June 2024 - Devel - Libvirt List Archives

[PATCH] qemuDomainDiskChangeSupported: Fill in missing check

by Adam Julis

Any modification of iothreads attribute is prohibit, the original setup must be identical with updated version of xml. Resolves: https://issues.redhat.com/browse/RHEL-23607 Signed-off-by: Adam Julis <ajulis(a)redhat.com> --- src/qemu/qemu_domain.c | 47 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 1a90311ca5..6d7b939a31 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -8484,6 +8484,53 @@ qemuDomainDiskChangeSupported(virDomainDiskDef *disk, CHECK_EQ(discard, "discard", true); CHECK_EQ(iothread, "iothread", true); + /* check if new or original disk contains iothreads information + * if yes, they must be identical, any changes are prohibit*/ + + if (!!disk->iothreads != !!orig_disk->iothreads) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, + _("cannot modify field '%1$s' of the disk"), + "iothreads"); + return false; + } + + if (disk->iothreads && orig_disk->iothreads) { + GSList *n, *m; + + m = disk->iothreads; + + for (n = orig_disk->iothreads; n; n = n->next) { + size_t i; + virDomainDiskIothreadDef *n_data = (virDomainDiskIothreadDef *) n->data; + virDomainDiskIothreadDef *m_data = (virDomainDiskIothreadDef *) m->data; + + if (n_data->id != m_data->id || n_data->nqueues != m_data->nqueues) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, + _("cannot modify field '%1$s' of the disk"), + "iothreads"); + return false; + } + + for (i = 0; i < n_data->nqueues; i++) { + if (n_data->queues[i] != m_data->queues[i]) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, + _("cannot modify field '%1$s' of the disk"), + "iothreads"); + return false; + } + } + + m = m->next; + + if (!m && n->next) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, + _("cannot modify field '%1$s' of the disk"), + "iothreads"); + return false; + } + } + } + CHECK_STREQ_NULLABLE(domain_name, "backenddomain"); -- 2.45.2

4 months, 1 week

1
0
0 / 0

[libvirt RFC PATCH 0/2] qemu: do not use deprecated options for new virtiofsd

by Ján Tomko

Depends on https://gitlab.com/virtio-fs/virtiofsd/-/merge_requests/231 Ján Tomko (2): qemu: fill capabilities for virtiofsd qemu: do not use deprecated options for new virtiofsd src/conf/domain_conf.h | 1 + src/qemu/qemu_vhost_user.c | 59 +++++++++++++++++++++++++ src/qemu/qemu_vhost_user.h | 12 ++++++ src/qemu/qemu_virtiofs.c | 88 ++++++++++++++++++++++++++------------ 4 files changed, 132 insertions(+), 28 deletions(-) -- 2.45.2

