[libvirt] [PATCH] docs: Use gender-neutral pronoun in hacking.html.in
by Christophe Fergeau
Use 'they' instead of 'he'.
---
docs/hacking.html.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/hacking.html.in b/docs/hacking.html.in
index 32ebd8e..a73b1e0 100644
--- a/docs/hacking.html.in
+++ b/docs/hacking.html.in
@@ -65,7 +65,7 @@
review your patch set. One should avoid sending patches as attachments,
but rather send them in email body along with commit message. If a
developer is sending another version of the patch (e.g. to address
- review comments), he is advised to note differences to previous
+ review comments), they are advised to note differences to previous
versions after the <code>---</code> line in the patch so that it helps
reviewers but doesn't become part of git history. Moreover, such patch
needs to be prefixed correctly with
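Review bot: the pronoun change is fine; while touching this paragraph you could also fix the context line "Moreover, such patch needs to be prefixed" to "such a patch", which is the same class of wording fix and keeps the paragraph consistent.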
--
2.1.0
9 years, 11 months
[libvirt] [RFC] broken migration by VGA memory patch series
by Pavel Hrdina
Hi all,
The recent patch series that finally starts using the vram attribute for QEMU
video devices and also introduces a new vgamem attribute breaks migration
from older libvirts to the currently developed version.
_Situation before patches:_
The libvirt XML configuration for the VGA device has the attribute "vram", but
we ignore the value and don't pass anything to QEMU, which sets the VGA
RAM size to its default of 16MB.
_Situation after patches:_
The libvirt XML configuration for the VGA device has the attribute "vram", and
we honor that value and pass it to QEMU, which takes the value and uses
it.
The migration issue arises in the case where you set, with the old libvirt,
a value different from the default 9MB or 16MB in the XML configuration,
because the new libvirt will take the 9MB and round it to the next power
of 2, which is 16MB.
old libvirt guest        ===> migration ===>        new libvirt guest

GUEST_1                                              GUEST_1
  vram="9182"                                          vram="16384"
  vgamem_mb=16                                         vgamem_mb=16

GUEST_2                                              GUEST_2
  vram="65536"                                         vram="65536"
  vgamem_mb=16                                         vgamem_mb=64
As you can see, the migration will fail because we will start using the
"vram" attribute, and because of that the memory for the VGA device will be
different.
The least painful solution to this issue is probably to add an extra element
to the migration cookie, and if this element is missing we will not
*pass* the "vram" value to the QEMU process, so we don't break the migration.
This issue also applies to managed save or save.
I would like to get some ideas or comments on whether we want to fix the
migration from old libvirt or not.
Pavel
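The two guests in the table above, worked through as an added example (this is not libvirt code). It assumes only what the mail states: the old libvirt never passed vram, so QEMU used its 16 MiB default; the new libvirt converts vram (KiB) to MiB and rounds up to the next power of two; and, with the proposed fix, the destination honours vram only when the migration cookie carries a new element (named here as a hypothetical flag, `cookie_has_vgamem`). The domain XML is constructed for the example.

```python
import math
import xml.etree.ElementTree as ET

# QEMU's VGA memory default as stated in the mail (assumption: 16 MiB, the
# value the old libvirt silently got because it never passed vram).
QEMU_DEFAULT_VGAMEM_MB = 16


def vgamem_mb_from_vram(vram_kib):
    """What the new libvirt passes as vgamem_mb: vram (KiB) converted to
    MiB and rounded up to the next power of two."""
    if vram_kib <= 0:
        raise ValueError("vram must be a positive number of KiB")
    mib = math.ceil(vram_kib / 1024)
    return 1 << (mib - 1).bit_length()


def source_vgamem_mb(vram_kib, source_is_new):
    """VGA memory the running source guest actually has."""
    if source_is_new:
        return vgamem_mb_from_vram(vram_kib)
    return QEMU_DEFAULT_VGAMEM_MB      # old libvirt ignored vram entirely


def dest_vgamem_mb(vram_kib, cookie_has_vgamem, with_fix):
    """VGA memory the destination would start QEMU with.  With the fix
    proposed in the mail, the destination honours vram only when the
    migration cookie carries the (hypothetical) vgamem element."""
    if with_fix and not cookie_has_vgamem:
        return QEMU_DEFAULT_VGAMEM_MB
    return vgamem_mb_from_vram(vram_kib)


def migration_breaks(vram_kib, source_is_new=False, with_fix=False):
    """True when source and destination disagree on the VGA memory size,
    i.e. the migration would fail as described for GUEST_2."""
    # only a new source can put the element into the cookie
    cookie_has_vgamem = source_is_new
    return (source_vgamem_mb(vram_kib, source_is_new)
            != dest_vgamem_mb(vram_kib, cookie_has_vgamem, with_fix))


def vram_from_domain_xml(domain_xml):
    """Read the vram attribute of the first <video><model> in domain XML."""
    model = ET.fromstring(domain_xml).find("./devices/video/model")
    if model is None or "vram" not in model.attrib:
        raise ValueError("domain XML has no <video><model vram=...>")
    return int(model.attrib["vram"])


# Constructed sample: GUEST_2 from the mail (65536 KiB = 64 MiB of vram).
GUEST_2_XML = """<domain type='kvm'>
  <name>GUEST_2</name>
  <devices>
    <video><model type='vga' vram='65536' heads='1'/></video>
  </devices>
</domain>"""


if __name__ == "__main__":
    cases = (("GUEST_1", 9182), ("GUEST_2", vram_from_domain_xml(GUEST_2_XML)))
    for name, vram in cases:
        print(f"{name}: vram={vram} -> vgamem_mb={vgamem_mb_from_vram(vram)};"
              f" old->new breaks: {migration_breaks(vram)};"
              f" with cookie fix: {migration_breaks(vram, with_fix=True)}")
```

GUEST_1 survives either way because 9182 KiB rounds to the same 16 MiB QEMU already used; GUEST_2 breaks without the fix (16 MiB on the source, 64 MiB on the destination) and is left at 16 MiB by the cookie check, which is exactly the compatibility the mail is asking about.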
9 years, 11 months
[libvirt] [PATCH 0/2] Exit from virsh when disconnected due to keepalive
by Martin Kletzander
When the connection in virsh got disconnected due to keepalive, virsh
was trying to reconnect. Adding REASON_KEEPALIVE to the list of
disconnect reasons after which virsh should not reconnect (patch 1/1) was
not enough, because our rpc code was rewriting those and that needs to
be fixed too (patch 2/2).
Martin Kletzander (2):
rpc: Report proper close reason
virsh: Really disconnect on keepalive timeout
src/rpc/virnetclient.c | 7 +++++--
tools/virsh.c | 13 +++++++++----
2 files changed, 14 insertions(+), 6 deletions(-)
--
2.1.3
9 years, 11 months
[libvirt] [PATCH v2 0/2] virsh: Don't wait for reconnection when it's unnecessary
by Martin Kletzander
Before when disconnected due to keepalive timeout:
$ virsh -k1 -K1 list
2014-12-01 10:58:42.725+0000: 1643: info : libvirt version: 1.2.11
2014-12-01 10:58:42.725+0000: 1643: warning : virKeepAliveTimerInternal:143 : No response from client 0x7fa8b7c46f70 after 1 keepalive messages in 2 seconds
2014-12-01 10:58:42.725+0000: 1644: warning : virKeepAliveTimerInternal:143 : No response from client 0x7fa8b7c46f70 after 1 keepalive messages in 2 seconds
error: Failed to list domains
* virsh hangs here until reconnected or killed, if reconnected:
error: internal error: received hangup / error event on socket
After (the same scenario):
$ virsh -k1 -K1 list
error: Failed to list domains
error: internal error: No response from client 0x7ff0e9545f70 after 1 keepalive messages in 2 seconds
* virsh doesn't hang :)
Martin Kletzander (2):
rpc: Report proper close reason for keepalive disconnections
virsh: Don't reconnect after the command when disconnected
src/rpc/virkeepalive.c | 11 ++++++-----
src/rpc/virnetclient.c | 1 +
tools/virsh.c | 3 ---
3 files changed, 7 insertions(+), 8 deletions(-)
--
2.1.3
9 years, 11 months
[libvirt] [PATCH] storage: Fix printing/casting of uid_t/gid_t
by Peter Krempa
Other parts of libvirt use "%u" for formatting uid/gid and typecast to
unsigned int. Storage driver used the signed variant.
---
src/storage/storage_driver.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index 7f4de19..24b54f4 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -2797,7 +2797,8 @@ virStorageFileChown(virStorageSourcePtr src,
return -2;
}
- VIR_DEBUG("chown of storage file %p to %d:%d", src, uid, gid);
+ VIR_DEBUG("chown of storage file %p to %u:%u",
+ src, (unsigned int)uid, (unsigned int)gid);
return src->drv->backend->storageFileChown(src, uid, gid);
}
@@ -2819,9 +2820,9 @@ virStorageFileGetMetadataRecurse(virStorageSourcePtr src,
virStorageSourcePtr backingStore = NULL;
int backingFormat;
- VIR_DEBUG("path=%s format=%d uid=%d gid=%d probe=%d",
+ VIR_DEBUG("path=%s format=%d uid=%d gid=%u probe=%u",
src->path, src->format,
- (int)uid, (int)gid, allow_probe);
+ (unsigned int)uid, (unsigned int)gid, allow_probe);
/* exit if we can't load information about the current image */
if (!virStorageFileSupportsBackingChainTraversal(src))
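Review bot: the format string in this VIR_DEBUG is now inconsistent with its arguments: `uid=%d` is kept although the argument becomes `(unsigned int)uid`, and `probe=%d` is changed to `probe=%u` although allow_probe is a bool and the later hunk in virStorageFileGetMetadata keeps `probe=%d`. Make it `"path=%s format=%d uid=%u gid=%u probe=%d"` so the conversions match the casts and the two debug lines agree.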
@@ -2834,13 +2835,15 @@ virStorageFileGetMetadataRecurse(virStorageSourcePtr src,
if (src == parent) {
virReportSystemError(errno,
_("Cannot access storage file '%s' "
- "(as uid:%d, gid:%d)"),
- src->path, (int)uid, (int)gid);
+ "(as uid:%u, gid:%u)"),
+ src->path, (unsigned int)uid,
+ (unsigned int)gid);
} else {
virReportSystemError(errno,
_("Cannot access backing file '%s' "
- "of storage file '%s' (as uid:%d, gid:%d)"),
- src->path, parent->path, (int)uid, (int)gid);
+ "of storage file '%s' (as uid:%u, gid:%u)"),
+ src->path, parent->path,
+ (unsigned int)uid, (unsigned int)gid);
}
goto cleanup;
@@ -2934,8 +2937,8 @@ virStorageFileGetMetadata(virStorageSourcePtr src,
bool allow_probe,
bool report_broken)
{
- VIR_DEBUG("path=%s format=%d uid=%d gid=%d probe=%d, report_broken=%d",
- src->path, src->format, (int)uid, (int)gid,
+ VIR_DEBUG("path=%s format=%d uid=%u gid=%u probe=%d, report_broken=%d",
+ src->path, src->format, (unsigned int)uid, (unsigned int)gid,
allow_probe, report_broken);
virHashTablePtr cycle = NULL;
--
2.1.0
9 years, 11 months
[libvirt] [PATCH] nwfilter: Add support for icmpv6 filtering
by Stefan Berger
Make use of the ebtables functionality to be able to filter certain
parameters of icmpv6 packets. Extend the XML parser for icmpv6 types,
type ranges, codes, and code ranges. Extend the nwfilter documentation,
schema, and test cases.
Being able to filter icmpv6 types and codes helps extend the DHCP
snooper for IPv6 and filter at least some parameters of IPv6's NDP
(Neighbor Discovery Protocol) packets. However, the filtering will not
be as good as the filtering of ARP packets, since we cannot check the IP
addresses in the payload of the NDP packets.
Signed-off-by: Stefan Berger stefanb(a)linux.vnet.ibm.com
---
docs/formatnwfilter.html.in | 20 +++++++
docs/schemas/nwfilter.rng | 26 +++++++++
src/conf/nwfilter_conf.c | 26 +++++++++
src/conf/nwfilter_conf.h | 4 ++
src/nwfilter/nwfilter_ebiptables_driver.c | 80 ++++++++++++++++++++++++++
tests/nwfilterxml2firewalldata/ipv6-linux.args | 16 ++++++
tests/nwfilterxml2firewalldata/ipv6.xml | 38 ++++++++++++
tests/nwfilterxml2xmlin/ipv6-test.xml | 38 ++++++++++++
tests/nwfilterxml2xmlout/ipv6-test.xml | 12 ++++
9 files changed, 260 insertions(+)
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 073b852..7c0dd5b 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -1197,6 +1197,26 @@
<td>End of range of valid destination ports; requires <code>protocol</code></td>
</tr>
<tr>
+ <td>type<span class="since">(Since 1.x.y)</span></td>
+ <td>UINT8</td>
+ <td>ICMPv6 type; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
+ </tr>
+ <tr>
+ <td>typeend<span class="since">(Since 1.x.y)</span></td>
+ <td>UINT8</td>
+ <td>ICMPv6 type end of range; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
+ </tr>
+ <tr>
+ <td>code<span class="since">(Since 1.x.y)</span></td>
+ <td>UINT8</td>
+ <td>ICMPv6 code; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
+ </tr>
+ <tr>
+ <td>code<span class="since">(Since 1.x.y)</span></td>
+ <td>UINT8</td>
+ <td>ICMPv6 code end of range; requires <code>protocol</code> to be set to <code>icmpv6</code></td>
+ </tr>
+ <tr>
<td>comment <span class="since">(Since 0.8.5)</span></td>
<td>STRING</td>
<td>text with max. 256 characters</td>
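Review bot: the fourth new row, `<td>code<span class="since">(Since 1.x.y)</span></td>`, describes the end of the code range but is labelled `code` again; it should read `codeend` to match the schema and the `codeend` entry in ipv6Attributes. The four `(Since 1.x.y)` placeholders also need the real release number before this is merged.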
diff --git a/docs/schemas/nwfilter.rng b/docs/schemas/nwfilter.rng
index 2b54fd5..9df39c0 100644
--- a/docs/schemas/nwfilter.rng
+++ b/docs/schemas/nwfilter.rng
@@ -90,6 +90,7 @@
<ref name="common-ipv6-attributes-p1"/>
<ref name="common-port-attributes"/>
<ref name="ip-attributes"/>
+ <ref name="icmp-attribute-ranges"/>
<ref name="comment-attribute"/>
</element>
</zeroOrMore>
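Review bot: icmp-attribute-ranges is referenced from the ipv6 element unconditionally, so the schema accepts type/typeend/code/codeend together with any protocol value, while the documentation table says they require protocol='icmpv6'. RelaxNG cannot easily express that dependency, so the parser should reject these attributes when protocol is not icmpv6; nothing in this series does, and the ebtables driver hunk emits --ip6-icmp-type whenever any of the four items is set regardless of protocol.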
@@ -588,6 +589,31 @@
</interleave>
</define>
+ <define name="icmp-attribute-ranges">
+ <interleave>
+ <optional>
+ <attribute name="type">
+ <ref name="uint8range"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="typeend">
+ <ref name="uint8range"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="code">
+ <ref name="uint8range"/>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name="codeend">
+ <ref name="uint8range"/>
+ </attribute>
+ </optional>
+ </interleave>
+ </define>
+
<define name="mac-attributes">
<interleave>
<optional>
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index 074d745..0108dbe 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -1445,6 +1445,26 @@ static const virXMLAttr2Struct ipv6Attributes[] = {
.datatype = DATATYPE_UINT16 | DATATYPE_UINT16_HEX,
.dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.portData.dataDstPortEnd),
},
+ {
+ .name = "type",
+ .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPTypeStart),
+ },
+ {
+ .name = "typeend",
+ .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPTypeEnd),
+ },
+ {
+ .name = "code",
+ .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPCodeStart),
+ },
+ {
+ .name = "codeend",
+ .datatype = DATATYPE_UINT8 | DATATYPE_UINT8_HEX,
+ .dataIdx = offsetof(virNWFilterRuleDef, p.ipv6HdrFilter.dataICMPCodeEnd),
+ },
COMMENT_PROP_IPHDR(ipv6HdrFilter),
{
.name = NULL,
@@ -2219,6 +2239,12 @@ virNWFilterRuleDefFixup(virNWFilterRuleDefPtr rule)
rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr);
COPY_NEG_SIGN(rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask,
rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr);
+ COPY_NEG_SIGN(rule->p.icmpHdrFilter.dataICMPTypeend,
+ rule->p.icmpHdrFilter.dataICMPType);
+ COPY_NEG_SIGN(rule->p.icmpHdrFilter.dataICMPCode,
+ rule->p.icmpHdrFilter.dataICMPType);
+ COPY_NEG_SIGN(rule->p.icmpHdrFilter.dataICMPCodeend,
+ rule->p.icmpHdrFilter.dataICMPType);
virNWFilterRuleDefFixupIPSet(&rule->p.ipv6HdrFilter.ipHdr);
break;
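Review bot: the three new COPY_NEG_SIGN calls use `rule->p.icmpHdrFilter.dataICMPTypeend`, `.dataICMPCode` and `.dataICMPCodeend`, but this is the ipv6 case and the fields added to _ipv6HdrFilterDef are dataICMPTypeStart/End and dataICMPCodeStart/End. As written this addresses a different member of the `p` union and never propagates the negation sign onto the ipv6 fields. It should be `COPY_NEG_SIGN(rule->p.ipv6HdrFilter.dataICMPTypeEnd, rule->p.ipv6HdrFilter.dataICMPTypeStart)` and the same for the code pair, with the code end copying from the code start rather than from the type.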
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index f81df60..6e68ecc 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -265,6 +265,10 @@ struct _ipv6HdrFilterDef {
ethHdrDataDef ethHdr;
ipHdrDataDef ipHdr;
portDataDef portData;
+ nwItemDesc dataICMPTypeStart;
+ nwItemDesc dataICMPTypeEnd;
+ nwItemDesc dataICMPCodeStart;
+ nwItemDesc dataICMPCodeEnd;
};
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 377b59b..d7a94ee 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1826,6 +1826,7 @@ ebtablesCreateRuleInstance(virFirewallPtr fw,
bool hasMask = false;
virFirewallRulePtr fwrule;
int ret = -1;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
if (STREQ(chainSuffix,
virNWFilterChainSuffixTypeToString(
@@ -2342,6 +2343,83 @@ ebtablesCreateRuleInstance(virFirewallPtr fw,
virFirewallRuleAddArg(fw, fwrule, number);
}
}
+
+ if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart) ||
+ HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd) ||
+ HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeStart) ||
+ HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeEnd) ) {
+ bool lo = false;
+ char *r;
+
+ virFirewallRuleAddArg(fw, fwrule,
+ "--ip6-icmp-type");
+
+ if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) {
+ if (printDataType(vars,
+ number, sizeof(number),
+ &rule->p.ipv6HdrFilter.dataICMPTypeStart) < 0)
+ goto cleanup;
+ lo = true;
+ } else {
+ ignore_value(virStrcpyStatic(number, "0"));
+ }
+
+ virBufferStrcat(&buf, number, ":", NULL);
+
+ if HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeEnd) {
+ if (printDataType(vars,
+ numberalt, sizeof(numberalt),
+ &rule->p.ipv6HdrFilter.dataICMPTypeEnd) < 0)
+ goto cleanup;
+ } else {
+ if (lo)
+ ignore_value(virStrcpyStatic(numberalt, number));
+ else
+ ignore_value(virStrcpyStatic(numberalt, "255"));
+ }
+
+ virBufferStrcat(&buf, numberalt, "/", NULL);
+
+ lo = false;
+
+ if HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeStart) {
+ if (printDataType(vars,
+ number, sizeof(number),
+ &rule->p.ipv6HdrFilter.dataICMPCodeStart) < 0)
+ goto cleanup;
+ lo = true;
+ } else {
+ ignore_value(virStrcpyStatic(number, "0"));
+ }
+
+ virBufferStrcat(&buf, number, ":", NULL);
+
+ if HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeEnd) {
+ if (printDataType(vars,
+ numberalt, sizeof(numberalt),
+ &rule->p.ipv6HdrFilter.dataICMPCodeEnd) < 0)
+ goto cleanup;
+ } else {
+ if (lo)
+ ignore_value(virStrcpyStatic(numberalt, number));
+ else
+ ignore_value(virStrcpyStatic(numberalt, "255"));
+ }
+
+ virBufferStrcat(&buf, numberalt, NULL);
+
+ if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeStart))
+ virFirewallRuleAddArg(fw, fwrule, "!");
+
+ if (virBufferCheckError(&buf) < 0)
+ goto cleanup;
+
+ r = virBufferContentAndReset(&buf);
+
+ virFirewallRuleAddArg(fw, fwrule, r);
+
+ VIR_FREE(r);
+ }
break;
case VIR_NWFILTER_RULE_PROTOCOL_NONE:
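Review bot: the three `if HAS_ENTRY_ITEM(...) {` conditions (type end, code start, code end) omit the parentheses that libvirt style requires around an if condition and that the first check in this block uses; write `if (HAS_ENTRY_ITEM(...)) {`. Separately, the `!` is emitted only when dataICMPTypeStart carries the negation sign, so a negation given only on typeend, code or codeend is silently dropped, and because all four values are folded into one `type:type/code:code` argument a single `!` negates the whole range; either document that or reject negation on the other three attributes at parse time.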
@@ -2376,6 +2454,8 @@ ebtablesCreateRuleInstance(virFirewallPtr fw,
ret = 0;
cleanup:
+ virBufferFreeAndReset(&buf);
+
return ret;
}
diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.args b/tests/nwfilterxml2firewalldata/ipv6-linux.args
index a42566c..735f663 100644
--- a/tests/nwfilterxml2firewalldata/ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/ipv6-linux.args
@@ -18,3 +18,19 @@ ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 --ip6-protocol 18 -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 --ip6-protocol 18 -j ACCEPT
+ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:11/10:11 -j ACCEPT
+ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:11/10:11 -j ACCEPT
+ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/10:10 -j ACCEPT
+ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/10:10 -j ACCEPT
+ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 0:255/10:10 -j ACCEPT
+ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 0:255/10:10 -j ACCEPT
+ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/0:255 -j ACCEPT
+ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/0:255 -j ACCEPT
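Review bot: the new expectations cover the four default-filling cases but not negation or hex input, although ipv6Attributes accepts DATATYPE_UINT8_HEX and the driver emits `!`; add one rule with a negated type and one with a hex value so the `--ip6-icmp-type ! ...` path and the hex parsing are exercised.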
diff --git a/tests/nwfilterxml2firewalldata/ipv6.xml b/tests/nwfilterxml2firewalldata/ipv6.xml
index 9f67bea..2400958 100644
--- a/tests/nwfilterxml2firewalldata/ipv6.xml
+++ b/tests/nwfilterxml2firewalldata/ipv6.xml
@@ -40,4 +40,42 @@
/>
</rule>
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='icmpv6'
+ type='1' typeend='11'
+ code='10' codeend='11'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='icmpv6'
+ type='1'
+ code='10'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='icmpv6'
+ code='10'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='icmpv6'
+ type='1'
+ />
+ </rule>
+
</filter>
diff --git a/tests/nwfilterxml2xmlin/ipv6-test.xml b/tests/nwfilterxml2xmlin/ipv6-test.xml
index 556796f..2daa3b9 100644
--- a/tests/nwfilterxml2xmlin/ipv6-test.xml
+++ b/tests/nwfilterxml2xmlin/ipv6-test.xml
@@ -40,4 +40,42 @@
/>
</rule>
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='icmpv6'
+ type='1' typeend='11'
+ code='10' codeend='11'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='icmpv6'
+ type='1'
+ code='10'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='icmpv6'
+ code='10'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='icmpv6'
+ type='1'
+ />
+ </rule>
+
</filter>
diff --git a/tests/nwfilterxml2xmlout/ipv6-test.xml b/tests/nwfilterxml2xmlout/ipv6-test.xml
index fcc5c0d..ce9dd06 100644
--- a/tests/nwfilterxml2xmlout/ipv6-test.xml
+++ b/tests/nwfilterxml2xmlout/ipv6-test.xml
@@ -12,4 +12,16 @@
<rule action='accept' direction='inout' priority='500'>
<ipv6 srcipaddr='1::2' srcipmask='128' dstipaddr='a:b:c::' dstipmask='65' protocol='18'/>
</rule>
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128' dstipaddr='a:b:c::' dstipmask='65' protocol='icmpv6' type='1' typeend='11' code='10' codeend='11'/>
+ </rule>
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128' dstipaddr='a:b:c::' dstipmask='65' protocol='icmpv6' type='1' code='10'/>
+ </rule>
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128' dstipaddr='a:b:c::' dstipmask='65' protocol='icmpv6' code='10'/>
+ </rule>
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128' dstipaddr='a:b:c::' dstipmask='65' protocol='icmpv6' type='1'/>
+ </rule>
</filter>
--
1.9.3
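The mapping from the new XML attributes to the ebtables `--ip6-icmp-type` value, as an added example in Python (not libvirt code): it reproduces the default-filling rules of the driver hunk (missing start is 0; missing end is the start if a start was given, else 255) and checks them against the four `--ip6-icmp-type` values the patch's ipv6-linux.args expects. Unlike the patch, it refuses the attributes when protocol is not icmpv6, which is what the documentation table requires. Negation is not modelled. The `--ip6-protocol 58` mapping for icmpv6 is taken from the .args lines; the sample rules are the patch's test rules with the address attributes omitted, since they do not affect this argument.

```python
import xml.etree.ElementTree as ET

ICMP_ATTRS = ("type", "typeend", "code", "codeend")


def parse_uint8(name, text):
    """Accept decimal or 0x-prefixed hex, as DATATYPE_UINT8 | DATATYPE_UINT8_HEX
    does, and range-check the result."""
    value = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= value <= 255:
        raise ValueError(f"{name}='{text}' is not a uint8")
    return value


def icmpv6_type_arg(attrs):
    """Return the 'type:typeend/code:codeend' value for --ip6-icmp-type, or
    None when none of the four attributes is present."""
    if not any(k in attrs for k in ICMP_ATTRS):
        return None

    def span(start_key, end_key):
        # same defaults as the driver: missing start -> 0; missing end ->
        # the start if one was given, else 255
        if start_key in attrs:
            lo = parse_uint8(start_key, attrs[start_key])
            hi = parse_uint8(end_key, attrs[end_key]) if end_key in attrs else lo
        else:
            lo = 0
            hi = parse_uint8(end_key, attrs[end_key]) if end_key in attrs else 255
        if lo > hi:
            raise ValueError(f"{start_key}={lo} exceeds {end_key}={hi}")
        return f"{lo}:{hi}"

    return f"{span('type', 'typeend')}/{span('code', 'codeend')}"


def icmpv6_args_from_rule(rule_xml):
    """Parse one <rule><ipv6 .../></rule> and return the ebtables arguments
    its ICMPv6 attributes contribute.  Rejects the attributes when the
    protocol is not icmpv6 (the check the driver hunk lacks)."""
    ipv6 = ET.fromstring(rule_xml).find("ipv6")
    if ipv6 is None:
        raise ValueError("rule has no <ipv6> element")
    value = icmpv6_type_arg(ipv6.attrib)
    if value is None:
        return []
    if ipv6.attrib.get("protocol") != "icmpv6":
        raise ValueError("type/typeend/code/codeend require protocol='icmpv6'")
    return ["--ip6-protocol", "58", "--ip6-icmp-type", value]


# The four rules from tests/nwfilterxml2firewalldata/ipv6.xml (address
# attributes omitted), each paired with the value ipv6-linux.args expects.
PATCH_CASES = [
    ("<rule action='accept' direction='inout'><ipv6 protocol='icmpv6' "
     "type='1' typeend='11' code='10' codeend='11'/></rule>", "1:11/10:11"),
    ("<rule action='accept' direction='inout'><ipv6 protocol='icmpv6' "
     "type='1' code='10'/></rule>", "1:1/10:10"),
    ("<rule action='accept' direction='inout'><ipv6 protocol='icmpv6' "
     "code='10'/></rule>", "0:255/10:10"),
    ("<rule action='accept' direction='inout'><ipv6 protocol='icmpv6' "
     "type='1'/></rule>", "1:1/0:255"),
]

if __name__ == "__main__":
    for rule, expected in PATCH_CASES:
        got = icmpv6_args_from_rule(rule)[-1]
        print(f"{'ok ' if got == expected else 'BAD'} {got:<12} expected {expected}")
```

Running the block reproduces all four expected values; feeding it `protocol='tcp' type='1'` raises instead of silently emitting an `--ip6-icmp-type` argument for a non-ICMPv6 rule.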
9 years, 11 months
[libvirt] [PATCH] Update LIBVIRT_CHECK_LIB and LIBVIRT_CHECK_LIB_ALT to use pkg-config
by Pavel Hrdina
For example, on FreeBSD the "yajl" library is located in "/usr/local/lib",
which is not in the default LIBS, and therefore configure fails saying that
"yajl" is not installed.
We can use "PKG_CHECK_MODULES" to get the correct library path in
case the library provides a pkg-config file definition; otherwise the old
approach is used.
Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
---
m4/virt-lib.m4 | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/m4/virt-lib.m4 b/m4/virt-lib.m4
index 75b9b1d..2401034 100644
--- a/m4/virt-lib.m4
+++ b/m4/virt-lib.m4
@@ -78,6 +78,8 @@ AC_DEFUN([LIBVIRT_CHECK_LIB],[
if test "x$with_var" != "xyes" && test "x$with_var" != "xcheck" ; then
cflags_var="-I$with_var/include"
libs_var="-L$with_var/lib"
+ else
+ PKG_CHECK_MODULES(check_name, library_name, [], [true])
fi
CFLAGS="$CFLAGS $cflags_var"
LIBS="$LIBS $libs_var"
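Review bot: PKG_CHECK_MODULES stores its result in the `<prefix>_CFLAGS` and `<prefix>_LIBS` shell variables (prefix being what check_name expands to), but this else branch never copies them into cflags_var and libs_var, so the following `CFLAGS="$CFLAGS $cflags_var"` / `LIBS="$LIBS $libs_var"` lines still append nothing and the FreeBSD /usr/local/lib case the commit message describes is unchanged. Assign those two variables to cflags_var and libs_var inside the else branch (with the quoting the surrounding macro uses for check_name, e.g. `check_name[]_CFLAGS` if it is an m4 macro). Two further points: pkg-config module names do not always equal the library name passed as library_name, and PKG_CHECK_MODULES requires PKG_PROG_PKG_CONFIG to have run earlier in configure.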
@@ -211,6 +213,8 @@ AC_DEFUN([LIBVIRT_CHECK_LIB_ALT],[
if test "x$with_var" != "xyes" && test "x$with_var" != "xcheck" ; then
cflags_var="-I$with_var/include"
libs_var="-L$with_var/lib"
+ else
+ PKG_CHECK_MODULES(check_name, library_name, [], [true])
fi
CFLAGS="$CFLAGS $cflags_var"
LIBS="$LIBS $libs_var"
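Review bot: same issue as in LIBVIRT_CHECK_LIB above: the pkg-config output is never assigned to cflags_var/libs_var, so this else branch is a no-op as written; mirror whatever fix is applied there.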
--
2.0.4
9 years, 11 months
[libvirt] snapshot-create-as doesn't always work across libvirtd restarts
by Eric Blake
I just found out the hard way that we have a bug in snapshot-create-as,
when I corrupted a guest. I was testing with an offline domain:
# virsh dumpxml win64 |grep -C1 driver
<disk type='block' device='disk'>
<driver name='qemu' type='raw'/>
<source dev='/dev/sda4'/>
# virsh snapshot-create-as win64 --disk-only \
    --diskspec hda,file=/var/lib/libvirt/images/win64.qcow2 --no-metadata
Domain snapshot 1417850911 created
# virsh dumpxml win64 |grep -C1 driver
<disk type='block' device='disk'>
<driver name='qemu' type='qcow2'/>
<source dev='/var/lib/libvirt/images/win64.qcow2'/>
# systemctl restart libvirtd
# virsh dumpxml win64 |grep -C1 driver
<disk type='block' device='disk'>
<driver name='qemu' type='raw'/>
<source dev='/dev/sda4'/>
Even though we don't want to save the snapshot metadata, we DO need to
save the XML change. Otherwise, the restarted libvirtd sees the wrong
disk as the source; worse, if the user started the guest before
restarting libvirtd, they run the risk of accidentally reverting to the
pre-snapshot state and losing all changes they made in the meantime,
perhaps even getting their guest filesystem into an inconsistent state.
I'm out of time to get to a root cause or fix before next week, but
wanted to report it now. I'm not sure if --no-metadata is essential to
reproducing the bug, or if it happens in all cases.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
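A way to catch the drift the report describes before a guest is started on the wrong disk, as an added example in Python (not libvirt code): diff the `<disk>` definitions of two `virsh dumpxml` outputs, taken before and after the libvirtd restart, and flag any disk that went from a qcow2 overlay back to another source. The two XML documents are constructed from the grep output above; the `<target dev='hda'/>` element is an assumption, since the report does not show it.

```python
import xml.etree.ElementTree as ET


def disk_map(domain_xml):
    """Map each disk's target dev to (disk type, driver type, source path)."""
    disks = {}
    for disk in ET.fromstring(domain_xml).findall("./devices/disk"):
        target = disk.find("target")
        driver = disk.find("driver")
        source = disk.find("source")
        if target is None:
            continue
        path = None
        if source is not None:
            path = source.get("dev") or source.get("file")
        disks[target.get("dev")] = (
            disk.get("type"),
            driver.get("type") if driver is not None else None,
            path,
        )
    return disks


def disk_drift(before_xml, after_xml):
    """Disks whose type, driver format or source differ between two dumps,
    as {dev: (before, after)}; a disk missing on one side shows as None."""
    before, after = disk_map(before_xml), disk_map(after_xml)
    return {dev: (before.get(dev), after.get(dev))
            for dev in sorted(set(before) | set(after))
            if before.get(dev) != after.get(dev)}


def disks_reverted_behind_overlay(before_xml, after_xml):
    """Devs where the earlier dump used a qcow2 overlay and the later one
    points elsewhere: starting the guest now would run on the base image
    and discard everything written through the overlay."""
    return [dev for dev, (b, a) in disk_drift(before_xml, after_xml).items()
            if b is not None and a is not None
            and b[1] == "qcow2" and a[2] != b[2]]


# Constructed from the report: right after snapshot-create-as, and after
# 'systemctl restart libvirtd'.
AFTER_SNAPSHOT_XML = """<domain type='kvm'><name>win64</name><devices>
  <disk type='block' device='disk'>
    <driver name='qemu' type='qcow2'/>
    <source dev='/var/lib/libvirt/images/win64.qcow2'/>
    <target dev='hda' bus='ide'/>
  </disk>
</devices></domain>"""

AFTER_RESTART_XML = """<domain type='kvm'><name>win64</name><devices>
  <disk type='block' device='disk'>
    <driver name='qemu' type='raw'/>
    <source dev='/dev/sda4'/>
    <target dev='hda' bus='ide'/>
  </disk>
</devices></domain>"""

if __name__ == "__main__":
    for dev, (b, a) in disk_drift(AFTER_SNAPSHOT_XML, AFTER_RESTART_XML).items():
        print(f"{dev}: {b} -> {a}")
    print("at risk:", disks_reverted_behind_overlay(AFTER_SNAPSHOT_XML,
                                                    AFTER_RESTART_XML))
```

In practice, save `virsh dumpxml win64` to a file right after the snapshot and again after the restart, read both files and pass their contents to `disks_reverted_behind_overlay`; a non-empty result means the persistent configuration no longer points at the overlay and the guest must not be started until that is fixed.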
9 years, 11 months
[libvirt] [PATCHv3 2/2] security: Add a new func use stat to get process DAC label
by Luyao Huang
When using qemuProcessAttach to attach a qemu process, we cannot
get the right DAC label. Add a new function to get the process label
via stat. Do not remove virDomainDefGetSecurityLabelDef
before trying to use stat to get the process DAC label, because
some other functions call virSecurityDACGetProcessLabel.
v2: add FreeBSD support.
v3: use snprintf instead of virAsprintf and move the error
reporting into virSecurityDACGetProcessLabelInternal.
Signed-off-by: Luyao Huang <lhuang(a)redhat.com>
---
src/security/security_dac.c | 85 +++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 82 insertions(+), 3 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 85253af..8fd1e6e 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -22,6 +22,12 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
+#include <errno.h>
+
+#ifdef __FreeBSD__
+# include <sys/sysctl.h>
+# include <sys/user.h>
+#endif
#include "security_dac.h"
#include "virerror.h"
@@ -1236,17 +1242,90 @@ virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return 0;
}
+#ifdef __linux__
+static int
+virSecurityDACGetProcessLabelInternal(pid_t pid,
+ virSecurityLabelPtr seclabel)
+{
+ struct stat sb;
+ char *path = NULL;
+ int ret = -1;
+
+ VIR_INFO("Getting DAC user and group on process '%d'", pid);
+
+ if (virAsprintf(&path, "/proc/%d", (int) pid) < 0)
+ goto cleanup;
+
+ if (lstat(path, &sb) < 0) {
+ virReportSystemError(errno,
+ _("unable to get PID %d uid and gid via stat"),
+ pid);
+ goto cleanup;
+ }
+
+ snprintf(seclabel->label, VIR_SECURITY_LABEL_BUFLEN,
+ "+%u:+%u", (unsigned int) sb.st_uid, (unsigned int) sb.st_gid);
+ ret = 0;
+
+cleanup:
+ VIR_FREE(path);
+ return ret;
+}
+#elif defined(__FreeBSD__)
+static int
+virSecurityDACGetProcessLabelInternal(pid_t pid,
+ virSecurityLabelPtr seclabel)
+{
+ struct kinfo_proc p;
+ int mib[4];
+ size_t len = 4;
+
+ sysctlnametomib("kern.proc.pid", mib, &len);
+
+ len = sizeof(struct kinfo_proc);
+ mib[3] = pid;
+
+ if (sysctl(mib, 4, &p, &len, NULL, 0) < 0) {
+ virReportSystemError(errno,
+ _("unable to get PID %d uid and gid via sysctl"),
+ pid);
+ return -1;
+ }
+
+ snprintf(seclabel->label, VIR_SECURITY_LABEL_BUFLEN,
+ "+%u:+%u", (unsigned int) p.ki_ruid, (unsigned int) p.ki_rgid);
+
+ return 0;
+}
+#else
+static int
+virSecurityDACGetProcessLabelInternal(pid_t pid,
+ virSecurityLabelPtr seclabel)
+{
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED,
+ "Cannot get proccess DAC label for pid %d on this platform",
+ (int) pid);
+ return -1;
+}
+#endif
+
static int
virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def,
- pid_t pid ATTRIBUTE_UNUSED,
+ pid_t pid,
virSecurityLabelPtr seclabel)
{
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (!secdef || !seclabel)
- return -1;
+ if (secdef == NULL) {
+ VIR_DEBUG("missing label for DAC security "
+ "driver in domain %s", def->name);
+
+ if (virSecurityDACGetProcessLabelInternal(pid, seclabel) < 0)
+ return -1;
+ return 0;
+ }
if (secdef->label)
ignore_value(virStrcpy(seclabel->label, secdef->label,
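Review bot: on Linux, lstat() of /proc/<pid> is not a reliable source of the process credentials: the directory is owned by the process's effective uid/gid only while the process is dumpable, and is owned by root otherwise (for example after the process has changed uid), so an attached qemu running as a dedicated user can be labelled +0:+0. Reading the Uid:/Gid: lines of /proc/<pid>/status avoids that. The FreeBSD branch reports real ids (ki_ruid/ki_rgid) while the Linux branch effectively reports effective ids, so the two platforms disagree; pick one and say which in a comment. Smaller points: the sysctlnametomib() return value is unchecked; the #else message is not wrapped in _() and misspells "process"; and the two `pid` arguments printed with %d in VIR_INFO and virReportSystemError need the `(int)` cast the rest of the file uses.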
--
1.8.3.1
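The same "+uid:+gid" label derived two ways, as an added example in Python (not libvirt code): once from the ownership of /proc/<pid> as the Linux branch of the patch does, and once from the Uid:/Gid: lines of /proc/<pid>/status, which stay correct for a non-dumpable process whose /proc/<pid> is owned by root. It assumes the standard /proc layout (status columns are real, effective, saved and filesystem ids) and uses constructed status excerpts for the offline checks.

```python
import os
import re

_ID_LINE = re.compile(r"^(Uid|Gid):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def label_from_ids(uid, gid):
    """Same '+uid:+gid' form the patch writes into seclabel->label."""
    return f"+{uid}:+{gid}"


def label_from_proc_stat(pid):
    """What the Linux branch of the patch does: ownership of /proc/<pid>."""
    st = os.lstat(f"/proc/{pid}")
    return label_from_ids(st.st_uid, st.st_gid)


def parse_status_ids(status_text):
    """Parse the Uid:/Gid: lines of /proc/<pid>/status into
    {'Uid': (real, effective, saved, fs), 'Gid': (...)}."""
    ids = {}
    for line in status_text.splitlines():
        m = _ID_LINE.match(line)
        if m:
            ids[m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    if set(ids) != {"Uid", "Gid"}:
        raise ValueError("Uid:/Gid: lines missing from status text")
    return ids


def label_from_status_text(status_text, real=False):
    """Label from the status lines: effective ids by default (what the
    owner of a dumpable /proc/<pid> reflects), real ids when real=True
    (what the FreeBSD branch's ki_ruid/ki_rgid give)."""
    ids = parse_status_ids(status_text)
    column = 0 if real else 1
    return label_from_ids(ids["Uid"][column], ids["Gid"][column])


def dac_label(pid):
    """Return (label, consistent).  consistent is False when the stat-based
    label disagrees with /proc/<pid>/status, which is what happens for a
    non-dumpable process whose /proc/<pid> is owned by root."""
    with open(f"/proc/{pid}/status", encoding="ascii", errors="replace") as fh:
        from_status = label_from_status_text(fh.read())
    return from_status, from_status == label_from_proc_stat(pid)


# Constructed status excerpts: a qemu running as a dedicated user, and a
# process that switched uid (real 0, effective 107).
STATUS_QEMU_USER = ("Name:\tqemu-system-x86\n"
                    "Uid:\t107\t107\t107\t107\nGid:\t107\t107\t107\t107\n")
STATUS_SWITCHED = ("Name:\tqemu-system-x86\n"
                   "Uid:\t0\t107\t107\t107\nGid:\t0\t107\t107\t107\n")

if __name__ == "__main__":
    label, consistent = dac_label(os.getpid())
    print(f"pid {os.getpid()}: {label} (stat agrees with status: {consistent})")
```

Run against a qemu pid on a Linux host, `dac_label` reports the label libvirt should store together with whether the stat shortcut would have produced the same answer; for a non-dumpable qemu it will not.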
9 years, 11 months
[libvirt] [PATCH] docs: network: fix some trivial typos in docs/formatnetwork.html
by Chen Fan
This patch fixes some weird typos:
1. < hostdev> => <hostdev>
2. < type> => <type>
3. <virtualport > => <virtualport>
4. redundant comma
5. missing right-half bracket
Signed-off-by: Chen Fan <chen.fan.fnst(a)cn.fujitsu.com>
---
docs/formatnetwork.html.in | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index dc438ae..7bcf316 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -288,7 +288,7 @@
(Single Root I/O Virtualization) virtual function (VF)
devices can be assigned in this manner; to assign a
standard single-port PCI or PCIe ethernet card to a guest,
- use the traditional <code>< hostdev></code> device
+ use the traditional <code><hostdev></code> device
definition. <span class="since"> Since 0.10.0</span>
<p>
@@ -312,9 +312,9 @@
<p>Note that this "intelligent passthrough" of network
devices is very similar to the functionality of a
- standard <code>< hostdev></code> device, the
+ standard <code><hostdev></code> device, the
difference being that this method allows specifying a MAC
- address, vlan tag, and <code><virtualport ></code>
+ address, vlan tag, and <code><virtualport></code>
for the passed-through device. If these capabilities are
not required, if you have a standard single-port PCI,
PCIe, or USB network card that doesn't support SR-IOV (and
@@ -383,9 +383,9 @@
<span class="since">since 0.10.0</span> When using forward
mode 'hostdev', the interface pool is specified with a list
of <code><address></code> elements, each of which has
- <code>< type></code> (must always be <code>'pci'</code>,
+ <code><type></code> (must always be <code>'pci'</code>),
<code><domain></code>, <code><bus></code>,
- <code><slot></code>, and <code><function></code>
+ <code><slot></code>and <code><function></code>
attributes.
</p>
<pre>
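Review bot: the last change in this hunk turns `<code>&lt;slot&gt;</code>, and <code>&lt;function&gt;</code>` into `<code>&lt;slot&gt;</code>and <code>&lt;function&gt;</code>`, dropping the space along with the comma, so the rendered text reads "<slot>and <function>". The comma before "and" in this three-item list is not redundant; keep the original line, or at least restore the space. The added `)` after `'pci'` is correct.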
--
1.9.3
9 years, 11 months