[libvirt] [PATCH v4 00/10] Add user namespace support for libvirt lxc
by Gao feng
This patchset tries to add userns support for libvirt lxc.
Since userns is nearly completed in linux-3.9 and older
kernels don't support userns, I add some new XML elements
to let people decide whether to enable userns. Userns is enabled
only when the user configures it in the XML.
The format of user namespace related XML file like below:
<idmap>
<uid start='0' target='1000' count='10'>
<gid start='0' target='1000' count='10'>
</idmap>
This means the user in the container whose uid:gid is 0:0 will
be mapped to the user on the host whose uid:gid is 1000:1000; count
is used to form a u/gid range: the users in the container whose
uid is in [start, start + count - 1] will be mapped.
You can have multiple lines to map different id ranges;
take care that you must make sure the root user of the container has
been mapped.
This patchset also does the below jobs.
1, Because the uninit userns has no right to create devices,
we should create devices for the container on the host side.
2, Changes the owner of fuse and tty device.
Change from v3:
1, fix some bugs that Daniel pointed out
2, reorder the patchset, introduce virLXCControllerChown first.
3, rebase
Change from v2:
1, Mount tmpfs on /stateDir/domain.dev
2, Create devices under /stateDir/domain.dev/
3, Move-mount /.oldroot/stateDir/domain.dev/ onto the /dev/ of the container
4, Enhance the configuration: disallow a partial configuration
Gao feng (10):
LXC: Introduce New XML element for user namespace
LXC: enable user namespace only when user set the uidmap
LXC: sort the uidmap/gidmap of domain
LXC: introduce virLXCControllerSetupUserns and lxcContainerSetID
LXC: Creating devices for container on host side
LXC: controller: change the owner of tty devices to the root user of
container
LXC: controller: change the owner of /dev to the root user of
container
LXC: controller: change the owner of devices created on host
LXC: controller: change the owner of /dev/pts and ptmx to the root of
container
LXC: fuse: Change files owner to the root user of container
docs/formatdomain.html.in | 23 +++++
docs/schemas/domaincommon.rng | 31 ++++++
src/conf/domain_conf.c | 115 +++++++++++++++++++++
src/conf/domain_conf.h | 22 ++++
src/lxc/lxc_container.c | 173 +++++++++++++++++--------------
src/lxc/lxc_controller.c | 235 ++++++++++++++++++++++++++++++++++++++++--
src/lxc/lxc_fuse.c | 4 +
7 files changed, 516 insertions(+), 87 deletions(-)
--
1.8.1.4
[libvirt] [PATCH] Ignore failure to mount SELinux filesystem in container
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
User namespaces will deny the ability to mount the SELinux
filesystem. This is harmless for libvirt's LXC needs, so the
error can be ignored.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/lxc/lxc_container.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index d9734b5..b37300b 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -741,6 +741,12 @@ static int lxcContainerMountBasicFS(void)
VIR_DEBUG("Mount %s on %s type=%s flags=%x, opts=%s",
srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts);
if (mount(srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts) < 0) {
+#if WITH_SELINUX
+ if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
+ (errno == EINVAL || errno == EPERM))
+ continue;
+#endif
+
virReportSystemError(errno,
_("Failed to mount %s on %s type %s flags=%x opts=%s"),
srcpath, mnts[i].dst, NULLSTR(mnts[i].type),
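Review bot: The new `continue` drops the SELinux mount failure without leaving any trace, and the `errno == EINVAL || errno == EPERM` test cannot tell the user-namespace case the commit message describes from any other reason the selinuxfs mount was refused, so a container that unexpectedly runs without the SELinux filesystem is indistinguishable in the logs from the expected userns case. A debug line before the `continue` would keep the failure observable, e.g. `VIR_DEBUG("Ignoring failure to mount %s on %s (errno=%d)", srcpath, mnts[i].dst, errno);`, matching the VIR_DEBUG already emitted for the attempt. lxcContainerMountBasicFS starts and ends outside the hunk.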
--
1.8.1.4
[libvirt] [PATCH] qemu: don't use deprecated -no-kvm-pit-reinjection
by Ján Tomko
Since qemu-kvm 1.1 [1], '-no-kvm-pit-reinjection' has been deprecated
in favor of '-global kvm-pit.lost_tick_policy=discard'.
In upstream qemu, since 1.3 [2].
https://bugzilla.redhat.com/show_bug.cgi?id=978719
[1] http://git.kernel.org/cgit/virt/kvm/qemu-kvm.git/commit/?id=4e4fa39
[2] http://git.qemu.org/?p=qemu.git;a=commitdiff;h=c21fb4f
---
src/qemu/qemu_capabilities.c | 12 ++++++++++--
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_command.c | 5 ++++-
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 969b001..c6df463 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -233,6 +233,7 @@ VIR_ENUM_IMPL(virQEMUCaps, QEMU_CAPS_LAST,
"mlock",
"vnc-share-policy", /* 150 */
+ "kvm-pit-property",
);
struct _virQEMUCaps {
@@ -2468,13 +2469,12 @@ virQEMUCapsInitArchQMPBasic(virQEMUCapsPtr qemuCaps,
/*
* Currently only x86_64 and i686 support PCI-multibus,
- * -no-acpi and -no-kvm-pit-reinjection.
+ * -no-acpi
*/
if (qemuCaps->arch == VIR_ARCH_X86_64 ||
qemuCaps->arch == VIR_ARCH_I686) {
virQEMUCapsSet(qemuCaps, QEMU_CAPS_PCI_MULTIBUS);
virQEMUCapsSet(qemuCaps, QEMU_CAPS_NO_ACPI);
- virQEMUCapsSet(qemuCaps, QEMU_CAPS_NO_KVM_PIT);
}
ret = 0;
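Review bot: The reworded comment at the top of the hunk now reads `Currently only x86_64 and i686 support PCI-multibus, -no-acpi` with a dangling comma left over from the removed list item; make it `* Currently only x86_64 and i686 support PCI-multibus and -no-acpi.`. With `virQEMUCapsSet(qemuCaps, QEMU_CAPS_NO_KVM_PIT)` gone from this arch-basic initialisation, a QMP-probed x86 binary that does not satisfy the new version/KVM test added elsewhere in this file ends up with neither PIT capability; if that is intended (no kvm-pit without KVM), it is worth stating in the comment. virQEMUCapsInitArchQMPBasic starts and ends outside the hunk.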
@@ -2640,6 +2640,14 @@ virQEMUCapsInitQMP(virQEMUCapsPtr qemuCaps,
if (virQEMUCapsProbeQMPCommandLine(qemuCaps, mon) < 0)
goto cleanup;
+ /* -global kvm-pit.lost_tick_policy=discard */
+ if ((qemuCaps->arch == VIR_ARCH_X86_64 ||
+ qemuCaps->arch == VIR_ARCH_I686) &&
+ (qemuCaps->version >= 1003000 ||
+ virQEMUCapsGet(qemuCaps, QEMU_CAPS_KVM))) {
+ virQEMUCapsSet(qemuCaps, QEMU_CAPS_KVM_PIT_PROPERTY);
+ }
+
ret = 0;
cleanup:
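Review bot: The `virQEMUCapsGet(qemuCaps, QEMU_CAPS_KVM)` half of the new condition uses "KVM is enabled" as a proxy for "this is the qemu-kvm fork >= 1.1", but the commit message says upstream qemu only gained the property in 1.3, so an upstream 1.2 binary running with KVM would also receive QEMU_CAPS_KVM_PIT_PROPERTY. If such binaries reject `-global` on an unknown property, a domain whose pit timer uses the delay tick policy would fail to start on them, which the hunk does not guard against. At minimum the assumption should be written down, e.g. `/* qemu-kvm >= 1.1 and upstream qemu >= 1.3 have kvm-pit.lost_tick_policy; assume a KVM-capable binary older than 1.3 is qemu-kvm */`. virQEMUCapsInitQMP starts and ends outside the hunk.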
diff --git a/src/qemu/qemu_capabilities.h b/src/qemu/qemu_capabilities.h
index 7088747..c64f648 100644
--- a/src/qemu/qemu_capabilities.h
+++ b/src/qemu/qemu_capabilities.h
@@ -189,6 +189,7 @@ enum virQEMUCapsFlags {
QEMU_CAPS_DRIVE_DISCARD = 148, /* -drive discard=off(ignore)|on(unmap) */
QEMU_CAPS_MLOCK = 149, /* -realtime mlock=on|off */
QEMU_CAPS_VNC_SHARE_POLICY = 150, /* set display sharing policy */
+ QEMU_CAPS_KVM_PIT_PROPERTY = 151, /* -global kvm-pit.lost_tick_policy */
QEMU_CAPS_LAST, /* this must always be the last item */
};
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index ba93233..a678666 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7024,7 +7024,10 @@ qemuBuildCommandLine(virConnectPtr conn,
case VIR_DOMAIN_TIMER_TICKPOLICY_DELAY:
/* delay is the default if we don't have kernel
(-no-kvm-pit), otherwise, the default is catchup. */
- if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_NO_KVM_PIT))
+ if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_KVM_PIT_PROPERTY))
+ virCommandAddArgList(cmd, "-global",
+ "kvm-pit.lost_tick_policy=discard", NULL);
+ else if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_NO_KVM_PIT))
virCommandAddArg(cmd, "-no-kvm-pit-reinjection");
break;
case VIR_DOMAIN_TIMER_TICKPOLICY_CATCHUP:
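Review bot: The comment above the new branch (`delay is the default if we don't have kernel (-no-kvm-pit), otherwise, the default is catchup.`) still describes only the legacy flag, while the code now prefers `-global kvm-pit.lost_tick_policy=discard` and only falls back to `-no-kvm-pit-reinjection` when QEMU_CAPS_KVM_PIT_PROPERTY is absent. Suggest rewording it to `/* 'delay' maps to lost_tick_policy=discard via the kvm-pit property where qemu supports it, else to the deprecated -no-kvm-pit-reinjection; with neither capability nothing is emitted. */`, since the silent no-capability case is easy to miss when reading the if/else-if chain. qemuBuildCommandLine starts and ends outside the hunk.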
--
1.8.1.5
[libvirt] [PATCHv2] docs: Document hypervisor drivers that support certain timer models
by Peter Krempa
Not every timer model is supported with each hypervisor. Explicitly
mention the driver supporting each timer model.
---
Notes:
Version 2:
- corrected the support of HPET (xen, libxl, qemu) and KVMCLOCK (just qemu) timers
docs/formatdomain.html.in | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index cc4c5ea..47d91ab 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1310,8 +1310,10 @@
<dt><code>name</code></dt>
<dd>
The <code>name</code> attribute selects which timer is
- being modified, and can be one of "platform", "hpet",
- "kvmclock", "pit", "rtc", or "tsc".
+ being modified, and can be one of
+ "platform" (currently unsupported),
+ "hpet" (libxl, xen, qemu), "kvmclock" (qemu),
+ "pit" (qemu), "rtc" (qemu), or "tsc" (libxl).
</dd>
<dt><code>track</code></dt>
<dd>
--
1.8.2.1
[libvirt] Biweekly upstream qemu-kvm test report - July 1st, 2013
by chandrashekar shastri
Adding Libvirt list.
Thanks,
Shastri
-------- Original Message --------
Subject: Biweekly upstream qemu-kvm test report - July 1st, 2013
Date: Mon, 01 Jul 2013 19:45:32 +0530
From: chandrashekar shastri <cshastri(a)linux.vnet.ibm.com>
To: qemu-devel(a)nongnu.org, ltc-kvm(a)lists.linux.ibm.com,
virt-test-devel(a)redhat.com
Hi,
Please find the status of the upstream testing:
Kernel : 3.10.0-rc5+
Qemu : 1.5.50
Libvirt : 1.0.6
Total number of bugs filed : 6
Bugs filed in this week : 5
Qemu Bugs in Launchpad :
1) 1192499 - virsh migration copy-storage-all fails with "Unable to
read from monitor: Connection reset by peer"
2) 1192847 - NMI watchdog fails to increment the NMI counter in
/proc/interrupts
3) 1195170 - cpu hot-add doesn't work with upstream qemu 1.5.50
Libvirt Bugs Redhat Bugzilla:
1) 979260 - cpu hot-add doesn't work with upstream libvirt 1.0.6 + qemu
1.5.50
2) 979360 - Libvirt fails to Bootstrap fails for local gnulib with 1.0.
Features tested in this week:
1. NMI Watchdog
2. Live Migration (with and without shared Storage)
3. CPU hotplug
4. QMP with latest qemu
Features that will be taken up in the next cycle:
1. Chardev hotplug
2. VirtIO-scsi
3. Virt Guest Suspend Hibernate
Thanks,
Shastri
[libvirt] [PATCH] build: configure must not affect tarball contents
by Eric Blake
On mingw, configure sets the name of the lxc symfile to
libvirt_lxc.defs rather than libvirt_lxc.syms. But tarballs
must be arch-independent, regardless of the configure options
used for the tree where we ran 'make dist'. This led to the
following failure in autobuild.sh:
CCLD libvirt-lxc.la
CCLD libvirt-qemu.la
/usr/lib64/gcc/i686-w64-mingw32/4.7.2/../../../../i686-w64-mingw32/bin/ld: cannot find libvirt_lxc.def: No such file or directory
collect2: error: ld returned 1 exit status
make[3]: *** [libvirt-lxc.la] Error 1
make[3]: *** Waiting for unfinished jobs....
We were already doing the right thing with libvirt_qemu.syms.
* src/Makefile.am (EXTRA_DIST): Don't ship a built file which
depends on configure for its final name.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
Pushing under the build-breaker rule.
src/Makefile.am | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 042bcba..1a64855 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1861,7 +1861,6 @@ libvirt_lxc_la_LDFLAGS = \
$(NULL)
libvirt_lxc_la_CFLAGS = $(AM_CFLAGS)
libvirt_lxc_la_LIBADD = libvirt.la $(CYGWIN_EXTRA_LIBADD)
-EXTRA_DIST += $(LIBVIRT_LXC_SYMBOL_FILE)
lockdriverdir = $(libdir)/libvirt/lock-driver
lockdriver_LTLIBRARIES =
--
1.8.1.4
[libvirt] [PATCH] build: avoid build failure without gnutls
by Eric Blake
Found while trying to cross-compile to mingw:
CC libvirt_driver_remote_la-remote_driver.lo
../../src/remote/remote_driver.c: In function 'doRemoteOpen':
../../src/remote/remote_driver.c:487:23: error: variable 'verify' set but not used [-Werror=unused-but-set-variable]
* src/remote/remote_driver.c (doRemoteOpen): Also ignore 'verify'.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
Pushing under the build-breaker rule.
I also had a report that libvirt fails to compile for mingw on
Fedora 19; it looks like a gnulib submodule update will fix
part of that issue, so I'm working on that now...
https://lists.fedoraproject.org/pipermail/mingw/2013-June/007006.html
http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=86725346
src/remote/remote_driver.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 7a0c1f6..7f3e833 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -609,6 +609,7 @@ doRemoteOpen(virConnectPtr conn,
priv->is_secure = 1;
#else
(void)sanity;
+ (void)verify;
virReportError(VIR_ERR_INVALID_ARG, "%s",
_("GNUTLS support not available in this build"));
goto failed;
--
1.8.1.4
[libvirt] [PATCH] Drop iptablesContext
by Roman Bogorodskiy
iptablesContext holds only 4 pairs of iptables
(table, chain) and there's no need to pass
it around.
This is a first step towards separating bridge_driver.c
into platform-specific parts.
---
src/libvirt_private.syms | 2 -
src/network/bridge_driver.c | 253 +++++++++++++++++--------------------------
src/util/viriptables.c | 257 +++++++++++---------------------------------
src/util/viriptables.h | 65 ++++-------
4 files changed, 183 insertions(+), 394 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 795e011..062c7fb 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1417,8 +1417,6 @@ iptablesAddForwardRejectOut;
iptablesAddOutputFixUdpChecksum;
iptablesAddTcpInput;
iptablesAddUdpInput;
-iptablesContextFree;
-iptablesContextNew;
iptablesRemoveForwardAllowCross;
iptablesRemoveForwardAllowIn;
iptablesRemoveForwardAllowOut;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 2cf49bb..062ec85 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -75,7 +75,6 @@ struct network_driver {
virNetworkObjList networks;
- iptablesContext *iptables;
char *networkConfigDir;
char *networkAutostartDir;
char *stateDir;
@@ -106,8 +105,7 @@ static int networkShutdownNetwork(struct network_driver *driver,
static int networkStartNetworkVirtual(struct network_driver *driver,
virNetworkObjPtr network);
-static int networkShutdownNetworkVirtual(struct network_driver *driver,
- virNetworkObjPtr network);
+static int networkShutdownNetworkVirtual(virNetworkObjPtr network);
static int networkStartNetworkExternal(struct network_driver *driver,
virNetworkObjPtr network);
@@ -420,10 +418,6 @@ networkStateInitialize(bool privileged,
}
}
- if (!(driverState->iptables = iptablesContextNew())) {
- goto out_of_memory;
- }
-
/* if this fails now, it will be retried later with dnsmasqCapsRefresh() */
driverState->dnsmasqCaps = dnsmasqCapsNewFromBinary(DNSMASQ);
@@ -531,9 +525,6 @@ networkStateCleanup(void) {
VIR_FREE(driverState->dnsmasqStateDir);
VIR_FREE(driverState->radvdStateDir);
- if (driverState->iptables)
- iptablesContextFree(driverState->iptables);
-
virObjectUnref(driverState->dnsmasqCaps);
networkDriverUnlock(driverState);
@@ -1544,8 +1535,7 @@ networkRefreshDaemons(struct network_driver *driver)
}
static int
-networkAddMasqueradingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
@@ -1559,8 +1549,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
/* allow forwarding packets from the bridge interface */
- if (iptablesAddForwardAllowOut(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1573,8 +1562,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
/* allow forwarding packets to the bridge interface if they are
* part of an existing connection
*/
- if (iptablesAddForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1608,8 +1596,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
*/
/* First the generic masquerade rule for other protocols */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
@@ -1626,8 +1613,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
/* UDP with a source port restriction */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
@@ -1644,8 +1630,7 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
/* TCP with a source port restriction */
- if (iptablesAddForwardMasquerade(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
@@ -1664,30 +1649,26 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
return 0;
masqerr5:
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"udp");
masqerr4:
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
NULL);
masqerr3:
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
masqerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1696,43 +1677,37 @@ networkAddMasqueradingIptablesRules(struct network_driver *driver,
}
static void
-networkRemoveMasqueradingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveMasqueradingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) {
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"tcp");
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
"udp");
- iptablesRemoveForwardMasquerade(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardMasquerade(&ipdef->address,
prefix,
forwardIf,
&network->def->forward.addr,
&network->def->forward.port,
NULL);
- iptablesRemoveForwardAllowRelatedIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowRelatedIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1740,8 +1715,7 @@ networkRemoveMasqueradingIptablesRules(struct network_driver *driver,
}
static int
-networkAddRoutingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddRoutingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
@@ -1755,8 +1729,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
}
/* allow routing packets from the bridge interface */
- if (iptablesAddForwardAllowOut(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1767,8 +1740,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
}
/* allow routing packets to the bridge interface */
- if (iptablesAddForwardAllowIn(driver->iptables,
- &ipdef->address,
+ if (iptablesAddForwardAllowIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf) < 0) {
@@ -1781,8 +1753,7 @@ networkAddRoutingIptablesRules(struct network_driver *driver,
return 0;
routeerr2:
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1791,22 +1762,19 @@ routeerr1:
}
static void
-networkRemoveRoutingIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveRoutingIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
int prefix = virNetworkIpDefPrefix(ipdef);
const char *forwardIf = virNetworkDefForwardIf(network->def, 0);
if (prefix >= 0) {
- iptablesRemoveForwardAllowIn(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowIn(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
- iptablesRemoveForwardAllowOut(driver->iptables,
- &ipdef->address,
+ iptablesRemoveForwardAllowOut(&ipdef->address,
prefix,
network->def->bridge,
forwardIf);
@@ -1819,8 +1787,7 @@ networkRemoveRoutingIptablesRules(struct network_driver *driver,
* If any IPv6 addresses are defined, then add the rules for regular operation.
*/
static int
-networkAddGeneralIp6tablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddGeneralIp6tablesRules(virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
@@ -1830,16 +1797,14 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
/* Catch all rules to block forwarding to/from bridges */
- if (iptablesAddForwardRejectOut(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectOut(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block outbound traffic from '%s'"),
network->def->bridge);
goto err1;
}
- if (iptablesAddForwardRejectIn(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectIn(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to block inbound traffic to '%s'"),
network->def->bridge);
@@ -1847,8 +1812,7 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
}
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(driver->iptables, AF_INET6,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardAllowCross(AF_INET6, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow cross bridge traffic on '%s'"),
network->def->bridge);
@@ -1860,24 +1824,21 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
return 0;
/* allow DNS over IPv6 */
- if (iptablesAddTcpInput(driver->iptables, AF_INET6,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddTcpInput(AF_INET6, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err4;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET6,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err5;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET6,
- network->def->bridge, 547) < 0) {
+ if (iptablesAddUdpInput(AF_INET6, network->def->bridge, 547) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add ip6tables rule to allow DHCP6 requests from '%s'"),
network->def->bridge);
@@ -1888,44 +1849,42 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
/* unwind in reverse order from the point of failure */
err6:
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
err5:
- iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
err4:
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
err3:
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
err2:
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
err1:
return -1;
}
static void
-networkRemoveGeneralIp6tablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveGeneralIp6tablesRules(virNetworkObjPtr network)
{
if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) &&
!network->def->ipv6nogw) {
return;
}
if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 547);
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
- iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 547);
+ iptablesRemoveUdpInput(AF_INET6, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET6, network->def->bridge, 53);
}
/* the following rules are there if no IPv6 address has been defined
* but network->def->ipv6nogw == true
*/
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET6, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET6, network->def->bridge);
}
static int
-networkAddGeneralIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddGeneralIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipv4def;
@@ -1941,16 +1900,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* allow DHCP requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, AF_INET,
- network->def->bridge, 67) < 0) {
+ if (iptablesAddTcpInput(AF_INET, network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge);
goto err1;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 67) < 0) {
+ if (iptablesAddUdpInput(AF_INET, network->def->bridge, 67) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DHCP requests from '%s'"),
network->def->bridge);
@@ -1964,24 +1921,21 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
*/
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts) &&
- (iptablesAddOutputFixUdpChecksum(driver->iptables,
- network->def->bridge, 68) < 0)) {
+ (iptablesAddOutputFixUdpChecksum(network->def->bridge, 68) < 0)) {
VIR_WARN("Could not add rule to fixup DHCP response checksums "
"on network '%s'.", network->def->name);
VIR_WARN("May need to update iptables package & kernel to support CHECKSUM rule.");
}
/* allow DNS requests through to dnsmasq */
- if (iptablesAddTcpInput(driver->iptables, AF_INET,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddTcpInput(AF_INET, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge);
goto err3;
}
- if (iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 53) < 0) {
+ if (iptablesAddUdpInput(AF_INET, network->def->bridge, 53) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow DNS requests from '%s'"),
network->def->bridge);
@@ -1990,8 +1944,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* allow TFTP requests through to dnsmasq if necessary */
if (ipv4def && ipv4def->tftproot &&
- iptablesAddUdpInput(driver->iptables, AF_INET,
- network->def->bridge, 69) < 0) {
+ iptablesAddUdpInput(AF_INET, network->def->bridge, 69) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow TFTP requests from '%s'"),
network->def->bridge);
@@ -2000,16 +1953,14 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* Catch all rules to block forwarding to/from bridges */
- if (iptablesAddForwardRejectOut(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectOut(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block outbound traffic from '%s'"),
network->def->bridge);
goto err6;
}
- if (iptablesAddForwardRejectIn(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardRejectIn(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to block inbound traffic to '%s'"),
network->def->bridge);
@@ -2017,8 +1968,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
}
/* Allow traffic between guests on the same bridge */
- if (iptablesAddForwardAllowCross(driver->iptables, AF_INET,
- network->def->bridge) < 0) {
+ if (iptablesAddForwardAllowCross(AF_INET, network->def->bridge) < 0) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("failed to add iptables rule to allow cross bridge traffic on '%s'"),
network->def->bridge);
@@ -2026,7 +1976,7 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
}
/* add IPv6 general rules, if needed */
- if (networkAddGeneralIp6tablesRules(driver, network) < 0) {
+ if (networkAddGeneralIp6tablesRules(network) < 0) {
goto err9;
}
@@ -2034,35 +1984,34 @@ networkAddGeneralIptablesRules(struct network_driver *driver,
/* unwind in reverse order from the point of failure */
err9:
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
err8:
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
err7:
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
err6:
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
}
err5:
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
err4:
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
err3:
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
err2:
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
err1:
return -1;
}
static void
-networkRemoveGeneralIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveGeneralIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipv4def;
- networkRemoveGeneralIp6tablesRules(driver, network);
+ networkRemoveGeneralIp6tablesRules(network);
for (ii = 0;
(ipv4def = virNetworkDefGetIpByIndex(network->def, AF_INET, ii));
@@ -2071,25 +2020,23 @@ networkRemoveGeneralIptablesRules(struct network_driver *driver,
break;
}
- iptablesRemoveForwardAllowCross(driver->iptables, AF_INET, network->def->bridge);
- iptablesRemoveForwardRejectIn(driver->iptables, AF_INET, network->def->bridge);
- iptablesRemoveForwardRejectOut(driver->iptables, AF_INET, network->def->bridge);
+ iptablesRemoveForwardAllowCross(AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectIn(AF_INET, network->def->bridge);
+ iptablesRemoveForwardRejectOut(AF_INET, network->def->bridge);
if (ipv4def && ipv4def->tftproot) {
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 69);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 69);
}
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 53);
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 53);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 53);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 53);
if (ipv4def && (ipv4def->nranges || ipv4def->nhosts)) {
- iptablesRemoveOutputFixUdpChecksum(driver->iptables,
- network->def->bridge, 68);
+ iptablesRemoveOutputFixUdpChecksum(network->def->bridge, 68);
}
- iptablesRemoveUdpInput(driver->iptables, AF_INET, network->def->bridge, 67);
- iptablesRemoveTcpInput(driver->iptables, AF_INET, network->def->bridge, 67);
+ iptablesRemoveUdpInput(AF_INET, network->def->bridge, 67);
+ iptablesRemoveTcpInput(AF_INET, network->def->bridge, 67);
}
static int
-networkAddIpSpecificIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkAddIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
/* NB: in the case of IPv6, routing rules are added when the
@@ -2098,48 +2045,46 @@ networkAddIpSpecificIptablesRules(struct network_driver *driver,
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- return networkAddMasqueradingIptablesRules(driver, network, ipdef);
+ return networkAddMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- return networkAddRoutingIptablesRules(driver, network, ipdef);
+ return networkAddRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- return networkAddRoutingIptablesRules(driver, network, ipdef);
+ return networkAddRoutingIptablesRules(network, ipdef);
}
return 0;
}
static void
-networkRemoveIpSpecificIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network,
+networkRemoveIpSpecificIptablesRules(virNetworkObjPtr network,
virNetworkIpDefPtr ipdef)
{
if (network->def->forward.type == VIR_NETWORK_FORWARD_NAT) {
if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET))
- networkRemoveMasqueradingIptablesRules(driver, network, ipdef);
+ networkRemoveMasqueradingIptablesRules(network, ipdef);
else if (VIR_SOCKET_ADDR_IS_FAMILY(&ipdef->address, AF_INET6))
- networkRemoveRoutingIptablesRules(driver, network, ipdef);
+ networkRemoveRoutingIptablesRules(network, ipdef);
} else if (network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE) {
- networkRemoveRoutingIptablesRules(driver, network, ipdef);
+ networkRemoveRoutingIptablesRules(network, ipdef);
}
}
/* Add all rules for all ip addresses (and general rules) on a network */
static int
-networkAddIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkAddIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipdef;
virErrorPtr orig_error;
/* Add "once per network" rules */
- if (networkAddGeneralIptablesRules(driver, network) < 0)
+ if (networkAddGeneralIptablesRules(network) < 0)
return -1;
for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) {
/* Add address-specific iptables rules */
- if (networkAddIpSpecificIptablesRules(driver, network, ipdef) < 0) {
+ if (networkAddIpSpecificIptablesRules(network, ipdef) < 0) {
goto err;
}
}
@@ -2155,9 +2100,9 @@ err:
*/
while ((--ii >= 0) &&
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii))) {
- networkRemoveIpSpecificIptablesRules(driver, network, ipdef);
+ networkRemoveIpSpecificIptablesRules(network, ipdef);
}
- networkRemoveGeneralIptablesRules(driver, network);
+ networkRemoveGeneralIptablesRules(network);
/* return the original error */
virSetError(orig_error);
@@ -2167,8 +2112,7 @@ err:
/* Remove all rules for all ip addresses (and general rules) on a network */
static void
-networkRemoveIptablesRules(struct network_driver *driver,
- virNetworkObjPtr network)
+networkRemoveIptablesRules(virNetworkObjPtr network)
{
int ii;
virNetworkIpDefPtr ipdef;
@@ -2176,9 +2120,9 @@ networkRemoveIptablesRules(struct network_driver *driver,
for (ii = 0;
(ipdef = virNetworkDefGetIpByIndex(network->def, AF_UNSPEC, ii));
ii++) {
- networkRemoveIpSpecificIptablesRules(driver, network, ipdef);
+ networkRemoveIpSpecificIptablesRules(network, ipdef);
}
- networkRemoveGeneralIptablesRules(driver, network);
+ networkRemoveGeneralIptablesRules(network);
}
static void
@@ -2199,8 +2143,8 @@ networkReloadIptablesRules(struct network_driver *driver)
/* Only the three L3 network types that are configured by libvirt
* need to have iptables rules reloaded.
*/
- networkRemoveIptablesRules(driver, network);
- if (networkAddIptablesRules(driver, network) < 0) {
+ networkRemoveIptablesRules(network);
+ if (networkAddIptablesRules(network) < 0) {
/* failed to add but already logged */
}
}
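Review bot: When `networkAddIptablesRules(network)` fails here, the rules were already torn down by the `networkRemoveIptablesRules(network)` call just above, so the (presumably active) network keeps running with none of its filter INPUT/FORWARD or nat POSTROUTING rules — a fail-open state that the empty `if` body only acknowledges as "already logged". Whether the caller marks the network as needing attention is not visible, since the enclosing loop in networkReloadIptablesRules starts outside the hunk. I would at least make the consequence explicit in the comment, e.g. `/* failed to add but already logged; the network is now up with no iptables rules until the next reload */`, and consider flagging the network so an operator can tell it is currently unfiltered.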
@@ -2526,7 +2470,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
goto err1;
/* Add "once per network" rules */
- if (networkAddIptablesRules(driver, network) < 0)
+ if (networkAddIptablesRules(network) < 0)
goto err1;
for (ii = 0;
@@ -2619,7 +2563,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
err2:
if (!save_err)
save_err = virSaveLastError();
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
err1:
if (!save_err)
@@ -2644,8 +2588,7 @@ networkStartNetworkVirtual(struct network_driver *driver,
return -1;
}
-static int networkShutdownNetworkVirtual(struct network_driver *driver,
- virNetworkObjPtr network)
+static int networkShutdownNetworkVirtual(virNetworkObjPtr network)
{
virNetDevBandwidthClear(network->def->bridge);
@@ -2677,7 +2620,7 @@ static int networkShutdownNetworkVirtual(struct network_driver *driver,
ignore_value(virNetDevSetOnline(network->def->bridge, 0));
- networkRemoveIptablesRules(driver, network);
+ networkRemoveIptablesRules(network);
ignore_value(virNetDevBridgeDelete(network->def->bridge));
@@ -2802,7 +2745,7 @@ static int networkShutdownNetwork(struct network_driver *driver,
case VIR_NETWORK_FORWARD_NONE:
case VIR_NETWORK_FORWARD_NAT:
case VIR_NETWORK_FORWARD_ROUTE:
- ret = networkShutdownNetworkVirtual(driver, network);
+ ret = networkShutdownNetworkVirtual(network);
break;
case VIR_NETWORK_FORWARD_BRIDGE:
@@ -3490,8 +3433,8 @@ networkUpdate(virNetworkPtr net,
network->def->forward.type == VIR_NETWORK_FORWARD_NAT ||
network->def->forward.type == VIR_NETWORK_FORWARD_ROUTE)) {
/* these could affect the iptables rules */
- networkRemoveIptablesRules(driver, network);
- if (networkAddIptablesRules(driver, network) < 0)
+ networkRemoveIptablesRules(network);
+ if (networkAddIptablesRules(network) < 0)
goto cleanup;
}
diff --git a/src/util/viriptables.c b/src/util/viriptables.c
index 16fbe9c..63a8031 100644
--- a/src/util/viriptables.c
+++ b/src/util/viriptables.c
@@ -88,52 +88,8 @@ enum {
REMOVE
};
-typedef struct
-{
- char *table;
- char *chain;
-} iptRules;
-
-struct _iptablesContext
-{
- iptRules *input_filter;
- iptRules *forward_filter;
- iptRules *nat_postrouting;
- iptRules *mangle_postrouting;
-};
-
-static void
-iptRulesFree(iptRules *rules)
-{
- VIR_FREE(rules->table);
- VIR_FREE(rules->chain);
- VIR_FREE(rules);
-}
-
-static iptRules *
-iptRulesNew(const char *table,
- const char *chain)
-{
- iptRules *rules;
-
- if (VIR_ALLOC(rules) < 0)
- return NULL;
-
- if (VIR_STRDUP(rules->table, table) < 0)
- goto error;
-
- if (VIR_STRDUP(rules->chain, chain) < 0)
- goto error;
-
- return rules;
-
- error:
- iptRulesFree(rules);
- return NULL;
-}
-
static virCommandPtr
-iptablesCommandNew(iptRules *rules, int family, int action)
+iptablesCommandNew(const char *table, const char *chain, int family, int action)
{
virCommandPtr cmd = NULL;
#if HAVE_FIREWALLD
@@ -150,9 +106,9 @@ iptablesCommandNew(iptRules *rules, int family, int action)
? IP6TABLES_PATH : IPTABLES_PATH);
}
- virCommandAddArgList(cmd, "--table", rules->table,
+ virCommandAddArgList(cmd, "--table", table,
action == ADD ? "--insert" : "--delete",
- rules->chain, NULL);
+ chain, NULL);
return cmd;
}
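Review bot: `table` and `chain` are now caller-supplied strings placed straight into the iptables argument list with no validation, and any `action` value other than `ADD` silently becomes `--delete`; neither contract is stated on the new signature. As far as the visible `virCommandAddArgList` call shows, the values become separate argv entries rather than shell text, so this is not an injection path today, but that should be written down so nobody later routes a user-controlled name through it. I would add above the function: `/* table and chain go verbatim into the iptables argv (no shell, no validation); callers must pass fixed netfilter names. action is ADD or REMOVE; anything else is treated as REMOVE. */`. The start of iptablesCommandNew, including the HAVE_FIREWALLD branch, lies in the preceding hunk.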
@@ -166,14 +122,14 @@ iptablesCommandRunAndFree(virCommandPtr cmd)
}
static int ATTRIBUTE_SENTINEL
-iptablesAddRemoveRule(iptRules *rules, int family, int action,
+iptablesAddRemoveRule(const char *table, const char *chain, int family, int action,
const char *arg, ...)
{
va_list args;
virCommandPtr cmd = NULL;
const char *s;
- cmd = iptablesCommandNew(rules, family, action);
+ cmd = iptablesCommandNew(table, chain, family, action);
virCommandAddArg(cmd, arg);
va_start(args, arg);
@@ -184,63 +140,8 @@ iptablesAddRemoveRule(iptRules *rules, int family, int action,
return iptablesCommandRunAndFree(cmd);
}
-/**
- * iptablesContextNew:
- *
- * Create a new IPtable context
- *
- * Returns a pointer to the new structure or NULL in case of error
- */
-iptablesContext *
-iptablesContextNew(void)
-{
- iptablesContext *ctx;
-
- if (VIR_ALLOC(ctx) < 0)
- return NULL;
-
- if (!(ctx->input_filter = iptRulesNew("filter", "INPUT")))
- goto error;
-
- if (!(ctx->forward_filter = iptRulesNew("filter", "FORWARD")))
- goto error;
-
- if (!(ctx->nat_postrouting = iptRulesNew("nat", "POSTROUTING")))
- goto error;
-
- if (!(ctx->mangle_postrouting = iptRulesNew("mangle", "POSTROUTING")))
- goto error;
-
- return ctx;
-
- error:
- iptablesContextFree(ctx);
- return NULL;
-}
-
-/**
- * iptablesContextFree:
- * @ctx: pointer to the IP table context
- *
- * Free the resources associated with an IP table context
- */
-void
-iptablesContextFree(iptablesContext *ctx)
-{
- if (ctx->input_filter)
- iptRulesFree(ctx->input_filter);
- if (ctx->forward_filter)
- iptRulesFree(ctx->forward_filter);
- if (ctx->nat_postrouting)
- iptRulesFree(ctx->nat_postrouting);
- if (ctx->mangle_postrouting)
- iptRulesFree(ctx->mangle_postrouting);
- VIR_FREE(ctx);
-}
-
static int
-iptablesInput(iptablesContext *ctx,
- int family,
+iptablesInput(int family,
const char *iface,
int port,
int action,
@@ -251,7 +152,7 @@ iptablesInput(iptablesContext *ctx,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule(ctx->input_filter,
+ return iptablesAddRemoveRule("filter", "INPUT",
family,
action,
"--in-interface", iface,
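Review bot: The `portstr[sizeof(portstr) - 1] = '\0';` following the `snprintf` is redundant — `snprintf` always NUL-terminates when given a non-zero size — and the same pair recurs in iptablesOutputFixUdpChecksum further down. If the intent is to guard against an out-of-range `port` being truncated, checking the return value says so explicitly: `if (snprintf(portstr, sizeof(portstr), "%d", port) >= (int)sizeof(portstr)) return -1;`; otherwise I would simply drop the line. Every visible caller in the network driver passes a fixed port (53, 67, 68, 69), so this is a point of style rather than a live bug; the declaration of `portstr` and the rest of iptablesInput are outside the hunk.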
@@ -274,12 +175,11 @@ iptablesInput(iptablesContext *ctx,
*/
int
-iptablesAddTcpInput(iptablesContext *ctx,
- int family,
+iptablesAddTcpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, ADD, 1);
+ return iptablesInput(family, iface, port, ADD, 1);
}
/**
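Review bot: The doc comment for iptablesAddTcpInput is not touched by this diff — the hunk begins at its closing `*/` — so if it still carries an `@ctx: pointer to the IP table context` line, that line now documents a parameter that no longer exists. The same applies to each Add/Remove wrapper below, whose hunks likewise start after their comment blocks. I would remove the `@ctx` line from every affected comment in this same patch rather than leave the Doxygen text disagreeing with the prototypes.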
@@ -294,12 +194,11 @@ iptablesAddTcpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveTcpInput(iptablesContext *ctx,
- int family,
+iptablesRemoveTcpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, REMOVE, 1);
+ return iptablesInput(family, iface, port, REMOVE, 1);
}
/**
@@ -315,12 +214,11 @@ iptablesRemoveTcpInput(iptablesContext *ctx,
*/
int
-iptablesAddUdpInput(iptablesContext *ctx,
- int family,
+iptablesAddUdpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, ADD, 0);
+ return iptablesInput(family, iface, port, ADD, 0);
}
/**
@@ -335,12 +233,11 @@ iptablesAddUdpInput(iptablesContext *ctx,
* Returns 0 in case of success or an error code in case of error
*/
int
-iptablesRemoveUdpInput(iptablesContext *ctx,
- int family,
+iptablesRemoveUdpInput(int family,
const char *iface,
int port)
{
- return iptablesInput(ctx, family, iface, port, REMOVE, 0);
+ return iptablesInput(family, iface, port, REMOVE, 0);
}
@@ -381,8 +278,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
* to proceed to WAN
*/
static int
-iptablesForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
@@ -395,7 +291,7 @@ iptablesForwardAllowOut(iptablesContext *ctx,
if (!(networkstr = iptablesFormatNetwork(netaddr, prefix)))
return -1;
- cmd = iptablesCommandNew(ctx->forward_filter,
+ cmd = iptablesCommandNew("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action);
virCommandAddArgList(cmd,
@@ -426,13 +322,12 @@ iptablesForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -449,13 +344,12 @@ iptablesAddForwardAllowOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowOut(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowOut(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowOut(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowOut(netaddr, prefix, iface, physdev, REMOVE);
}
@@ -463,8 +357,7 @@ iptablesRemoveForwardAllowOut(iptablesContext *ctx,
* and associated with an existing connection
*/
static int
-iptablesForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
@@ -477,7 +370,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
return -1;
if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -488,7 +381,7 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
"--jump", "ACCEPT",
NULL);
} else {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -516,13 +409,12 @@ iptablesForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -539,20 +431,18 @@ iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowRelatedIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowRelatedIn(netaddr, prefix, iface, physdev, REMOVE);
}
/* Allow all traffic destined to the bridge, with a valid network address
*/
static int
-iptablesForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev,
@@ -565,7 +455,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
return -1;
if (physdev && physdev[0]) {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -574,7 +464,7 @@ iptablesForwardAllowIn(iptablesContext *ctx,
"--jump", "ACCEPT",
NULL);
} else {
- ret = iptablesAddRemoveRule(ctx->forward_filter,
+ ret = iptablesAddRemoveRule("filter", "FORWARD",
VIR_SOCKET_ADDR_FAMILY(netaddr),
action,
"--destination", networkstr,
@@ -600,13 +490,12 @@ iptablesForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, ADD);
+ return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, ADD);
}
/**
@@ -623,13 +512,12 @@ iptablesAddForwardAllowIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardAllowIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev)
{
- return iptablesForwardAllowIn(ctx, netaddr, prefix, iface, physdev, REMOVE);
+ return iptablesForwardAllowIn(netaddr, prefix, iface, physdev, REMOVE);
}
@@ -637,12 +525,11 @@ iptablesRemoveForwardAllowIn(iptablesContext *ctx,
* with a valid network address
*/
static int
-iptablesForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesForwardAllowCross(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--in-interface", iface,
@@ -663,11 +550,10 @@ iptablesForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesAddForwardAllowCross(int family,
const char *iface)
{
- return iptablesForwardAllowCross(ctx, family, iface, ADD);
+ return iptablesForwardAllowCross(family, iface, ADD);
}
/**
@@ -682,11 +568,10 @@ iptablesAddForwardAllowCross(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardAllowCross(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardAllowCross(int family,
const char *iface)
{
- return iptablesForwardAllowCross(ctx, family, iface, REMOVE);
+ return iptablesForwardAllowCross(family, iface, REMOVE);
}
@@ -694,12 +579,11 @@ iptablesRemoveForwardAllowCross(iptablesContext *ctx,
* ie the bridge is the in interface
*/
static int
-iptablesForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesForwardRejectOut(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--in-interface", iface,
@@ -718,11 +602,10 @@ iptablesForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesAddForwardRejectOut(int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, family, iface, ADD);
+ return iptablesForwardRejectOut(family, iface, ADD);
}
/**
@@ -736,11 +619,10 @@ iptablesAddForwardRejectOut(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectOut(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardRejectOut(int family,
const char *iface)
{
- return iptablesForwardRejectOut(ctx, family, iface, REMOVE);
+ return iptablesForwardRejectOut(family, iface, REMOVE);
}
@@ -750,12 +632,11 @@ iptablesRemoveForwardRejectOut(iptablesContext *ctx,
* ie the bridge is the out interface
*/
static int
-iptablesForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesForwardRejectIn(int family,
const char *iface,
int action)
{
- return iptablesAddRemoveRule(ctx->forward_filter,
+ return iptablesAddRemoveRule("filter", "FORWARD",
family,
action,
"--out-interface", iface,
@@ -774,11 +655,10 @@ iptablesForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesAddForwardRejectIn(int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, family, iface, ADD);
+ return iptablesForwardRejectIn(family, iface, ADD);
}
/**
@@ -792,11 +672,10 @@ iptablesAddForwardRejectIn(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardRejectIn(iptablesContext *ctx,
- int family,
+iptablesRemoveForwardRejectIn(int family,
const char *iface)
{
- return iptablesForwardRejectIn(ctx, family, iface, REMOVE);
+ return iptablesForwardRejectIn(family, iface, REMOVE);
}
@@ -804,8 +683,7 @@ iptablesRemoveForwardRejectIn(iptablesContext *ctx,
* with the bridge
*/
static int
-iptablesForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
@@ -841,7 +719,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
}
}
- cmd = iptablesCommandNew(ctx->nat_postrouting, AF_INET, action);
+ cmd = iptablesCommandNew("nat", "POSTROUTING", AF_INET, action);
virCommandAddArgList(cmd, "--source", networkstr, NULL);
if (protocol && protocol[0])
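Review bot: The command is built with a hard-coded `AF_INET` even though the function receives `netaddr` and the sibling FORWARD helpers derive the family from it with `VIR_SOCKET_ADDR_FAMILY(netaddr)`; an IPv6 `netaddr` would here produce an `iptables` (not `ip6tables`) rule carrying an IPv6 `--source`. The only visible caller, networkAddIpSpecificIptablesRules, sends IPv6 NAT networks to the routing rules instead, so this is a latent inconsistency rather than a live bug. The top of iptablesForwardMasquerade is outside the hunk and may already reject non-IPv4 addresses; if it does not, I would either reject them with an error before building the command or state the contract in a comment: `/* MASQUERADE is IPv4-only; callers must never pass an IPv6 netaddr */`.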
@@ -922,15 +800,14 @@ cleanup:
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesAddForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesAddForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, ADD);
}
@@ -948,22 +825,20 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
* Returns 0 in case of success or an error code otherwise
*/
int
-iptablesRemoveForwardMasquerade(iptablesContext *ctx,
- virSocketAddr *netaddr,
+iptablesRemoveForwardMasquerade(virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol)
{
- return iptablesForwardMasquerade(ctx, netaddr, prefix, physdev, addr, port,
+ return iptablesForwardMasquerade(netaddr, prefix, physdev, addr, port,
protocol, REMOVE);
}
static int
-iptablesOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesOutputFixUdpChecksum(const char *iface,
int port,
int action)
{
@@ -972,7 +847,7 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx,
snprintf(portstr, sizeof(portstr), "%d", port);
portstr[sizeof(portstr) - 1] = '\0';
- return iptablesAddRemoveRule(ctx->mangle_postrouting,
+ return iptablesAddRemoveRule("mangle", "POSTROUTING",
AF_INET,
action,
"--out-interface", iface,
@@ -998,11 +873,10 @@ iptablesOutputFixUdpChecksum(iptablesContext *ctx,
*/
int
-iptablesAddOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesAddOutputFixUdpChecksum(const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(ctx, iface, port, ADD);
+ return iptablesOutputFixUdpChecksum(iface, port, ADD);
}
/**
@@ -1019,9 +893,8 @@ iptablesAddOutputFixUdpChecksum(iptablesContext *ctx,
* return an error, which should be ignored)
*/
int
-iptablesRemoveOutputFixUdpChecksum(iptablesContext *ctx,
- const char *iface,
+iptablesRemoveOutputFixUdpChecksum(const char *iface,
int port)
{
- return iptablesOutputFixUdpChecksum(ctx, iface, port, REMOVE);
+ return iptablesOutputFixUdpChecksum(iface, port, REMOVE);
}
diff --git a/src/util/viriptables.h b/src/util/viriptables.h
index b7ce59b..447f4a8 100644
--- a/src/util/viriptables.h
+++ b/src/util/viriptables.h
@@ -26,102 +26,77 @@
# include "virsocketaddr.h"
-typedef struct _iptablesContext iptablesContext;
-
-iptablesContext *iptablesContextNew (void);
-void iptablesContextFree (iptablesContext *ctx);
-
-int iptablesAddTcpInput (iptablesContext *ctx,
- int family,
+int iptablesAddTcpInput (int family,
const char *iface,
int port);
-int iptablesRemoveTcpInput (iptablesContext *ctx,
- int family,
+int iptablesRemoveTcpInput (int family,
const char *iface,
int port);
-int iptablesAddUdpInput (iptablesContext *ctx,
- int family,
+int iptablesAddUdpInput (int family,
const char *iface,
int port);
-int iptablesRemoveUdpInput (iptablesContext *ctx,
- int family,
+int iptablesRemoveUdpInput (int family,
const char *iface,
int port);
-int iptablesAddForwardAllowOut (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardAllowOut (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowOut (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardAllowOut (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardAllowRelatedIn(virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowIn (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardAllowIn (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesRemoveForwardAllowIn (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardAllowIn (virSocketAddr *netaddr,
unsigned int prefix,
const char *iface,
const char *physdev);
-int iptablesAddForwardAllowCross (iptablesContext *ctx,
- int family,
+int iptablesAddForwardAllowCross (int family,
const char *iface);
-int iptablesRemoveForwardAllowCross (iptablesContext *ctx,
- int family,
+int iptablesRemoveForwardAllowCross (int family,
const char *iface);
-int iptablesAddForwardRejectOut (iptablesContext *ctx,
- int family,
+int iptablesAddForwardRejectOut (int family,
const char *iface);
-int iptablesRemoveForwardRejectOut (iptablesContext *ctx,
- int family,
+int iptablesRemoveForwardRejectOut (int family,
const char *iface);
-int iptablesAddForwardRejectIn (iptablesContext *ctx,
- int family,
+int iptablesAddForwardRejectIn (int family,
const char *iface);
-int iptablesRemoveForwardRejectIn (iptablesContext *ctx,
- int family,
+int iptablesRemoveForwardRejectIn (int family,
const char *iface);
-int iptablesAddForwardMasquerade (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesAddForwardMasquerade (virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol);
-int iptablesRemoveForwardMasquerade (iptablesContext *ctx,
- virSocketAddr *netaddr,
+int iptablesRemoveForwardMasquerade (virSocketAddr *netaddr,
unsigned int prefix,
const char *physdev,
virSocketAddrRangePtr addr,
virPortRangePtr port,
const char *protocol);
-int iptablesAddOutputFixUdpChecksum (iptablesContext *ctx,
- const char *iface,
+int iptablesAddOutputFixUdpChecksum (const char *iface,
int port);
-int iptablesRemoveOutputFixUdpChecksum (iptablesContext *ctx,
- const char *iface,
+int iptablesRemoveOutputFixUdpChecksum (const char *iface,
int port);
#endif /* __QEMUD_IPTABLES_H__ */
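Review bot: The include guard `__QEMUD_IPTABLES_H__` still names the file's old qemud home and uses a leading double underscore, which C reserves for the implementation; this patch rewrites nearly the whole header yet leaves it, and the matching `#ifndef`/`#define` at the top of the file are outside the hunk. I would rename it to match the file, e.g. `#endif /* VIR_IPTABLES_H */` (or whatever form the other util headers use), in the same series. Separately, none of the new prototypes carry a comment — the Doxygen blocks live in viriptables.c — so a one-line header note that each of these helpers runs an iptables/ip6tables command and that table and chain names are fixed internally would help callers who only read the header.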
--
1.8.1.4
[libvirt] [PATCH] qemu: indentation fix
by Ján Tomko
---
Pushed as trivial.
src/qemu/qemu_command.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 4d70004..ba93233 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7003,7 +7003,7 @@ qemuBuildCommandLine(virConnectPtr conn,
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
_("unsupported rtc tickpolicy '%s'"),
virDomainTimerTickpolicyTypeToString(def->clock.timers[i]->tickpolicy));
- goto error;
+ goto error;
}
} else if (!virQEMUCapsGet(qemuCaps, QEMU_CAPS_RTC)
&& (def->clock.timers[i]->tickpolicy
--
1.8.1.5