4 months, 1 week

1
2
0 / 0

[PATCH 0/8] Expose SEV-SNP in domcaps and virt-host-validate

by Michal Privoznik

This is a promised follow up to: https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/7... Michal Prívozník (8): libvirt_private.syms: Export virDomainLaunchSecurity enum handlers qemuxmlconftest; Explicitly enable QEMU_CAPS_SEV_SNP_GUEST for "launch-security-sev-snp" qemu_capabilities: Probe SEV capabilities even for QEMU_CAPS_SEV_SNP_GUEST domcaps: Report launchSecurity qemu: Fill launchSecurity in domaincaps qemu_validate: Use domaincaps to validate supported launchSecurity type virt-host-validate: Move AMD SEV into a separate func virt-host-validate: Detect SEV-ES and SEV-SNP docs/formatdomaincaps.rst | 10 +++ src/conf/domain_capabilities.c | 14 ++++ src/conf/domain_capabilities.h | 9 ++ src/conf/schemas/domaincaps.rng | 10 +++ src/libvirt_private.syms | 2 + src/qemu/qemu_capabilities.c | 24 +++++- src/qemu/qemu_capabilities.h | 3 + src/qemu/qemu_validate.c | 29 +++---- .../domaincapsdata/qemu_4.2.0-q35.x86_64.xml | 3 + .../domaincapsdata/qemu_4.2.0-tcg.x86_64.xml | 3 + .../qemu_4.2.0-virt.aarch64.xml | 3 + tests/domaincapsdata/qemu_4.2.0.aarch64.xml | 3 + tests/domaincapsdata/qemu_4.2.0.ppc64.xml | 3 + tests/domaincapsdata/qemu_4.2.0.s390x.xml | 3 + tests/domaincapsdata/qemu_4.2.0.x86_64.xml | 3 + .../domaincapsdata/qemu_5.0.0-q35.x86_64.xml | 3 + .../qemu_5.0.0-tcg-virt.riscv64.xml | 3 + .../domaincapsdata/qemu_5.0.0-tcg.x86_64.xml | 3 + .../qemu_5.0.0-virt.aarch64.xml | 3 + .../qemu_5.0.0-virt.riscv64.xml | 3 + tests/domaincapsdata/qemu_5.0.0.aarch64.xml | 3 + tests/domaincapsdata/qemu_5.0.0.ppc64.xml | 3 + tests/domaincapsdata/qemu_5.0.0.x86_64.xml | 3 + .../domaincapsdata/qemu_5.1.0-q35.x86_64.xml | 3 + .../domaincapsdata/qemu_5.1.0-tcg.x86_64.xml | 3 + tests/domaincapsdata/qemu_5.1.0.sparc.xml | 3 + tests/domaincapsdata/qemu_5.1.0.x86_64.xml | 3 + .../domaincapsdata/qemu_5.2.0-q35.x86_64.xml | 3 + .../qemu_5.2.0-tcg-virt.riscv64.xml | 3 + .../domaincapsdata/qemu_5.2.0-tcg.x86_64.xml | 3 + .../qemu_5.2.0-virt.aarch64.xml | 3 + .../qemu_5.2.0-virt.riscv64.xml | 3 + tests/domaincapsdata/qemu_5.2.0.aarch64.xml | 3 + tests/domaincapsdata/qemu_5.2.0.ppc64.xml | 3 + tests/domaincapsdata/qemu_5.2.0.s390x.xml | 3 + tests/domaincapsdata/qemu_5.2.0.x86_64.xml | 3 + .../domaincapsdata/qemu_6.0.0-q35.x86_64.xml | 5 ++ .../domaincapsdata/qemu_6.0.0-tcg.x86_64.xml | 5 ++ .../qemu_6.0.0-virt.aarch64.xml | 3 + tests/domaincapsdata/qemu_6.0.0.aarch64.xml | 3 + tests/domaincapsdata/qemu_6.0.0.s390x.xml | 5 ++ tests/domaincapsdata/qemu_6.0.0.x86_64.xml | 5 ++ .../domaincapsdata/qemu_6.1.0-q35.x86_64.xml | 3 + .../domaincapsdata/qemu_6.1.0-tcg.x86_64.xml | 3 + tests/domaincapsdata/qemu_6.1.0.x86_64.xml | 3 + .../domaincapsdata/qemu_6.2.0-q35.x86_64.xml | 3 + .../domaincapsdata/qemu_6.2.0-tcg.x86_64.xml | 3 + .../qemu_6.2.0-virt.aarch64.xml | 3 + tests/domaincapsdata/qemu_6.2.0.aarch64.xml | 3 + tests/domaincapsdata/qemu_6.2.0.ppc64.xml | 3 + tests/domaincapsdata/qemu_6.2.0.x86_64.xml | 3 + .../qemu_7.0.0-hvf.aarch64+hvf.xml | 3 + .../domaincapsdata/qemu_7.0.0-q35.x86_64.xml | 3 + .../domaincapsdata/qemu_7.0.0-tcg.x86_64.xml | 3 + .../qemu_7.0.0-virt.aarch64.xml | 3 + tests/domaincapsdata/qemu_7.0.0.aarch64.xml | 3 + tests/domaincapsdata/qemu_7.0.0.ppc64.xml | 3 + tests/domaincapsdata/qemu_7.0.0.x86_64.xml | 3 + .../domaincapsdata/qemu_7.1.0-q35.x86_64.xml | 3 + .../domaincapsdata/qemu_7.1.0-tcg.x86_64.xml | 3 + tests/domaincapsdata/qemu_7.1.0.ppc64.xml | 3 + tests/domaincapsdata/qemu_7.1.0.x86_64.xml | 3 + .../qemu_7.2.0-hvf.x86_64+hvf.xml | 3 + .../domaincapsdata/qemu_7.2.0-q35.x86_64.xml | 3 + .../qemu_7.2.0-tcg.x86_64+hvf.xml | 3 + .../domaincapsdata/qemu_7.2.0-tcg.x86_64.xml | 3 + tests/domaincapsdata/qemu_7.2.0.ppc.xml | 3 + tests/domaincapsdata/qemu_7.2.0.x86_64.xml | 3 + .../domaincapsdata/qemu_8.0.0-q35.x86_64.xml | 3 + .../qemu_8.0.0-tcg-virt.riscv64.xml | 3 + .../domaincapsdata/qemu_8.0.0-tcg.x86_64.xml | 3 + .../qemu_8.0.0-virt.riscv64.xml | 3 + tests/domaincapsdata/qemu_8.0.0.x86_64.xml | 3 + .../domaincapsdata/qemu_8.1.0-q35.x86_64.xml | 3 + .../domaincapsdata/qemu_8.1.0-tcg.x86_64.xml | 3 + tests/domaincapsdata/qemu_8.1.0.s390x.xml | 5 ++ tests/domaincapsdata/qemu_8.1.0.x86_64.xml | 3 + .../domaincapsdata/qemu_8.2.0-q35.x86_64.xml | 3 + .../qemu_8.2.0-tcg-virt.loongarch64.xml | 3 + .../domaincapsdata/qemu_8.2.0-tcg.x86_64.xml | 3 + .../qemu_8.2.0-virt.aarch64.xml | 3 + .../qemu_8.2.0-virt.loongarch64.xml | 3 + tests/domaincapsdata/qemu_8.2.0.aarch64.xml | 3 + tests/domaincapsdata/qemu_8.2.0.armv7l.xml | 3 + tests/domaincapsdata/qemu_8.2.0.s390x.xml | 5 ++ tests/domaincapsdata/qemu_8.2.0.x86_64.xml | 3 + .../domaincapsdata/qemu_9.0.0-q35.x86_64.xml | 3 + .../domaincapsdata/qemu_9.0.0-tcg.x86_64.xml | 3 + tests/domaincapsdata/qemu_9.0.0.x86_64.xml | 3 + .../domaincapsdata/qemu_9.1.0-q35.x86_64.xml | 3 + .../domaincapsdata/qemu_9.1.0-tcg.x86_64.xml | 3 + tests/domaincapsdata/qemu_9.1.0.x86_64.xml | 3 + .../caps_9.1.0_x86_64.xml | 1 - tests/qemuxmlconftest.c | 6 +- tools/virt-host-validate-common.c | 83 ++++++++++++++----- 95 files changed, 413 insertions(+), 42 deletions(-) -- 2.44.2

4 months, 1 week

3
12
0 / 0

[PATCH 0/2] qemu_command: Enable sev-guest.legacy-vm-type when possible

by Michal Privoznik

*** IMPORTANT *** There's a competing patch sent to qemu-devel which when merged renders these patches unnecessary: https://mail.gnu.org/archive/html/qemu-devel/2024-06/msg02776.html But I accumulated this change whilst working on previous patches that enabled SEV SNP and figured might as well send them if QEMU patch doesn't make it in time for our release. Michal Prívozník (2): qemu_capabilities: Introduce QEMU_CAPS_SEV_GUEST_LEGACY_VM_TYPE qemu_command: Enable sev-guest.legacy-vm-type when possible src/qemu/qemu_capabilities.c | 2 ++ src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_command.c | 9 +++++++++ tests/qemucapabilitiesdata/caps_9.1.0_x86_64.xml | 1 + .../launch-security-sev-direct.x86_64-latest.args | 2 +- 5 files changed, 14 insertions(+), 1 deletion(-) -- 2.44.2

