[PATCH] qemu: add support for qemu switchover-ack
by Jon Kohler
Add plumbing for QEMU's switchover-ack migration capability, which
helps lower the downtime during VFIO migrations. This capability is
enabled by default as long as both the source and destination support
it.
Note: switchover-ack depends on the return path capability, so this may
not be used when VIR_MIGRATE_TUNNELLED flag is set.
Extensive details about the qemu switchover-ack implementation are
available in the qemu series v6 cover letter [1] where the highlight is
the extreme reduction in guest visible downtime. In addition to the
original test results below, I saw a roughly ~20% reduction in downtime
for VFIO VGPU devices at minimum.
=== Test results ===
The below table shows the downtime of two identical migrations. In the
first migration switchover ack is disabled and in the second it is
enabled. The migrated VM is assigned with a mlx5 VFIO device which has
300MB of device data to be migrated.
+----------------------+-----------------------+----------+
| Switchover ack | VFIO device data size | Downtime |
+----------------------+-----------------------+----------+
| Disabled | 300MB | 1900ms |
| Enabled | 300MB | 420ms |
+----------------------+-----------------------+----------+
Switchover ack gives a roughly 4.5 times improvement in downtime.
The 1480ms difference is time that is used for resource allocation for
the VFIO device in the destination. Without switchover ack, this time is
spent when the source VM is stopped and thus the downtime is much
higher. With switchover ack, the time is spent when the source VM is
still running.
[1] https://patchwork.kernel.org/project/qemu-devel/cover/20230621111201.2972...
Signed-off-by: Jon Kohler <jon(a)nutanix.com>
Cc: Alex Williamson <alex.williamson(a)redhat.com>
Cc: Avihai Horon <avihaih(a)nvidia.com>
Cc: Markus Armbruster <armbru(a)redhat.com>
Cc: Peter Xu <peterx(a)redhat.com>
Cc: YangHang Liu <yanghliu(a)redhat.com>
---
include/libvirt/libvirt-domain.h | 11 +++++++++++
src/libvirt-domain.c | 20 ++++++++++++++++++++
src/qemu/qemu_migration.h | 1 +
src/qemu/qemu_migration_params.c | 8 +++++++-
src/qemu/qemu_migration_params.h | 1 +
5 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/include/libvirt/libvirt-domain.h b/include/libvirt/libvirt-domain.h
index 2f5b01bbfe..9543629f30 100644
--- a/include/libvirt/libvirt-domain.h
+++ b/include/libvirt/libvirt-domain.h
@@ -1100,6 +1100,17 @@ typedef enum {
* Since: 8.5.0
*/
VIR_MIGRATE_ZEROCOPY = (1 << 20),
+
+ /* Use switchover ack migration capability to reduce downtime on VFIO
+ * device migration. This prevents the source from stopping the VM and
+ * completing the migration until an ACK is received from the destination
+ * that it's OK to do so. Thus, a VFIO device can make sure that its
+ * initial bytes were sent and loaded in the destination before the
+ * source VM is stopped.
+ *
+ * Since: 10.5.0
+ */
+ VIR_MIGRATE_SWITCHOVER_ACK = (1 << 21),
} virDomainMigrateFlags;
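Review bot: The doc comment on `VIR_MIGRATE_SWITCHOVER_ACK` does not say that the flag is rejected together with `VIR_MIGRATE_TUNNELLED`, which the `VIR_EXCLUSIVE_FLAGS_GOTO` checks added in src/libvirt-domain.c enforce. API users reading only the header will hit that error without warning. I would add a sentence before the `Since:` line, for example `This flag cannot be combined with VIR_MIGRATE_TUNNELLED, because the capability needs the migration return path.` The enum itself starts above the hunk.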
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index 7c6b93963c..786fef317d 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -3822,6 +3822,10 @@ virDomainMigrate(virDomainPtr domain,
VIR_MIGRATE_PARALLEL,
error);
+ VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED,
+ VIR_MIGRATE_SWITCHOVER_ACK,
+ error);
+
VIR_REQUIRE_FLAG_GOTO(VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES,
VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_INC,
error);
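Review bot: The `VIR_MIGRATE_TUNNELLED` / `VIR_MIGRATE_SWITCHOVER_ACK` exclusivity is checked only in these public entry points, which run in the client library; the same three lines are repeated in the virDomainMigrate2, virDomainMigrateToURI, virDomainMigrateToURI2 and virDomainMigrateToURI3 hunks. A caller that reaches the driver without going through this version of the library would presumably skip the check, and in the visible qemu code the combination is then resolved silently by the flag map rather than reported as an error. Consider rejecting the combination on the driver side as well, and confirm that virDomainMigrate3, which this diff does not touch, either already refuses `VIR_MIGRATE_TUNNELLED` or gets the same check. The function bodies continue outside each hunk.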
@@ -4021,6 +4025,10 @@ virDomainMigrate2(virDomainPtr domain,
VIR_MIGRATE_PARALLEL,
error);
+ VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED,
+ VIR_MIGRATE_SWITCHOVER_ACK,
+ error);
+
VIR_REQUIRE_FLAG_GOTO(VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES,
VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_INC,
error);
@@ -4497,6 +4505,10 @@ virDomainMigrateToURI(virDomainPtr domain,
VIR_MIGRATE_PARALLEL,
error);
+ VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED,
+ VIR_MIGRATE_SWITCHOVER_ACK,
+ error);
+
if (virDomainMigrateUnmanagedCheckCompat(domain, flags) < 0)
goto error;
@@ -4577,6 +4589,10 @@ virDomainMigrateToURI2(virDomainPtr domain,
VIR_MIGRATE_PARALLEL,
error);
+ VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED,
+ VIR_MIGRATE_SWITCHOVER_ACK,
+ error);
+
if (virDomainMigrateUnmanagedCheckCompat(domain, flags) < 0)
goto error;
@@ -4656,6 +4672,10 @@ virDomainMigrateToURI3(virDomainPtr domain,
VIR_MIGRATE_PARALLEL,
error);
+ VIR_EXCLUSIVE_FLAGS_GOTO(VIR_MIGRATE_TUNNELLED,
+ VIR_MIGRATE_SWITCHOVER_ACK,
+ error);
+
if (virDomainMigrateUnmanagedCheckCompat(domain, flags) < 0)
goto error;
diff --git a/src/qemu/qemu_migration.h b/src/qemu/qemu_migration.h
index ed62fd4a91..cd89e100e1 100644
--- a/src/qemu/qemu_migration.h
+++ b/src/qemu/qemu_migration.h
@@ -62,6 +62,7 @@
VIR_MIGRATE_NON_SHARED_SYNCHRONOUS_WRITES | \
VIR_MIGRATE_POSTCOPY_RESUME | \
VIR_MIGRATE_ZEROCOPY | \
+ VIR_MIGRATE_SWITCHOVER_ACK | \
0)
/* All supported migration parameters and their types. */
diff --git a/src/qemu/qemu_migration_params.c b/src/qemu/qemu_migration_params.c
index 48f8657f71..9593b6ba65 100644
--- a/src/qemu/qemu_migration_params.c
+++ b/src/qemu/qemu_migration_params.c
@@ -105,6 +105,7 @@ VIR_ENUM_IMPL(qemuMigrationCapability,
"return-path",
"zero-copy-send",
"postcopy-preempt",
+ "switchover-ack",
);
@@ -138,7 +139,7 @@ struct _qemuMigrationParamsAlwaysOnItem {
typedef struct _qemuMigrationParamsFlagMapItem qemuMigrationParamsFlagMapItem;
struct _qemuMigrationParamsFlagMapItem {
/* Describes what to do with the capability if @flag is found.
- * When se to QEMU_MIGRATION_FLAG_REQUIRED, the capability will be
+ * When set to QEMU_MIGRATION_FLAG_REQUIRED, the capability will be
* enabled iff the specified migration flag is enabled. On the other hand
* QEMU_MIGRATION_FLAG_FORBIDDEN will enable the capability as long as
* the specified migration flag is not enabled. */
@@ -215,6 +216,11 @@ static const qemuMigrationParamsFlagMapItem qemuMigrationParamsFlagMap[] = {
.flag = VIR_MIGRATE_ZEROCOPY,
.cap = QEMU_MIGRATION_CAP_ZERO_COPY_SEND,
.party = QEMU_MIGRATION_SOURCE},
+
+ {.match = QEMU_MIGRATION_FLAG_FORBIDDEN,
+ .flag = VIR_MIGRATE_TUNNELLED,
+ .cap = QEMU_MIGRATION_CAP_SWITCHOVER_ACK,
+ .party = QEMU_MIGRATION_SOURCE | QEMU_MIGRATION_DESTINATION},
};
/* Translation from VIR_MIGRATE_PARAM_* typed parameters to
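Review bot: The new map entry keys `QEMU_MIGRATION_CAP_SWITCHOVER_ACK` on `VIR_MIGRATE_TUNNELLED` with `QEMU_MIGRATION_FLAG_FORBIDDEN`, so per the comment on `_qemuMigrationParamsFlagMapItem` the capability is enabled for every non-tunnelled migration and the new public flag `VIR_MIGRATE_SWITCHOVER_ACK` is never consulted here. That matches the "enabled by default" wording of the commit message, but it leaves the flag without effect in the visible code. If capabilities set through this map are not filtered by what the QEMU binary supports (not visible in this hunk), non-tunnelled migrations could also start failing on binaries that lack switchover-ack. Either key the entry on the new flag, `.match = QEMU_MIGRATION_FLAG_REQUIRED,` with `.flag = VIR_MIGRATE_SWITCHOVER_ACK,`, or drop the public flag and enable the capability only when both sides report support. The array starts above the hunk.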
diff --git a/src/qemu/qemu_migration_params.h b/src/qemu/qemu_migration_params.h
index 91bc6792cd..df67f1fb92 100644
--- a/src/qemu/qemu_migration_params.h
+++ b/src/qemu/qemu_migration_params.h
@@ -41,6 +41,7 @@ typedef enum {
QEMU_MIGRATION_CAP_RETURN_PATH,
QEMU_MIGRATION_CAP_ZERO_COPY_SEND,
QEMU_MIGRATION_CAP_POSTCOPY_PREEMPT,
+ QEMU_MIGRATION_CAP_SWITCHOVER_ACK,
QEMU_MIGRATION_CAP_LAST
} qemuMigrationCapability;
--
2.43.0
9 months, 3 weeks
[PATCH] network: add more firewall test cases
by Laine Stump
This patch adds some previously missing test cases that test for
proper firewall rule creation when the following are included in the
network definition:
* <forward dev='blah'>
* no forward element (an "isolated" network)
* nat port range when only ipv4 is nat-ed
* nat port range when both ipv4 & ipv6 are nat-ed
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
If you ack this, please also push it, as I'm on vacation and only
sporadically connected.
.../forward-dev-linux.iptables | 154 +++++++
.../forward-dev-linux.nftables | 158 +++++++
tests/networkxml2firewalldata/forward-dev.xml | 10 +
.../isolated-linux.iptables | 159 ++++++++
.../isolated-linux.nftables | 64 +++
tests/networkxml2firewalldata/isolated.xml | 15 +
.../nat-port-range-ipv6-linux.iptables | 317 ++++++++++++++
.../nat-port-range-ipv6-linux.nftables | 386 ++++++++++++++++++
.../nat-port-range-ipv6.xml | 20 +
.../nat-port-range-linux.iptables | 283 +++++++++++++
.../nat-port-range-linux.nftables | 314 ++++++++++++++
.../nat-port-range.xml | 20 +
tests/networkxml2firewalltest.c | 5 +
13 files changed, 1905 insertions(+)
create mode 100644 tests/networkxml2firewalldata/forward-dev-linux.iptables
create mode 100644 tests/networkxml2firewalldata/forward-dev-linux.nftables
create mode 100644 tests/networkxml2firewalldata/forward-dev.xml
create mode 100644 tests/networkxml2firewalldata/isolated-linux.iptables
create mode 100644 tests/networkxml2firewalldata/isolated-linux.nftables
create mode 100644 tests/networkxml2firewalldata/isolated.xml
create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6.xml
create mode 100644 tests/networkxml2firewalldata/nat-port-range-linux.iptables
create mode 100644 tests/networkxml2firewalldata/nat-port-range-linux.nftables
create mode 100644 tests/networkxml2firewalldata/nat-port-range.xml
diff --git a/tests/networkxml2firewalldata/forward-dev-linux.iptables b/tests/networkxml2firewalldata/forward-dev-linux.iptables
new file mode 100644
index 0000000000..bc483c4512
--- /dev/null
+++ b/tests/networkxml2firewalldata/forward-dev-linux.iptables
@@ -0,0 +1,154 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--out-interface enp0s7 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--in-interface enp0s7 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--out-interface enp0s7 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--out-interface enp0s7 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--out-interface enp0s7 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--out-interface enp0s7 \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--out-interface enp0s7 \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/forward-dev-linux.nftables b/tests/networkxml2firewalldata/forward-dev-linux.nftables
new file mode 100644
index 0000000000..8badb74beb
--- /dev/null
+++ b/tests/networkxml2firewalldata/forward-dev-linux.nftables
@@ -0,0 +1,158 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.122.0/24 \
+iif \
+virbr0 \
+oifname \
+enp0s7 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+iifname \
+enp0s7 \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+oifname \
+enp0s7 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+oifname \
+enp0s7 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+oifname \
+enp0s7 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+oifname \
+enp0s7 \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+oifname \
+enp0s7 \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/forward-dev.xml b/tests/networkxml2firewalldata/forward-dev.xml
new file mode 100644
index 0000000000..8e49d3984d
--- /dev/null
+++ b/tests/networkxml2firewalldata/forward-dev.xml
@@ -0,0 +1,10 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward mode='nat' dev='enp0s7'/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+</network>
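Review bot: The forward-dev case covers only `mode='nat'` with a single IPv4 subnet, so the `enp0s7` interface match is verified for the IPv4 NAT rules alone. Since `dev` is what confines guest traffic to one egress interface, consider adding an `<ip family="ipv6" ...>` element as in isolated.xml, or a companion file using `<forward mode='route' dev='enp0s7'/>`, unless an existing test file already covers those paths.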
diff --git a/tests/networkxml2firewalldata/isolated-linux.iptables b/tests/networkxml2firewalldata/isolated-linux.iptables
new file mode 100644
index 0000000000..135189ce41
--- /dev/null
+++ b/tests/networkxml2firewalldata/isolated-linux.iptables
@@ -0,0 +1,159 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/isolated-linux.nftables b/tests/networkxml2firewalldata/isolated-linux.nftables
new file mode 100644
index 0000000000..d1b4dac178
--- /dev/null
+++ b/tests/networkxml2firewalldata/isolated-linux.nftables
@@ -0,0 +1,64 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalldata/isolated.xml b/tests/networkxml2firewalldata/isolated.xml
new file mode 100644
index 0000000000..0e3bed10d1
--- /dev/null
+++ b/tests/networkxml2firewalldata/isolated.xml
@@ -0,0 +1,15 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+ <ip address="192.168.128.1" netmask="255.255.255.0"/>
+ <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
+ <dhcp>
+ <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
new file mode 100644
index 0000000000..c2e845cc4f
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
@@ -0,0 +1,317 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.128.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.128.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p udp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p tcp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+-p udp '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE \
+--to-ports 500-1000
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+-p tcp '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE \
+--to-ports 500-1000
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+--destination ff02::/16 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
new file mode 100644
index 0000000000..ceaed6fa40
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
@@ -0,0 +1,386 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.122.0/24 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.128.0/24 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.128.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_nat \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_nat \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+ff02::/16 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6.xml b/tests/networkxml2firewalldata/nat-port-range-ipv6.xml
new file mode 100644
index 0000000000..9a70764fa0
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-ipv6.xml
@@ -0,0 +1,20 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward mode='nat'>
+ <nat ipv6='yes'>
+ <port start='500' end='1000'/>
+ </nat>
+ </forward>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+ <ip address="192.168.128.1" netmask="255.255.255.0"/>
+ <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
+ <dhcp>
+ <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.iptables b/tests/networkxml2firewalldata/nat-port-range-linux.iptables
new file mode 100644
index 0000000000..8e5c2c8193
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-linux.iptables
@@ -0,0 +1,283 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.128.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.128.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p udp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p tcp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.nftables b/tests/networkxml2firewalldata/nat-port-range-linux.nftables
new file mode 100644
index 0000000000..1dc37a26ec
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-linux.nftables
@@ -0,0 +1,314 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.122.0/24 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.128.0/24 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.128.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+oif \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalldata/nat-port-range.xml b/tests/networkxml2firewalldata/nat-port-range.xml
new file mode 100644
index 0000000000..81b29d3b72
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range.xml
@@ -0,0 +1,20 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward mode='nat'>
+ <nat>
+ <port start='500' end='1000'/>
+ </nat>
+ </forward>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+ <ip address="192.168.128.1" netmask="255.255.255.0"/>
+ <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
+ <dhcp>
+ <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 4cabe39d1d..f7b87ff798 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -198,6 +198,11 @@ mymain(void)
DO_TEST("nat-ipv6");
DO_TEST("nat-ipv6-masquerade");
DO_TEST("route-default");
+ DO_TEST("forward-dev");
+ DO_TEST("isolated");
+ DO_TEST("forward-dev");
+ DO_TEST("nat-port-range");
+ DO_TEST("nat-port-range-ipv6");
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
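Review bot: `DO_TEST("forward-dev");` is registered twice in the added lines, once before and once after `DO_TEST("isolated");`. Unless the harness is meant to run that case twice, the second call only repeats the same comparison and shifts the test numbering used by range selection, so I would drop it and keep `DO_TEST("forward-dev");` once. The hunk does not show whether data files for "forward-dev" and "isolated" already exist in the tree; the visible part of the patch adds only the nat-port-range files, so that is worth confirming. mymain's body starts outside the hunk.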
--
2.45.2
9 months, 3 weeks
[PATCH] tests: fix broken nftables test data so that individual tests are successful
by Laine Stump
When the chain names and table name used by the nftables firewall
backend were changed in commit
958aa7f274904eb8e4678a43eac845044f0dcc38, I forgot to change the test
data file base.nftables, which has the extra "list" and "add
chain/table" commands that are generated for the first test case of
networkxml2firewalltest.c. When the full set of tests is run, the
first test will be an iptables test case, so those extra commands
won't be added to any of the nftables cases, and so the data in
base.nftables never matches, and the tests are all successful.
However, if the tests are limited with, e.g. VIR_TEST_RANGE=2 (test #2
will be the nftables version of the 1st test case), then the commands
to add nftables table/chains *will* be generated in the test output,
and so the test will fail. Because I was only running the entire test
series after the initial commits of nftables tests, I didn't notice
this. Until now.
base.nftables has now been updated to reflect the current names for
chains/table, and running individual test cases is once again
successful.
Fixes: 958aa7f274904eb8e4678a43eac845044f0dcc38
Signed-off-by: Laine Stump <laine(a)redhat.com>
---
tests/networkxml2firewalldata/base.nftables | 202 ++++----------------
1 file changed, 42 insertions(+), 160 deletions(-)
diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables
index 4f1f475a85..a064318739 100644
--- a/tests/networkxml2firewalldata/base.nftables
+++ b/tests/networkxml2firewalldata/base.nftables
@@ -2,255 +2,137 @@ nft \
list \
table \
ip \
-libvirt
+libvirt_network
nft \
add \
table \
ip \
-libvirt
+libvirt_network
nft \
add \
chain \
ip \
-libvirt \
-INPUT \
-'{ type filter hook input priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
'{ type filter hook forward priority 0; policy accept; }'
nft \
add \
chain \
ip \
-libvirt \
-OUTPUT \
-'{ type filter hook output priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_INP
-nft \
-insert \
-rule \
-ip \
-libvirt \
-INPUT \
-counter \
-jump \
-LIBVIRT_INP
-nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_OUT
-nft \
-insert \
-rule \
-ip \
-libvirt \
-OUTPUT \
-counter \
-jump \
-LIBVIRT_OUT
-nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_FWO
+libvirt_network \
+guest_output
nft \
insert \
rule \
ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
counter \
jump \
-LIBVIRT_FWO
+guest_output
nft \
add \
chain \
ip \
-libvirt \
-LIBVIRT_FWI
+libvirt_network \
+guest_input
nft \
insert \
rule \
ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
counter \
jump \
-LIBVIRT_FWI
+guest_input
nft \
add \
chain \
ip \
-libvirt \
-LIBVIRT_FWX
+libvirt_network \
+guest_cross
nft \
insert \
rule \
ip \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
counter \
jump \
-LIBVIRT_FWX
+guest_cross
nft \
add \
chain \
ip \
-libvirt \
-POSTROUTING \
+libvirt_network \
+guest_nat \
'{ type nat hook postrouting priority 100; policy accept; }'
nft \
-add \
-chain \
-ip \
-libvirt \
-LIBVIRT_PRT
-nft \
-insert \
-rule \
-ip \
-libvirt \
-POSTROUTING \
-counter \
-jump \
-LIBVIRT_PRT
-nft \
list \
table \
ip6 \
-libvirt
+libvirt_network
nft \
add \
table \
ip6 \
-libvirt
+libvirt_network
nft \
add \
chain \
ip6 \
-libvirt \
-INPUT \
-'{ type filter hook input priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
'{ type filter hook forward priority 0; policy accept; }'
nft \
add \
chain \
ip6 \
-libvirt \
-OUTPUT \
-'{ type filter hook output priority 0; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_INP
-nft \
-insert \
-rule \
-ip6 \
-libvirt \
-INPUT \
-counter \
-jump \
-LIBVIRT_INP
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_OUT
-nft \
-insert \
-rule \
-ip6 \
-libvirt \
-OUTPUT \
-counter \
-jump \
-LIBVIRT_OUT
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_FWO
+libvirt_network \
+guest_output
nft \
insert \
rule \
ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
counter \
jump \
-LIBVIRT_FWO
+guest_output
nft \
add \
chain \
ip6 \
-libvirt \
-LIBVIRT_FWI
+libvirt_network \
+guest_input
nft \
insert \
rule \
ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
counter \
jump \
-LIBVIRT_FWI
+guest_input
nft \
add \
chain \
ip6 \
-libvirt \
-LIBVIRT_FWX
+libvirt_network \
+guest_cross
nft \
insert \
rule \
ip6 \
-libvirt \
-FORWARD \
+libvirt_network \
+forward \
counter \
jump \
-LIBVIRT_FWX
+guest_cross
nft \
add \
chain \
ip6 \
-libvirt \
-POSTROUTING \
+libvirt_network \
+guest_nat \
'{ type nat hook postrouting priority 100; policy accept; }'
-nft \
-add \
-chain \
-ip6 \
-libvirt \
-LIBVIRT_PRT
-nft \
-insert \
-rule \
-ip6 \
-libvirt \
-POSTROUTING \
-counter \
-jump \
-LIBVIRT_PRT
--
2.45.2
9 months, 3 weeks
[PATCH] qemuDomainDiskChangeSupported: Fill in missing check
by Adam Julis
The attribute 'discard_no_unref' is not allowed to be changed while
the virtual machine is running.
Resolves: https://issues.redhat.com/browse/RHEL-37542
Signed-off-by: Adam Julis <ajulis(a)redhat.com>
---
src/qemu/qemu_domain.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 2c8f5b1aad..1a90311ca5 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -8459,6 +8459,7 @@ qemuDomainDiskChangeSupported(virDomainDiskDef *disk,
CHECK_EQ(ioeventfd, "ioeventfd", true);
CHECK_EQ(event_idx, "event_idx", true);
CHECK_EQ(copy_on_read, "copy_on_read", true);
+ CHECK_EQ(discard_no_unref, "discard_no_unref", true);
/* "snapshot" is a libvirt internal field and thus can be changed */
/* startupPolicy is allowed to be updated. Therefore not checked here. */
CHECK_EQ(transient, "transient", true);
--
2.45.2
9 months, 3 weeks
[PATCH 00/10] Sync cpu features with qemu
by Tim Wiederhake
This brings libvirt in sync with qemu commit
02d9c38236cf8c9826e5c5be61780c4444cb4ae0.
Tim Wiederhake (10):
cpu_map: Add missing feature "fred"
cpu_map: Add missing feature "lkgs"
cpu_map: Add missing feature "wrmsrns"
cpu_map: Add missing feature "lam"
cpu_map: Add missing feature "overflow-recov"
cpu_map: Add missing feature "succor"
cpu_map: Add missing feature "rfds-no"
cpu_map: Add missing feature "rfds-clear"
cpu_map: Add missing feature "vmx-nested-exception"
cpu_map: Ignore feature "kvm-asyncpf-vmexit"
src/cpu_map/sync_qemu_features_i386.py | 1 +
src/cpu_map/x86_features.xml | 29 +++++++++++++++++++
...86_64-cpuid-EPYC-7502-32-Core-disabled.xml | 2 +-
.../x86_64-cpuid-EPYC-7502-32-Core-guest.xml | 2 ++
.../x86_64-cpuid-EPYC-7502-32-Core-host.xml | 2 ++
...86_64-cpuid-EPYC-7601-32-Core-disabled.xml | 2 +-
.../x86_64-cpuid-EPYC-7601-32-Core-guest.xml | 2 ++
.../x86_64-cpuid-EPYC-7601-32-Core-host.xml | 2 ++
...-cpuid-EPYC-7601-32-Core-ibpb-disabled.xml | 2 +-
..._64-cpuid-EPYC-7601-32-Core-ibpb-guest.xml | 2 ++
...6_64-cpuid-EPYC-7601-32-Core-ibpb-host.xml | 2 ++
...-cpuid-Hygon-C86-7185-32-core-disabled.xml | 2 +-
..._64-cpuid-Hygon-C86-7185-32-core-guest.xml | 2 ++
...6_64-cpuid-Hygon-C86-7185-32-core-host.xml | 2 ++
...puid-Ryzen-7-1800X-Eight-Core-disabled.xml | 2 +-
...4-cpuid-Ryzen-7-1800X-Eight-Core-guest.xml | 2 ++
...64-cpuid-Ryzen-7-1800X-Eight-Core-host.xml | 2 ++
...4-cpuid-Ryzen-9-3900X-12-Core-disabled.xml | 2 +-
...6_64-cpuid-Ryzen-9-3900X-12-Core-guest.xml | 2 ++
...86_64-cpuid-Ryzen-9-3900X-12-Core-host.xml | 2 ++
.../domaincapsdata/qemu_9.1.0-q35.x86_64.xml | 3 ++
tests/domaincapsdata/qemu_9.1.0.x86_64.xml | 3 ++
...host-model-fallback-kvm.x86_64-latest.args | 2 +-
...cpu-host-model-features.x86_64-latest.args | 2 +-
.../cpu-host-model-kvm.x86_64-latest.args | 2 +-
...st-model-nofallback-kvm.x86_64-latest.args | 2 +-
26 files changed, 70 insertions(+), 10 deletions(-)
--
2.43.0
9 months, 3 weeks
[PATCH] vmx: Accept more serial variations
by Martin Kletzander
Commit 23c47944882b added parsing of serial ports connected to vspc, but
the VM can also have a network serial port with an empty filename or no
filename at all. Parse these the same way, as a <serial type='null'>.
Resolves: https://issues.redhat.com/browse/RHEL-32182
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/vmx/vmx.c | 2 +-
tests/vmx2xmldata/esx-in-the-wild-13.vmx | 4 ++++
tests/vmx2xmldata/esx-in-the-wild-13.xml | 3 +++
3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/vmx/vmx.c b/src/vmx/vmx.c
index d90b41d2ad14..d082a0766010 100644
--- a/src/vmx/vmx.c
+++ b/src/vmx/vmx.c
@@ -3065,7 +3065,7 @@ virVMXParseSerial(virVMXContext *ctx, virConf *conf, int port,
(*def)->target.port = port;
(*def)->source->type = VIR_DOMAIN_CHR_TYPE_PIPE;
(*def)->source->data.file.path = g_steal_pointer(&fileName);
- } else if (STRCASEEQ(fileType, "network") && vspc) {
+ } else if (STRCASEEQ(fileType, "network") && (vspc || !fileName || STREQ(fileName, ""))) {
(*def)->target.port = port;
(*def)->source->type = VIR_DOMAIN_CHR_TYPE_NULL;
} else if (STRCASEEQ(fileType, "network")) {
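Review bot: The widened `network` branch now maps three distinct inputs (a vspc-backed port, a missing `fileName`, and an empty `fileName`) to `VIR_DOMAIN_CHR_TYPE_NULL` with no comment saying why, so the serial port's backend is dropped silently on conversion. A short comment above the branch would record the intent, e.g. `/* vspc-managed, or no usable fileName: nothing to connect to, expose as a null chardev */`. The condition relies on `||` short-circuiting to keep `STREQ` away from a NULL `fileName`; that is correct as written, but easy to break if the operands are reordered. virVMXParseSerial starts and ends outside the hunk, so how `fileName` is fetched and whether it can be NULL here is not visible.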
diff --git a/tests/vmx2xmldata/esx-in-the-wild-13.vmx b/tests/vmx2xmldata/esx-in-the-wild-13.vmx
index 1016acab28d8..d67e01814e93 100644
--- a/tests/vmx2xmldata/esx-in-the-wild-13.vmx
+++ b/tests/vmx2xmldata/esx-in-the-wild-13.vmx
@@ -29,6 +29,10 @@ serial0.fileName = "ZmVybmV0IGdBQUFBQUJrdFotaW8yclpkRXR6N3dBcDdyYkFMaWFUMVd4RENJ
serial0.vspc = "telnets://10.28.100.26:18979#thumbprint=18:F5:79:E5:73:A5:22:83:C0:57:B9:B4:FA:CE:60:19:F1:12:F5:7B"
serial0.yieldOnMsrRead = "TRUE"
serial0.present = "TRUE"
+serial1.fileType = "network"
+serial1.fileName = ""
+serial1.yieldOnMsrRead = "TRUE"
+serial1.present = "TRUE"
displayName = "Test-Mig-VM-1 (01ce57d0-4e20-41a5-8b6c-bcbf49a032ec)"
annotation = "name:Test-Mig-VM-1|0Auserid:962314ba515c48388a0e95c0961709ff|0Ausername:admin|0Aprojectid:b06b5f77b6bb442f85b1c67cff980ef9|0Aprojectname:MIS|0Aflavor:name:mig-test-flavor|0Aflavor:memory_mb:1024|0Aflavor:vcpus:1|0Aflavor:ephemeral_gb:0|0Aflavor:root_gb:10|0Aflavor:swap:0|0Aimageid:8b90d6fa-20ab-4adf-8015-aad3dddb246c|0Apackage:20.6.2|0A"
guestOS = "other-64"
diff --git a/tests/vmx2xmldata/esx-in-the-wild-13.xml b/tests/vmx2xmldata/esx-in-the-wild-13.xml
index 552c9a2a1a26..e6ef947d501f 100644
--- a/tests/vmx2xmldata/esx-in-the-wild-13.xml
+++ b/tests/vmx2xmldata/esx-in-the-wild-13.xml
@@ -43,6 +43,9 @@ package:20.6.2
<serial type='null'>
<target port='0'/>
</serial>
+ <serial type='null'>
+ <target port='1'/>
+ </serial>
<console type='null'>
<target type='serial' port='0'/>
</console>
--
2.45.1
10 months
[PATCH 0/4] nodedev: adjust handling DASDs
by Boris Fiuczynski
Adjusting how DASDs are handled as recently ID_* tags are also included
in the udev information which causes the problems reported by
https://issues.redhat.com/browse/RHEL-39497
Removing the filtering of offline ccw devices as these devices are
available in the system and also are used to set them online again. The
state information is made available in the ccw capability as an optional
state element.
Boris Fiuczynski (4):
nodedev: refactor storage type fixup
nodedev: improve DASD detection
nodedev: prevent invalid DASD node object creation
nodedev: add ccw device state and remove fencing
src/conf/node_device_conf.c | 24 +++++++++++++
src/conf/node_device_conf.h | 11 ++++++
src/conf/schemas/nodedev.rng | 8 +++++
src/node_device/node_device_udev.c | 56 +++++++++++++++++++++++++-----
4 files changed, 90 insertions(+), 9 deletions(-)
--
2.45.0
10 months
[RFC PATCH 0/1] support deprecated-props from query-cpu-model-expansion
by Collin Walling
Overview
========
QEMU will soon support reporting an optional array of deprecated features for an expanded CPU model via the query-cpu-model-expansion command. The intended use of this data is to make it easier for a user to define a CPU model with features flagged as deprecated set to disabled, thus rendering the guest migratable to future hardware that will out-right drop support for said features.
Attached to this cover letter is only half of the bigger picture. I've updated the CPU model expansion ABI to parse the new array (if it's available) and store the result in a string list within the qemuMonitorCPUModelInfo struct. I also propose an approach on how to store/retrieve the list of deprecated features in the qemuCaps cache file. All feedback on this patch is certainly welcome. Please note: I do not provide any updates to the respective qemuCaps tests right now.
The main goal of this post is to discuss the other half of the design: reporting and enabling a CPU model with deprecated features disabled. I believe the ideal solution involves a way for the user to easily configure their guest with this new data. Two ideas I currently have are outlined below. Other approaches are encouraged.
Notes
=====
- In my example below, I am running on a z14.2 machine.
- The features that are flagged as deprecated for this model are: bpb, csske, cte, te.
- The discussion regarding the QEMU changes can be found here: https://mail.gnu.org/archive/html/qemu-devel/2024-04/msg04605.html
Example of Desired Changes
==========================
Here is what I'd like the resulting guest's transient XML to look like for the <cpu> section (I have trimmed the features list for brevity):
...
<cpu mode='custom' match='exact' check='partial'>
<model fallback='forbid'>z14.2-base</model>
<feature policy='require' name='aen'/>
<feature policy='require' name='cmmnt'/>
<feature policy='require' name='aefsi'/>
...
<feature policy='disable' name='cte'/> ***
<feature policy='require' name='ais'/>
<feature policy='disable' name='bpb'/> ***
<feature policy='require' name='ctop'/>
<feature policy='require' name='gs'/>
<feature policy='require' name='ppa15'/>
<feature policy='require' name='zpci'/>
<feature policy='require' name='sea_esop2'/>
<feature policy='disable' name='te'/> ***
<feature policy='require' name='cmm'/>
<feature policy='disable' name='csske'/> ***
</cpu>
...
Ideas
=====
New Host CPU Model
------------------
Create a new CPU model that is a mirror of the host CPU model with deprecated features turned off. Let's call this model "host-recommended". A user may define this model in the guest XML as they would any other CPU model:
<cpu mode='host-recommended' check='partial'/>
Just as how host-model works, anything defined nested in the <cpu> tag will be ignored.
This model could potentially be listed in the domcapabilities output after the host-model:
<cpu>
<mode name='host-passthrough' supported='yes'>
...
</mode>
...
<mode name='host-model' supported='yes'>
...
</mode>
<mode name='host-recommended' supported='yes'>
...
<feature policy='disable' name='cte'/>
<feature policy='require' name='ais'/>
<feature policy='disable' name='bpb'/>
<feature policy='require' name='ctop'/>
<feature policy='require' name='gs'/>
<feature policy='require' name='ppa15'/>
<feature policy='require' name='zpci'/>
<feature policy='require' name='sea_esop2'/>
<feature policy='disable' name='te'/>
<feature policy='require' name='cmm'/>
<feature policy='disable' name='csske'/>
</cpu>
New Nested Element Under <cpu>
------------------------------
Create a new optional XML element nested under the <cpu> tag that may be used to disable deprecated features. This approach is more explicit compared to creating a new CPU model, and allows the user to disable these features when defining a specific model other than host-model. Here is an example of what the guest's defined XML for the CPU could look like:
<cpu mode='host-model' check='partial'>
<deprecated_features>off</deprecated_features>
</cpu>
However, a conflict arises with this approach: parameter priority. It would need to be discussed what the expected behavior should be if a user defines a guest with both a mode to disable deprecated features and any deprecated features listed with the 'require' policy, e.g.:
<cpu mode='custom' match='exact' check='partial'>
<model fallback='allow'>z13.2-base</model>
<!-- which one takes priority? -->
<deprecated_features>off</deprecated_features>
<feature policy='require' name='csske'/>
</cpu>
Another conflict is setting this option to "on" would have no effect on the CPU model (I can't think of a reason why someone would want to explicitly enable these features). This may not communicate well to the user.
To report these features, a <deprecatedProperties> tag could be added to the domcapabilities output using the same format I use in my proposed patch for the qemu capabilities file:
<cpu>
<mode name='host-passthrough' supported='yes'>
...
</mode>
...
<mode name='host-model' supported='yes'>
...
</mode>
<deprecatedProperties>
<property name='bpb'/>
<property name='te'/>
<property name='cte'/>
<property name='csske'/>
</deprecatedProperties>
</cpu>
Please let me know your thoughts. Once an approach is agreed upon, I will begin development.
Collin Walling (1):
qemu: monitor: parse deprecated-props from query-cpu-model-expansion
response
src/qemu/qemu_capabilities.c | 30 ++++++++++++++++++++++++++++++
src/qemu/qemu_monitor.h | 2 ++
src/qemu/qemu_monitor_json.c | 29 ++++++++++++++++++++++++-----
3 files changed, 56 insertions(+), 5 deletions(-)
--
2.43.0
10 months
[PATCH] conf: Drop unused declaration
by Adam Julis
Remove unused declaration of the virDomainDiskFindByBusAndDst().
Signed-off-by: Adam Julis <ajulis(a)redhat.com>
---
src/conf/domain_conf.h | 4 ----
1 file changed, 4 deletions(-)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index a06f015444..cdab6ef2da 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -3558,10 +3558,6 @@ void virDomainDiskSetFormat(virDomainDiskDef *def, int format);
virDomainControllerDef *
virDomainDeviceFindSCSIController(const virDomainDef *def,
const virDomainDeviceDriveAddress *addr);
-virDomainDiskDef *virDomainDiskFindByBusAndDst(virDomainDef *def,
- int bus,
- char *dst);
-
virDomainControllerDef *virDomainControllerDefNew(virDomainControllerType type);
void virDomainControllerDefFree(virDomainControllerDef *def);
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virDomainControllerDef, virDomainControllerDefFree);
--
2.45.0
10 months
[PATCH v2 00/20] node_dev_udev: use workerpool and improve nodedev events
by Marc Hartmayer
When an udev event occurs for a mediated device (mdev) the mdev config data
requires an update via mdevctl as the udev event does not contain all config
data. This update needs to occur immediately and to be finished before the
libvirt nodedev event is issued to keep the API usage reliable.
Changelog:
v1->v2:
+ squashed old patches 3 and 17 (comments from Jonathon and Boris)
+ added r-b's from Jonathon and Boris
+ worked in comments from Jonathon to old patch 15
+ added comment why only one worker can currently be used
+ added patch `node_device_udev: remove incorrect G_GNUC_UNUSED`
RFCv1->v1:
+ removed some of my own s-o-b's that were accidentally inserted in the RFC
+ added r-b's from Boris and Jonathon
+ worked in comments from Boris and Jonathon, but I did not inline
"nodeDeviceDefResetMdevActiveConfig" as I'm not sure whether this improves
the readability
+ reworked patch "[RFC PATCH v1 11/15] node_device_udev: Use
`stateShutdownPrepare` and `stateShutdownWait`"
+ reworked patch "node_device_udev: Use a worker pool for processing events and
emitting nodedev event"
+ added patches:
- node_device_udev: Move responsibility to release `(init|udev)Thread` to `udevEventDataDispose`
- node_device_udev: Fix leak of mdevctlLock, udevThreadCond, and mdevCtlMonitor
- node_device_udev: nodeStateShutdownPrepare: Disconnect the signals explicitly
- node_device_udev: Pass the driver state as parameter in preparation for the next commit
- node_device_udev: Add support for `g_autoptr` to `udevEventData`
- node_device_udev: Pass the `udevEventData` via parameter and use refcounting
Boris Fiuczynski (3):
nodedev: fix mdev add udev event data handling
nodedev: immediate update of active config on udev events
nodedev: reset active config data on udev remove event
Marc Hartmayer (17):
node_device_udev: Set @def to NULL
node_device_udev: Remove the timeout if the data is disposed
node_device_udev: Test for mdevctlTimeout != -1
node_device_udev: Don't take `mdevctlLock` for `mdevctl list` and add
comments about locking
node_device_udev: Take lock if `driver->privateData` is modified
node_device_udev: Add prefix `udev` for udev related data
node_device_udev: Inline `udevRemoveOneDevice`
node_device_udev: Move responsibility to release `(init|udev)Thread`
to `udevEventDataDispose`
node_device_udev: Fix leak of mdevctlLock, udevThreadCond, and
mdevCtlMonitors
node_device_udev: Introduce and use `stateShutdownPrepare` and
`stateShutdownWait`
node_device_udev: nodeStateShutdownPrepare: Disconnect the signals
explicitly
node_device_udev: Pass the driver state as parameter in preparation
for the next commit
node_device_udev: Use a worker pool for processing events and emitting
nodedev event
node_device_udev: Make the code easier to read
node_device_udev: Add support for `g_autoptr` to `udevEventData`
node_device_udev: Pass the `udevEventData` via parameter and use
refcounting
node_device_udev: remove incorrect G_GNUC_UNUSED
src/node_device/node_device_driver.h | 5 +-
src/util/virmdev.h | 4 +
src/conf/node_device_conf.c | 10 +-
src/node_device/node_device_driver.c | 28 +-
src/node_device/node_device_udev.c | 516 ++++++++++++++++++---------
src/test/test_driver.c | 11 +-
src/util/virmdev.c | 20 ++
src/libvirt_private.syms | 2 +
8 files changed, 398 insertions(+), 198 deletions(-)
base-commit: c38720b337f74337ec94c0fe2e97a7c2c57188ae
--
2.34.1
10 months