windows.html.in
index 4011cc3..8e0af7c 100644
--- a/docs/windows.html.in
+++ b/docs/windows.html.in
@@ -30,7 +30,7 @@
and untested Python bindings.
</p>
- <h3><a name="caveats">Caveats</h3>
+ <h3><a name="caveats">Caveats</a></h3>
<ul>
<li>
@@ -47,7 +47,7 @@
</li>
</ul>
- <h3><a name="knowninstallerprobs">Existing problems with this installer we know about</a>
+ <h3><a name="knowninstallerprobs">Existing problems with this installer we know about</a></h3>
<p>
These are problems we know about, and need to be fixed in subsequent
@@ -72,7 +72,7 @@
</ul>
- <h2><a name="conntypes">Connection types</h2>
+ <h2><a name="conntypes">Connection types</a></h2>
<p>
These connection types are known to work:
@@ -114,7 +114,7 @@
be used in security sensitive environments.</b>
</p>
- <h2><a name="esx">Connecting to VMware ESX/vSphere</h2>
+ <h2><a name="esx">Connecting to VMware ESX/vSphere</a></h2>
<p>
Details on the capabilities, certificates, and connection string
@@ -124,7 +124,7 @@
<a href="http://libvirt.org/drvesx.html">http://libvirt.org/drvesx.html</a>
- <h2><a name="tlscerts">TLS Certificates</h2>
+ <h2><a name="tlscerts">TLS Certificates</a></h2>
<p>
TLS certificates need to have been created and placed in the correct
@@ -184,7 +184,7 @@
<li>C:\Users\someuser\AppData\Roaming\libvirt\pki\libvirt\private\clientkey.pem</li>
</ul>
- <h2><a name="feedback">Feedback</h2>
+ <h2><a name="feedback">Feedback</a></h2>
<p>
Feedback and suggestions on changes to make and what else to include
--
1.7.4
[libvirt] [PATCH] nwfilters: support for TCP flags evaluation
by Stefan Berger
This patch adds support for the evaluation of TCP flags in nwfilters.
It adds documentation to the web page and extends the tests as well.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
docs/formatnwfilter.html.in | 10 ++
docs/schemas/nwfilter.rng | 16 ++++
src/conf/nwfilter_conf.c | 115
+++++++++++++++++++++++++++---
src/conf/nwfilter_conf.h | 9 ++
src/libvirt_private.syms | 1
src/nwfilter/nwfilter_ebiptables_driver.c | 9 ++
tests/nwfilterxml2xmlin/tcp-test.xml | 12 +++
tests/nwfilterxml2xmlout/tcp-test.xml | 12 +++
8 files changed, 174 insertions(+), 10 deletions(-)
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -5,7 +5,8 @@
* Copyright (C) 2006-2011 Red Hat, Inc.
* Copyright (C) 2006-2008 Daniel P. Berrange
*
- * Copyright (C) 2010 IBM Corporation
+ * Copyright (C) 2010-2011 IBM Corporation
+ * Copyright (C) 2010-2011 Stefan Berger
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -726,17 +727,23 @@ printStringItems(virBufferPtr buf, const
int32_t flags, const char *sep)
{
unsigned int i, c = 0;
- int32_t last_attr = 0;
+ int32_t mask = 0x1;
- for (i = 0; int_map[i].val; i++) {
- if (last_attr != int_map[i].attr &&
- flags & int_map[i].attr) {
- if (c >= 1)
- virBufferVSprintf(buf, "%s", sep);
- virBufferVSprintf(buf, "%s", int_map[i].val);
- c++;
+ while (mask) {
+ if ((mask & flags)) {
+ for (i = 0; int_map[i].val; i++) {
+ if (mask == int_map[i].attr) {
+ if (c >= 1)
+ virBufferVSprintf(buf, "%s", sep);
+ virBufferVSprintf(buf, "%s", int_map[i].val);
+ c++;
+ }
+ }
+ flags ^= mask;
+ if (!flags)
+ break;
}
- last_attr = int_map[i].attr;
+ mask <<= 1;
}
return 0;
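Review bot: `mask <<= 1` on an `int32_t` reaches signed overflow once the shift arrives at bit 31, which is undefined behaviour in C; the loop only stops before that because `if (!flags) break;` fires once every set bit has been cleared, so a `flags` value with bit 31 set would still execute the overflowing shift. Declaring the scratch mask unsigned, `uint32_t mask = 0x1;`, removes the undefined behaviour without changing the output for any table shown here. The new inner `for` also prints every table entry whose `.attr` equals the current bit, whereas the removed `last_attr` test printed only the first of consecutive entries sharing an attr value, so any existing int_map that carries an alias name for the same bit now prints both names; this is worth checking against the other tables passed to printStringItems, which are not visible in this patch. The function's signature and closing brace lie outside this hunk.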
@@ -799,6 +806,87 @@ stateFormatter(virBufferPtr buf,
}
+
+static const struct int_map tcpFlags[] = {
+ INTMAP_ENTRY(0x1 , "FIN"),
+ INTMAP_ENTRY(0x2 , "SYN"),
+ INTMAP_ENTRY(0x4 , "RST"),
+ INTMAP_ENTRY(0x8 , "PSH"),
+ INTMAP_ENTRY(0x10, "ACK"),
+ INTMAP_ENTRY(0x20, "URG"),
+ INTMAP_ENTRY(0x3F, "ALL"),
+ INTMAP_ENTRY(0x0 , "NONE"),
+ INTMAP_ENTRY_LAST
+};
+
+
+static bool
+tcpFlagsValidator(enum attrDatatype datatype ATTRIBUTE_UNUSED, union
data *val,
+ virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED,
+ nwItemDesc *item)
+{
+ bool rc = false;
+ char *s_mask = val->c;
+ char *sep = strchr(val->c, '/');
+ char *s_flags;
+ int32_t mask = 0, flags = 0;
+
+ if (!sep)
+ return false;
+
+ s_flags = sep + 1;
+
+ *sep = '\0';
+
+ if (!parseStringItems(tcpFlags, s_mask , &mask , ',') &&
+ !parseStringItems(tcpFlags, s_flags, &flags, ',')) {
+ item->u.tcpFlags.mask = mask & 0x3f;
+ item->u.tcpFlags.flags = flags & 0x3f;
+ rc = true;
+ }
+
+ *sep = '/';
+
+ return rc;
+}
+
+
+static void
+printTCPFlags(virBufferPtr buf, uint8_t flags)
+{
+ if (flags == 0)
+ virBufferAddLit(buf, "NONE");
+ else if (flags == 0x3f)
+ virBufferAddLit(buf, "ALL");
+ else
+ printStringItems(buf, tcpFlags, flags, ",");
+}
+
+
+void
+virNWFilterPrintTCPFlags(virBufferPtr buf,
+ uint8_t mask, char sep, uint8_t flags)
+{
+ printTCPFlags(buf, mask);
+ virBufferAddChar(buf, sep);
+ printTCPFlags(buf, flags);
+}
+
+
+static bool
+tcpFlagsFormatter(virBufferPtr buf,
+ virNWFilterRuleDefPtr nwf ATTRIBUTE_UNUSED,
+ nwItemDesc *item)
+{
+ virNWFilterPrintTCPFlags(buf,
+ item->u.tcpFlags.mask,
+ '/',
+ item->u.tcpFlags.flags);
+
+ return true;
+}
+
+
#define COMMON_MAC_PROPS(STRUCT) \
{\
.name = SRCMACADDR,\
@@ -1104,6 +1192,13 @@ static const virXMLAttr2Struct tcpAttrib
.datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
.dataIdx = offsetof(virNWFilterRuleDef,
p.tcpHdrFilter.dataTCPOption),
},
+ {
+ .name = "flags",
+ .datatype = DATATYPE_STRING,
+ .dataIdx = offsetof(virNWFilterRuleDef,
p.tcpHdrFilter.dataTCPFlags),
+ .validator = tcpFlagsValidator,
+ .formatter = tcpFlagsFormatter,
+ },
COMMENT_PROP_IPHDR(tcpHdrFilter),
{
.name = NULL,
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -122,6 +122,10 @@ struct _nwItemDesc {
uint16_t u16;
char protocolID[10];
char *string;
+ struct {
+ uint8_t mask;
+ uint8_t flags;
+ } tcpFlags;
} u;
};
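Review bot: The new `tcpFlags` member joins the `u` union alongside `char *string`, and tcpFlagsValidator writes `item->u.tcpFlags.mask`/`.flags` for an attribute declared as DATATYPE_STRING; if the generic string handling also stores or later frees a pointer in `u.string` for that item, those two bytes overwrite the low bytes of the pointer. The generic DATATYPE_STRING path is not part of this patch, so this needs confirming against the code that fills and frees nwItemDesc; a comment on the member such as `/* overlays u.string: the validator owns the conversion; nothing may retain u.string for this item */` would document the contract either way. The enclosing struct begins outside this hunk.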
@@ -242,6 +246,7 @@ struct _tcpHdrFilterDef {
ipHdrDataDef ipHdr;
portDataDef portData;
nwItemDesc dataTCPOption;
+ nwItemDesc dataTCPFlags;
};
@@ -667,6 +672,10 @@ void virNWFilterCallbackDriversLock(void
void virNWFilterCallbackDriversUnlock(void);
+void virNWFilterPrintTCPFlags(virBufferPtr buf, uint8_t mask,
+ char sep, uint8_t flags);
+
+
VIR_ENUM_DECL(virNWFilterRuleAction);
VIR_ENUM_DECL(virNWFilterRuleDirection);
VIR_ENUM_DECL(virNWFilterRuleProtocol);
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1204,6 +1204,15 @@ _iptablesCreateRuleInstance(int directio
&prefix))
goto err_exit;
+ if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPFlags)) {
+ virBufferVSprintf(&buf, " %s --tcp-flags ",
+
ENTRY_GET_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPFlags));
+ virNWFilterPrintTCPFlags(&buf,
+ rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mask,
+ ' ',
+ rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.flags);
+ }
+
if (iptablesHandlePortData(&buf,
vars,
&rule->p.tcpHdrFilter.portData,
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -81,6 +81,7 @@
<ref name="common-port-attributes"/>
<ref name="common-ip-attributes-p1"/>
<ref name="common-ip-attributes-p2"/>
+ <ref name="tcp-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
@@ -184,6 +185,7 @@
<ref name="common-port-attributes"/>
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-ipv6-attributes-p2"/>
+ <ref name="tcp-attributes"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
@@ -606,6 +608,14 @@
</optional>
</define>
+ <define name="tcp-attributes">
+ <optional>
+ <attribute name="flags">
+ <ref name="tcpflags-type"/>
+ </attribute>
+ </optional>
+ </define>
+
<!-- ################ type library ################ -->
<define name="UUID">
@@ -872,4 +882,10 @@
<param
name="pattern">((NEW|ESTABLISHED|RELATED|INVALID)(,(NEW|ESTABLISHED|RELATED|INVALID))*|NONE)</param>
</data>
</define>
+
+ <define name='tcpflags-type'>
+ <data type="string">
+ <param
name="pattern">((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)/((SYN|ACK|URG|PSH|FIN|RST)(,(SYN|ACK|URG|PSH|FIN|RST))*|ALL|NONE)</param>
+ </data>
+ </define>
</grammar>
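Review bot: The `tcpflags-type` pattern treats `ALL` and `NONE` as whole-side alternatives only, while the C side parses each side with parseStringItems against a table that lists `ALL` and `NONE` as ordinary entries, so inputs such as `SYN,ALL` or an empty side presumably pass the parser but fail the schema (the `PSH/` value in the new tcp-test.xml input is one such case). Aligning the two, by rejecting mixed lists and empty sides in the validator or by extending the pattern, keeps the parser and schema validation in agreement. The two documentation hunks for this attribute also disagree on the introducing release (`Since 0.9.0` at one table, `Since 0.8.5` at the other).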
Index: libvirt-acl/docs/formatnwfilter.html.in
===================================================================
--- libvirt-acl.orig/docs/formatnwfilter.html.in
+++ libvirt-acl/docs/formatnwfilter.html.in
@@ -755,6 +755,11 @@
<td>STRING</td>
<td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
</tr>
+ <tr>
+ <td>flags <span class="since">(Since 0.9.0)</span></td>
+ <td>STRING</td>
+ <td>TCP-only: format of mask/flags with mask and flags each being a
comma separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL</td>
+ </tr>
</table>
<p>
<br><br>
@@ -1040,6 +1045,11 @@
<td>STRING</td>
<td>comma separated list of NEW,ESTABLISHED,RELATED,INVALID or NONE</td>
</tr>
+ <tr>
+ <td>flags <span class="since">(Since 0.8.5)</span></td>
+ <td>STRING</td>
+ <td>format of mask/flags with mask and flags each being a comma
separated list of SYN,ACK,URG,PSH,FIN,RST or NONE or ALL</td>
+ </tr>
</table>
<p>
<br><br>
Index: libvirt-acl/src/libvirt_private.syms
===================================================================
--- libvirt-acl.orig/src/libvirt_private.syms
+++ libvirt-acl/src/libvirt_private.syms
@@ -683,6 +683,7 @@ virNWFilterObjRemove;
virNWFilterObjSaveDef;
virNWFilterObjUnlock;
virNWFilterPrintStateMatchFlags;
+virNWFilterPrintTCPFlags;
virNWFilterRegisterCallbackDriver;
virNWFilterRuleActionTypeToString;
virNWFilterRuleProtocolTypeToString;
Index: libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlin/tcp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml
@@ -19,4 +19,16 @@
srcportstart='255' srcportend='256'
dstportstart='65535' dstportend='65536'/>
</rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='SYN/ALL'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='SYN/SYN,ACK'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='RST/NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='PSH/'/>
+ </rule>
</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlout/tcp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml
@@ -9,4 +9,16 @@
<rule action='accept' direction='in' priority='500' statematch='false'>
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32'
dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/>
</rule>
+ <rule action='accept' direction='in' priority='500'>
+ <tcp state='NONE' flags='SYN/ALL'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <tcp state='NONE' flags='SYN/SYN,ACK'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <tcp state='NONE' flags='RST/NONE'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <tcp state='NONE' flags='PSH/NONE'/>
+ </rule>
</filter>
[libvirt] How many functions that can't be used within libvirt
by SanitYey o
Hello,
I've tested some functions of libvirt that don't work. Could someone give me a reasonable explanation about these functions? Why don't these functions work? Or is there anything wrong with my understanding?
1.virsh # migrate 1 xen+ssh://root@172.16.201.183/Password: error: POST operation failed: xend_post: error from xen daemon: (xend.err "can't connect: (-2, 'Name or service not known')")
2.virsh # dommemstat 5error: Failed to get memory statistics for domain 5error: this function is not supported by the hypervisor: virDomainMemoryStats
3.virsh # dump 5 fileerror: Failed to core dump domain 5 to fileerror: POST operation failed: xend_post: error from xen daemon: (xend.err 'Too many values for live')
4.virsh # iface-list error: Failed to list active interfaceserror: this function is not supported by the hypervisor: virConnectNumOfInterfaces
5.virsh # vncdisplay 5:1
virsh # vncdisplay 41:0
6.virsh # snapshot-create 42 snapshot.xml error: Failed to create snapshot snapshot.xml for domain 42
7.NWFILTER functions
Thank you very much!
[libvirt] [PATCH 0/7] Add support for taking screenshots
by Michal Privoznik
This patch series implements a screenshot-taking feature,
which is accessible via the new virDomainScreenshot API and
the 'screenshot' command in virsh. For now, the 'flags' argument
is not used, but it can be later, e.g. when specifying the image
output format. Speaking of which, the output format is hypervisor
specific: QEMU outputs images in PPM, VirtualBox in PNG.
Michal Privoznik (7):
screenshot: Defining the public API
screenshot: Defining the internal API
screenshot: Implementing the public API
screenshot: Implementing the remote protocol
screenshot: Expose the new API in virsh
qemu: Implement the driver methods
vbox: Implement the driver methods
daemon/remote.c | 26 +++++++++
daemon/remote_dispatch_args.h | 1 +
daemon/remote_dispatch_prototypes.h | 8 +++
daemon/remote_dispatch_table.h | 5 ++
include/libvirt/libvirt.h.in | 7 ++
src/driver.h | 5 ++
src/esx/esx_driver.c | 1 +
src/libvirt.c | 77 +++++++++++++++++++++++++
src/libvirt_public.syms | 1 +
src/libxl/libxl_driver.c | 1 +
src/lxc/lxc_driver.c | 1 +
src/openvz/openvz_driver.c | 1 +
src/phyp/phyp_driver.c | 1 +
src/qemu/qemu_driver.c | 106 +++++++++++++++++++++++++++++++++++
src/qemu/qemu_monitor.c | 20 +++++++
src/qemu/qemu_monitor.h | 3 +
src/qemu/qemu_monitor_json.c | 23 ++++++++
src/qemu/qemu_monitor_json.h | 4 +
src/qemu/qemu_monitor_text.c | 31 ++++++++++
src/qemu/qemu_monitor_text.h | 2 +
src/remote/remote_driver.c | 26 +++++++++
src/remote/remote_protocol.c | 13 ++++
src/remote/remote_protocol.h | 10 +++
src/remote/remote_protocol.x | 9 +++-
src/remote_protocol-structs | 5 ++
src/test/test_driver.c | 1 +
src/uml/uml_driver.c | 1 +
src/vbox/vbox_tmpl.c | 97 ++++++++++++++++++++++++++++++++
src/vmware/vmware_driver.c | 1 +
src/xen/xen_driver.c | 1 +
src/xen/xen_driver.h | 1 +
src/xen/xen_hypervisor.c | 1 +
src/xen/xen_inotify.c | 1 +
src/xen/xend_internal.c | 1 +
src/xen/xm_internal.c | 1 +
src/xen/xs_internal.c | 1 +
src/xenapi/xenapi_driver.c | 1 +
tools/virsh.c | 49 ++++++++++++++++
tools/virsh.pod | 4 +
39 files changed, 547 insertions(+), 1 deletions(-)
--
1.7.4