4 months, 1 week

1
2
0 / 0

[PATCH v2] qemu_block: Validate number of hosts for iSCSI disk device

by Rayhan Faizel

An iSCSI device with zero hosts will result in a segmentation fault. This patch adds a check for the number of hosts, which must be one in the case of iSCSI. Minimal reproducing XML: <domain type='qemu'> <name>MyGuest</name> <uuid>4dea22b3-1d52-d8f3-2516-782e98ab3fa0</uuid> <os> <type arch='x86_64'>hvm</type> </os> <memory>4096</memory> <devices> <disk type='network'> <source name='dummy' protocol='iscsi'/> <target dev='vda'/> </disk> </devices> </domain> Signed-off-by: Rayhan Faizel <rayhan.faizel(a)gmail.com> --- This crashing XML was detected by the WIP fuzzer which is being developed as part of Google Summer of Code 2024. [Changes in v2] - Added testcase for iSCSI disk definitions with zero hosts src/qemu/qemu_block.c | 6 ++++ ...iscsi-zero-hosts-invalid.x86_64-latest.err | 1 + ...iscsi-zero-hosts-invalid.x86_64-latest.xml | 35 +++++++++++++++++++ .../disk-network-iscsi-zero-hosts-invalid.xml | 27 ++++++++++++++ tests/qemuxmlconftest.c | 2 ++ 5 files changed, 71 insertions(+) create mode 100644 tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.x86_64-latest.err create mode 100644 tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.x86_64-latest.xml create mode 100644 tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.xml diff --git a/src/qemu/qemu_block.c b/src/qemu/qemu_block.c index 738b72d7ea..d6cdf521c4 100644 --- a/src/qemu/qemu_block.c +++ b/src/qemu/qemu_block.c @@ -602,6 +602,12 @@ qemuBlockStorageSourceGetISCSIProps(virStorageSource *src, * } */ + if (src->nhosts != 1) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("iSCSI protocol accepts only one host")); + return NULL; + } + target = g_strdup(src->path); /* Separate the target and lun */ diff --git a/tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.x86_64-latest.err b/tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.x86_64-latest.err new file mode 100644 index 0000000000..ec66bebf22 --- /dev/null +++ b/tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.x86_64-latest.err @@ -0,0 +1 @@ +internal error: iSCSI protocol accepts only one host diff --git a/tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.x86_64-latest.xml b/tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.x86_64-latest.xml new file mode 100644 index 0000000000..ad556180ab --- /dev/null +++ b/tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.x86_64-latest.xml @@ -0,0 +1,35 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <cpu mode='custom' match='exact' check='none'> + <model fallback='forbid'>qemu64</model> + </cpu> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='network' device='disk'> + <driver name='qemu' type='raw'/> + <source protocol='iscsi' name='iqn.1992-01.com.example:storage/1'/> + <target dev='vda' bus='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> + </disk> + <controller type='usb' index='0' model='piix3-uhci'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/> + </controller> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <audio id='1' type='none'/> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.xml b/tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.xml new file mode 100644 index 0000000000..6369f01644 --- /dev/null +++ b/tests/qemuxmlconfdata/disk-network-iscsi-zero-hosts-invalid.xml @@ -0,0 +1,27 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-system-x86_64</emulator> + <disk type='network' device='disk'> + <source protocol='iscsi' name='iqn.1992-01.com.example:storage/1'/> + <target dev='vda' bus='virtio'/> + </disk> + <controller type='usb' index='0'/> + <controller type='pci' index='0' model='pci-root'/> + <input type='mouse' bus='ps2'/> + <input type='keyboard' bus='ps2'/> + <memballoon model='none'/> + </devices> +</domain> diff --git a/tests/qemuxmlconftest.c b/tests/qemuxmlconftest.c index 2842b44b3e..0c71db1f22 100644 --- a/tests/qemuxmlconftest.c +++ b/tests/qemuxmlconftest.c @@ -2987,6 +2987,8 @@ mymain(void) DO_TEST_CAPS_LATEST("net-usb") DO_TEST_CAPS_LATEST("sound-device-virtio") + DO_TEST_CAPS_LATEST_FAILURE("disk-network-iscsi-zero-hosts-invalid") + /* check that all input files were actually used here */ if (testConfXMLCheck(existingTestCases) < 0) ret = -1; -- 2.34.1

4 months, 1 week

2
3
0 / 0

[PATCH v2] qemu: add support for qemu switchover-ack

by Jon Kohler

Add plumbing for QEMU's switchover-ack migration capability, which helps lower the downtime during VFIO migrations. This capability is enabled by default as long as both the source and destination support it. Note: switchover-ack depends on the return path capability, so this may not be used when VIR_MIGRATE_TUNNELLED flag is set. Extensive details about the qemu switchover-ack implementation are available in the qemu series v6 cover letter [1] where the highlight is the extreme reduction in guest visible downtime. In addition to the original test results below, I saw a roughly ~20% reduction in downtime for VFIO VGPU devices at minimum. === Test results === The below table shows the downtime of two identical migrations. In the first migration swithcover ack is disabled and in the second it is enabled. The migrated VM is assigned with a mlx5 VFIO device which has 300MB of device data to be migrated. +----------------------+-----------------------+----------+ | Switchover ack | VFIO device data size | Downtime | +----------------------+-----------------------+----------+ | Disabled | 300MB | 1900ms | | Enabled | 300MB | 420ms | +----------------------+-----------------------+----------+ Switchover ack gives a roughly 4.5 times improvement in downtime. The 1480ms difference is time that is used for resource allocation for the VFIO device in the destination. Without switchover ack, this time is spent when the source VM is stopped and thus the downtime is much higher. With switchover ack, the time is spent when the source VM is still running. [1] https://patchwork.kernel.org/project/qemu-devel/cover/20230621111201.2972... Signed-off-by: Jon Kohler <jon(a)nutanix.com> Cc: Alex Williamson <alex.williamson(a)redhat.com> Cc: Avihai Horon <avihaih(a)nvidia.com> Cc: Markus Armbruster <armbru(a)redhat.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: YangHang Liu <yanghliu(a)redhat.com> --- v1 - https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/2X... v1 -> v2: - Addressed comments to simplify approach (Daniel, Jiri) --- src/qemu/qemu_migration.h | 1 + src/qemu/qemu_migration_params.c | 8 +++++++- src/qemu/qemu_migration_params.h | 1 + 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index ed62fd4a91..cd89e100e1 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -62,6 +62,7 @@ VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES | \ VIR_MIGRATE_POSTCOPY_RESUME | \ VIR_MIGRATE_ZEROCOPY | \ + VIR_MIGRATE_SWITCHOVER_ACK | \ 0) /* All supported migration parameters and their types. */ diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c index 48f8657f71..9593b6ba65 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -105,6 +105,7 @@ VIR_ENUM_IMPL(qemuMigrationCapability, "return-path", "zero-copy-send", "postcopy-preempt", + "switchover-ack", ); @@ -138,7 +139,7 @@ struct _qemuMigrationParamsAlwaysOnItem { typedef struct _qemuMigrationParamsFlagMapItem qemuMigrationParamsFlagMapItem; struct _qemuMigrationParamsFlagMapItem { /* Describes what to do with the capability if @flag is found. - * When se to QEMU_MIGRATION_FLAG_REQUIRED, the capability will be + * When set to QEMU_MIGRATION_FLAG_REQUIRED, the capability will be * enabled iff the specified migration flag is enabled. On the other hand * QEMU_MIGRATION_FLAG_FORBIDDEN will enable the capability as long as * the specified migration flag is not enabled. */ @@ -215,6 +216,11 @@ static const qemuMigrationParamsFlagMapItem qemuMigrationParamsFlagMap[] = { .flag = VIR_MIGRATE_ZEROCOPY, .cap = QEMU_MIGRATION_CAP_ZERO_COPY_SEND, .party = QEMU_MIGRATION_SOURCE}, + + {.match = QEMU_MIGRATION_FLAG_FORBIDDEN, + .flag = VIR_MIGRATE_TUNNELLED, + .cap = QEMU_MIGRATION_CAP_SWITCHOVER_ACK, + .party = QEMU_MIGRATION_SOURCE | QEMU_MIGRATION_DESTINATION}, }; /* Translation from VIR_MIGRATE_PARAM_* typed parameters to diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_params.h index 91bc6792cd..df67f1fb92 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h @@ -41,6 +41,7 @@ typedef enum { QEMU_MIGRATION_CAP_RETURN_PATH, QEMU_MIGRATION_CAP_ZERO_COPY_SEND, QEMU_MIGRATION_CAP_POSTCOPY_PREEMPT, + QEMU_MIGRATION_CAP_SWITCHOVER_ACK, QEMU_MIGRATION_CAP_LAST } qemuMigrationCapability; -- 2.43.0

4 months, 1 week

2
1
0 / 0

[PATCH] qemu: Fix migration with disabled vmx-* CPU features

by Jiri Denemark

When starting a domain on a host which lacks a vmx-* CPU feature which is expected to be enabled by the CPU model specified in the domain XML, libvirt properly marks such feature as disabled in the active domain XML. But migrating the domain to a similar host which lacks the same vmx-* feature will fail with libvirt reporting the feature as missing. This is because of a bug in the hack ensuring backward compatibility libvirt running on the destination thinks the missing feature is expected to be enabled. https://issues.redhat.com/browse/RHEL-40899 Fixes: v10.1.0-85-g5fbfa5ab8a Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com> --- src/cpu/cpu_x86.c | 44 +++++++++++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/src/cpu/cpu_x86.c b/src/cpu/cpu_x86.c index 7a70eed9e7..fcbce0ec46 100644 --- a/src/cpu/cpu_x86.c +++ b/src/cpu/cpu_x86.c @@ -3021,10 +3021,7 @@ virCPUx86UpdateLive(virCPUDef *cpu, if (!(map = virCPUx86GetMap())) return -1; - if (!(model = x86ModelFromCPU(cpu, map, -1))) - return -1; - - if (hostPassthrough && + if (!(model = x86ModelFromCPU(cpu, map, -1)) || !(modelDisabled = x86ModelFromCPU(cpu, map, VIR_CPU_FEATURE_DISABLE))) return -1; @@ -3037,12 +3034,19 @@ virCPUx86UpdateLive(virCPUDef *cpu, for (i = 0; i < map->nfeatures; i++) { virCPUx86Feature *feature = map->features[i]; virCPUFeaturePolicy expected = VIR_CPU_FEATURE_LAST; + bool explicit = false; + bool ignore = false; - if (x86DataIsSubset(&model->data, &feature->data)) + if (x86DataIsSubset(&model->data, &feature->data)) { + explicit = true; expected = VIR_CPU_FEATURE_REQUIRE; - else if (!hostPassthrough || - x86DataIsSubset(&modelDisabled->data, &feature->data)) + } else if (x86DataIsSubset(&modelDisabled->data, &feature->data)) { + explicit = true; + expected = VIR_CPU_FEATURE_DISABLE; + } else if (!hostPassthrough) { + /* implicitly disabled */ expected = VIR_CPU_FEATURE_DISABLE; + } if (x86DataIsSubset(&enabled, &feature->data) && x86DataIsSubset(&disabled, &feature->data)) { @@ -3052,30 +3056,36 @@ virCPUx86UpdateLive(virCPUDef *cpu, return -1; } + /* Features enabled or disabled by the hypervisor are ignored by + * check='full' in case they were added to the model later and not + * explicitly mentioned in the CPU definition. This matches how libvirt + * behaved before the features were added. + */ + if (!explicit && + g_strv_contains((const char **) model->addedFeatures, feature->name)) + ignore = true; + if (expected == VIR_CPU_FEATURE_DISABLE && x86DataIsSubset(&enabled, &feature->data)) { VIR_DEBUG("Feature '%s' enabled by the hypervisor", feature->name); - /* Extra features enabled by the hypervisor are ignored by - * check='full' in case they were added to the model later for - * backward compatibility with the older definition of the model. - */ - if (cpu->check == VIR_CPU_CHECK_FULL && - !g_strv_contains((const char **) model->addedFeatures, feature->name)) { + if (cpu->check == VIR_CPU_CHECK_FULL && !ignore) virBufferAsprintf(&bufAdded, "%s,", feature->name); - } else { + else virCPUDefUpdateFeature(cpu, feature->name, VIR_CPU_FEATURE_REQUIRE); - } } if (x86DataIsSubset(&disabled, &feature->data) || (expected == VIR_CPU_FEATURE_REQUIRE && !x86DataIsSubset(&enabled, &feature->data))) { VIR_DEBUG("Feature '%s' disabled by the hypervisor", feature->name); - if (cpu->check == VIR_CPU_CHECK_FULL) + + if (cpu->check == VIR_CPU_CHECK_FULL && !ignore) { virBufferAsprintf(&bufRemoved, "%s,", feature->name); - else + } else { virCPUDefUpdateFeature(cpu, feature->name, VIR_CPU_FEATURE_DISABLE); + x86DataSubtract(&disabled, &feature->data); + } } } -- 2.45.1

4 months, 1 week

2
1
0 / 0

[PATCH] qemu: add support for qemu switchover-ack

by Jon Kohler

Add plumbing for QEMU's switchover-ack migration capability, which helps lower the downtime during VFIO migrations. This capability is enabled by default as long as both the source and destination support it. Note: switchover-ack depends on the return path capability, so this may not be used when VIR_MIGRATE_TUNNELLED flag is set. Extensive details about the qemu switchover-ack implementation are available in the qemu series v6 cover letter [1] where the highlight is the extreme reduction in guest visible downtime. In addition to the original test results below, I saw a roughly ~20% reduction in downtime for VFIO VGPU devices at minimum. === Test results === The below table shows the downtime of two identical migrations. In the first migration swithcover ack is disabled and in the second it is enabled. The migrated VM is assigned with a mlx5 VFIO device which has 300MB of device data to be migrated. +----------------------+-----------------------+----------+ | Switchover ack | VFIO device data size | Downtime | +----------------------+-----------------------+----------+ | Disabled | 300MB | 1900ms | | Enabled | 300MB | 420ms | +----------------------+-----------------------+----------+ Switchover ack gives a roughly 4.5 times improvement in downtime. The 1480ms difference is time that is used for resource allocation for the VFIO device in the destination. Without switchover ack, this time is spent when the source VM is stopped and thus the downtime is much higher. With switchover ack, the time is spent when the source VM is still running. [1] https://patchwork.kernel.org/project/qemu-devel/cover/20230621111201.2972... Signed-off-by: Jon Kohler <jon(a)nutanix.com> Cc: Alex Williamson <alex.williamson(a)redhat.com> Cc: Avihai Horon <avihaih(a)nvidia.com> Cc: Markus Armbruster <armbru(a)redhat.com> Cc: Peter Xu <peterx(a)redhat.com> Cc: YangHang Liu <yanghliu(a)redhat.com> --- include/libvirt/libvirt-domain.h | 11 +++++++++++ src/libvirt-domain.c | 20 ++++++++++++++++++++ src/qemu/qemu_migration.h | 1 + src/qemu/qemu_migration_params.c | 8 +++++++- src/qemu/qemu_migration_params.h | 1 + 5 files changed, 40 insertions(+), 1 deletion(-) diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h index 2f5b01bbfe..9543629f30 100644 --- a/include/libvirt/libvirt-domain.h +++ b/include/libvirt/libvirt-domain.h @@ -1100,6 +1100,17 @@ typedef enum { * Since: 8.5.0 */ VIR_MIGRATE_ZEROCOPY = (1 << 20), + + /* Use switchover ack migration capability to reduce downtime on VFIO + * device migration. This prevents the source from stopping the VM and + * completing the migration until an ACK is received from the destination + * that it's OK to do so. Thus, a VFIO device can make sure that its + * initial bytes were sent and loaded in the destination before the + * source VM is stopped. + * + * Since: 10.5.0 + */ + VIR_MIGRATE_SWITCHOVER_ACK = (1 << 21), } virDomainMigrateFlags; diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c index 7c6b93963c..786fef317d 100644 --- a/src/libvirt-domain.c +++ b/src/libvirt-domain.c @@ -3822,6 +3822,10 @@ virDomainMigrate(virDomainPtr domain, VIR_MIGRATE_PARALLEL, error); + VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED, + VIR_MIGRATE_SWITCHOVER_ACK, + error); + VIR_REQUIRE_FLAG_GOTO(VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES, VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_INC, error); @@ -4021,6 +4025,10 @@ virDomainMigrate2(virDomainPtr domain, VIR_MIGRATE_PARALLEL, error); + VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED, + VIR_MIGRATE_SWITCHOVER_ACK, + error); + VIR_REQUIRE_FLAG_GOTO(VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES, VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_INC, error); @@ -4497,6 +4505,10 @@ virDomainMigrateToURI(virDomainPtr domain, VIR_MIGRATE_PARALLEL, error); + VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED, + VIR_MIGRATE_SWITCHOVER_ACK, + error); + if (virDomainMigrateUnmanagedCheckCompat(domain, flags) < 0) goto error; @@ -4577,6 +4589,10 @@ virDomainMigrateToURI2(virDomainPtr domain, VIR_MIGRATE_PARALLEL, error); + VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED, + VIR_MIGRATE_SWITCHOVER_ACK, + error); + if (virDomainMigrateUnmanagedCheckCompat(domain, flags) < 0) goto error; @@ -4656,6 +4672,10 @@ virDomainMigrateToURI3(virDomainPtr domain, VIR_MIGRATE_PARALLEL, error); + VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED, + VIR_MIGRATE_SWITCHOVER_ACK, + error); + if (virDomainMigrateUnmanagedCheckCompat(domain, flags) < 0) goto error; diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h index ed62fd4a91..cd89e100e1 100644 --- a/src/qemu/qemu_migration.h +++ b/src/qemu/qemu_migration.h @@ -62,6 +62,7 @@ VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES | \ VIR_MIGRATE_POSTCOPY_RESUME | \ VIR_MIGRATE_ZEROCOPY | \ + VIR_MIGRATE_SWITCHOVER_ACK | \ 0) /* All supported migration parameters and their types. */ diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c index 48f8657f71..9593b6ba65 100644 --- a/src/qemu/qemu_migration_params.c +++ b/src/qemu/qemu_migration_params.c @@ -105,6 +105,7 @@ VIR_ENUM_IMPL(qemuMigrationCapability, "return-path", "zero-copy-send", "postcopy-preempt", + "switchover-ack", ); @@ -138,7 +139,7 @@ struct _qemuMigrationParamsAlwaysOnItem { typedef struct _qemuMigrationParamsFlagMapItem qemuMigrationParamsFlagMapItem; struct _qemuMigrationParamsFlagMapItem { /* Describes what to do with the capability if @flag is found. - * When se to QEMU_MIGRATION_FLAG_REQUIRED, the capability will be + * When set to QEMU_MIGRATION_FLAG_REQUIRED, the capability will be * enabled iff the specified migration flag is enabled. On the other hand * QEMU_MIGRATION_FLAG_FORBIDDEN will enable the capability as long as * the specified migration flag is not enabled. */ @@ -215,6 +216,11 @@ static const qemuMigrationParamsFlagMapItem qemuMigrationParamsFlagMap[] = { .flag = VIR_MIGRATE_ZEROCOPY, .cap = QEMU_MIGRATION_CAP_ZERO_COPY_SEND, .party = QEMU_MIGRATION_SOURCE}, + + {.match = QEMU_MIGRATION_FLAG_FORBIDDEN, + .flag = VIR_MIGRATE_TUNNELLED, + .cap = QEMU_MIGRATION_CAP_SWITCHOVER_ACK, + .party = QEMU_MIGRATION_SOURCE | QEMU_MIGRATION_DESTINATION}, }; /* Translation from VIR_MIGRATE_PARAM_* typed parameters to diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_params.h index 91bc6792cd..df67f1fb92 100644 --- a/src/qemu/qemu_migration_params.h +++ b/src/qemu/qemu_migration_params.h @@ -41,6 +41,7 @@ typedef enum { QEMU_MIGRATION_CAP_RETURN_PATH, QEMU_MIGRATION_CAP_ZERO_COPY_SEND, QEMU_MIGRATION_CAP_POSTCOPY_PREEMPT, + QEMU_MIGRATION_CAP_SWITCHOVER_ACK, QEMU_MIGRATION_CAP_LAST } qemuMigrationCapability; -- 2.43.0

4 months, 1 week

4
8
0 / 0

[PATCH] network: add more firewall test cases

by Laine Stump

This patch adds some previously missing test cases that test for proper firewall rule creation when the following are included in the network definition: * <forward dev='blah'> * no forward element (an "isolated" network) * nat port range when only ipv4 is nat-ed * nat port range when both ipv4 & ipv6 are nated Signed-off-by: Laine Stump <laine(a)redhat.com> --- If you ack this, please also push it, as I'm on vacation and only sporadically connected. .../forward-dev-linux.iptables | 154 +++++++ .../forward-dev-linux.nftables | 158 +++++++ tests/networkxml2firewalldata/forward-dev.xml | 10 + .../isolated-linux.iptables | 159 ++++++++ .../isolated-linux.nftables | 64 +++ tests/networkxml2firewalldata/isolated.xml | 15 + .../nat-port-range-ipv6-linux.iptables | 317 ++++++++++++++ .../nat-port-range-ipv6-linux.nftables | 386 ++++++++++++++++++ .../nat-port-range-ipv6.xml | 20 + .../nat-port-range-linux.iptables | 283 +++++++++++++ .../nat-port-range-linux.nftables | 314 ++++++++++++++ .../nat-port-range.xml | 20 + tests/networkxml2firewalltest.c | 5 + 13 files changed, 1905 insertions(+) create mode 100644 tests/networkxml2firewalldata/forward-dev-linux.iptables create mode 100644 tests/networkxml2firewalldata/forward-dev-linux.nftables create mode 100644 tests/networkxml2firewalldata/forward-dev.xml create mode 100644 tests/networkxml2firewalldata/isolated-linux.iptables create mode 100644 tests/networkxml2firewalldata/isolated-linux.nftables create mode 100644 tests/networkxml2firewalldata/isolated.xml create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6.xml create mode 100644 tests/networkxml2firewalldata/nat-port-range-linux.iptables create mode 100644 tests/networkxml2firewalldata/nat-port-range-linux.nftables create mode 100644 tests/networkxml2firewalldata/nat-port-range.xml diff --git a/tests/networkxml2firewalldata/forward-dev-linux.iptables b/tests/networkxml2firewalldata/forward-dev-linux.iptables new file mode 100644 index 0000000000..bc483c4512 --- /dev/null +++ b/tests/networkxml2firewalldata/forward-dev-linux.iptables @@ -0,0 +1,154 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--out-interface enp0s7 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--in-interface enp0s7 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--out-interface enp0s7 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--out-interface enp0s7 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' \ +--destination 192.168.122.0/24 \ +--out-interface enp0s7 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--out-interface enp0s7 \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--out-interface enp0s7 \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/forward-dev-linux.nftables b/tests/networkxml2firewalldata/forward-dev-linux.nftables new file mode 100644 index 0000000000..8badb74beb --- /dev/null +++ b/tests/networkxml2firewalldata/forward-dev-linux.nftables @@ -0,0 +1,158 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr \ +192.168.122.0/24 \ +iif \ +virbr0 \ +oifname \ +enp0s7 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +iifname \ +enp0s7 \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +oifname \ +enp0s7 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +oifname \ +enp0s7 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +oifname \ +enp0s7 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +oifname \ +enp0s7 \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +oifname \ +enp0s7 \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/forward-dev.xml b/tests/networkxml2firewalldata/forward-dev.xml new file mode 100644 index 0000000000..8e49d3984d --- /dev/null +++ b/tests/networkxml2firewalldata/forward-dev.xml @@ -0,0 +1,10 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <forward mode='nat' dev='enp0s7'/> + <ip address="192.168.122.1" netmask="255.255.255.0"> + <dhcp> + <range start="192.168.122.2" end="192.168.122.254"/> + </dhcp> + </ip> +</network> diff --git a/tests/networkxml2firewalldata/isolated-linux.iptables b/tests/networkxml2firewalldata/isolated-linux.iptables new file mode 100644 index 0000000000..135189ce41 --- /dev/null +++ b/tests/networkxml2firewalldata/isolated-linux.iptables @@ -0,0 +1,159 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/isolated-linux.nftables b/tests/networkxml2firewalldata/isolated-linux.nftables new file mode 100644 index 0000000000..d1b4dac178 --- /dev/null +++ b/tests/networkxml2firewalldata/isolated-linux.nftables @@ -0,0 +1,64 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/isolated.xml b/tests/networkxml2firewalldata/isolated.xml new file mode 100644 index 0000000000..0e3bed10d1 --- /dev/null +++ b/tests/networkxml2firewalldata/isolated.xml @@ -0,0 +1,15 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <ip address="192.168.122.1" netmask="255.255.255.0"> + <dhcp> + <range start="192.168.122.2" end="192.168.122.254"/> + </dhcp> + </ip> + <ip address="192.168.128.1" netmask="255.255.255.0"/> + <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" > + <dhcp> + <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" /> + </dhcp> + </ip> +</network> diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables new file mode 100644 index 0000000000..c2e845cc4f --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables @@ -0,0 +1,317 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.128.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.128.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +-p udp '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +-p tcp '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +ip6tables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE +ip6tables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +-p udp '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE \ +--to-ports 500-1000 +ip6tables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +-p tcp '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE \ +--to-ports 500-1000 +ip6tables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +--destination ff02::/16 \ +--jump RETURN +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables new file mode 100644 index 0000000000..ceaed6fa40 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables @@ -0,0 +1,386 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr \ +192.168.122.0/24 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr \ +192.168.128.0/24 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_nat \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_nat \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +ff02::/16 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6.xml b/tests/networkxml2firewalldata/nat-port-range-ipv6.xml new file mode 100644 index 0000000000..9a70764fa0 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-ipv6.xml @@ -0,0 +1,20 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <forward mode='nat'> + <nat ipv6='yes'> + <port start='500' end='1000'/> + </nat> + </forward> + <ip address="192.168.122.1" netmask="255.255.255.0"> + <dhcp> + <range start="192.168.122.2" end="192.168.122.254"/> + </dhcp> + </ip> + <ip address="192.168.128.1" netmask="255.255.255.0"/> + <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" > + <dhcp> + <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" /> + </dhcp> + </ip> +</network> diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.iptables b/tests/networkxml2firewalldata/nat-port-range-linux.iptables new file mode 100644 index 0000000000..8e5c2c8193 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-linux.iptables @@ -0,0 +1,283 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.128.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.128.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +-p udp '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +-p tcp '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.nftables b/tests/networkxml2firewalldata/nat-port-range-linux.nftables new file mode 100644 index 0000000000..1dc37a26ec --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-linux.nftables @@ -0,0 +1,314 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr \ +192.168.122.0/24 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr \ +192.168.128.0/24 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oif \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-port-range.xml b/tests/networkxml2firewalldata/nat-port-range.xml new file mode 100644 index 0000000000..81b29d3b72 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range.xml @@ -0,0 +1,20 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <forward mode='nat'> + <nat> + <port start='500' end='1000'/> + </nat> + </forward> + <ip address="192.168.122.1" netmask="255.255.255.0"> + <dhcp> + <range start="192.168.122.2" end="192.168.122.254"/> + </dhcp> + </ip> + <ip address="192.168.128.1" netmask="255.255.255.0"/> + <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" > + <dhcp> + <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" /> + </dhcp> + </ip> +</network> diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index 4cabe39d1d..f7b87ff798 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -198,6 +198,11 @@ mymain(void) DO_TEST("nat-ipv6"); DO_TEST("nat-ipv6-masquerade"); DO_TEST("route-default"); + DO_TEST("forward-dev"); + DO_TEST("isolated"); + DO_TEST("forward-dev"); + DO_TEST("nat-port-range"); + DO_TEST("nat-port-range-ipv6"); return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; } -- 2.45.2

4 months, 1 week

2
1
0 / 0

[PATCH] tests: fix broken nftables test data so that individual tests are successful

by Laine Stump

When the chain names and table name used by the nftables firewall backend were changed in commit 958aa7f274904eb8e4678a43eac845044f0dcc38, I forgot to change the test data file base.nftables, which has the extra "list" and "add chain/table" commands that are generated for the first test case of networkxml2firewalltest.c. When the full set of tests is run, the first test will be an iptables test case, so those extra commands won't be added to any of the nftables cases, and so the data in base.nftables never matches, and the tests are all successful. However, if the test are limited with, e.g. VIR_TEST_RANGE=2 (test #2 will be the nftables version of the 1st test case), then the commands to add nftables table/chains *will* be generated in the test output, and so the test will fail. Because I was only running the entire test series after the initial commits of nftables tests, I didn't notice this. Until now. base.nftables has now been updated to reflect the current names for chains/table, and running individual test cases is once again successful. Fixes: 958aa7f274904eb8e4678a43eac845044f0dcc38 Signed-off-by: Laine Stump <laine(a)redhat.com> --- tests/networkxml2firewalldata/base.nftables | 202 ++++---------------- 1 file changed, 42 insertions(+), 160 deletions(-) diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables index 4f1f475a85..a064318739 100644 --- a/tests/networkxml2firewalldata/base.nftables +++ b/tests/networkxml2firewalldata/base.nftables @@ -2,255 +2,137 @@ nft \ list \ table \ ip \ -libvirt +libvirt_network nft \ add \ table \ ip \ -libvirt +libvirt_network nft \ add \ chain \ ip \ -libvirt \ -INPUT \ -'{ type filter hook input priority 0; policy accept; }' -nft \ -add \ -chain \ -ip \ -libvirt \ -FORWARD \ +libvirt_network \ +forward \ '{ type filter hook forward priority 0; policy accept; }' nft \ add \ chain \ ip \ -libvirt \ -OUTPUT \ -'{ type filter hook output priority 0; policy accept; }' -nft \ -add \ -chain \ -ip \ -libvirt \ -LIBVIRT_INP -nft \ -insert \ -rule \ -ip \ -libvirt \ -INPUT \ -counter \ -jump \ -LIBVIRT_INP -nft \ -add \ -chain \ -ip \ -libvirt \ -LIBVIRT_OUT -nft \ -insert \ -rule \ -ip \ -libvirt \ -OUTPUT \ -counter \ -jump \ -LIBVIRT_OUT -nft \ -add \ -chain \ -ip \ -libvirt \ -LIBVIRT_FWO +libvirt_network \ +guest_output nft \ insert \ rule \ ip \ -libvirt \ -FORWARD \ +libvirt_network \ +forward \ counter \ jump \ -LIBVIRT_FWO +guest_output nft \ add \ chain \ ip \ -libvirt \ -LIBVIRT_FWI +libvirt_network \ +guest_input nft \ insert \ rule \ ip \ -libvirt \ -FORWARD \ +libvirt_network \ +forward \ counter \ jump \ -LIBVIRT_FWI +guest_input nft \ add \ chain \ ip \ -libvirt \ -LIBVIRT_FWX +libvirt_network \ +guest_cross nft \ insert \ rule \ ip \ -libvirt \ -FORWARD \ +libvirt_network \ +forward \ counter \ jump \ -LIBVIRT_FWX +guest_cross nft \ add \ chain \ ip \ -libvirt \ -POSTROUTING \ +libvirt_network \ +guest_nat \ '{ type nat hook postrouting priority 100; policy accept; }' nft \ -add \ -chain \ -ip \ -libvirt \ -LIBVIRT_PRT -nft \ -insert \ -rule \ -ip \ -libvirt \ -POSTROUTING \ -counter \ -jump \ -LIBVIRT_PRT -nft \ list \ table \ ip6 \ -libvirt +libvirt_network nft \ add \ table \ ip6 \ -libvirt +libvirt_network nft \ add \ chain \ ip6 \ -libvirt \ -INPUT \ -'{ type filter hook input priority 0; policy accept; }' -nft \ -add \ -chain \ -ip6 \ -libvirt \ -FORWARD \ +libvirt_network \ +forward \ '{ type filter hook forward priority 0; policy accept; }' nft \ add \ chain \ ip6 \ -libvirt \ -OUTPUT \ -'{ type filter hook output priority 0; policy accept; }' -nft \ -add \ -chain \ -ip6 \ -libvirt \ -LIBVIRT_INP -nft \ -insert \ -rule \ -ip6 \ -libvirt \ -INPUT \ -counter \ -jump \ -LIBVIRT_INP -nft \ -add \ -chain \ -ip6 \ -libvirt \ -LIBVIRT_OUT -nft \ -insert \ -rule \ -ip6 \ -libvirt \ -OUTPUT \ -counter \ -jump \ -LIBVIRT_OUT -nft \ -add \ -chain \ -ip6 \ -libvirt \ -LIBVIRT_FWO +libvirt_network \ +guest_output nft \ insert \ rule \ ip6 \ -libvirt \ -FORWARD \ +libvirt_network \ +forward \ counter \ jump \ -LIBVIRT_FWO +guest_output nft \ add \ chain \ ip6 \ -libvirt \ -LIBVIRT_FWI +libvirt_network \ +guest_input nft \ insert \ rule \ ip6 \ -libvirt \ -FORWARD \ +libvirt_network \ +forward \ counter \ jump \ -LIBVIRT_FWI +guest_input nft \ add \ chain \ ip6 \ -libvirt \ -LIBVIRT_FWX +libvirt_network \ +guest_cross nft \ insert \ rule \ ip6 \ -libvirt \ -FORWARD \ +libvirt_network \ +forward \ counter \ jump \ -LIBVIRT_FWX +guest_cross nft \ add \ chain \ ip6 \ -libvirt \ -POSTROUTING \ +libvirt_network \ +guest_nat \ '{ type nat hook postrouting priority 100; policy accept; }' -nft \ -add \ -chain \ -ip6 \ -libvirt \ -LIBVIRT_PRT -nft \ -insert \ -rule \ -ip6 \ -libvirt \ -POSTROUTING \ -counter \ -jump \ -LIBVIRT_PRT -- 2.45.2

4 months, 1 week

3
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Devel June 2024