Re: [PATCH V2] libxl: Reject VM config referencing nwfilters
On Thu, Sep 12, 2024 at 16:04:44 -0600, Jim Fehlig via Devel wrote:
The Xen libxl driver does not support nwfilter. Introduce a
deviceValidateCallback function with a check for nwfilters, returning
VIR_ERR_CONFIG_UNSUPPORTED if any are found. Also fail to start any
existing VMs referencing nwfilters.
Drivers generally ignore unrecognized XML configuration, but ignoring
a user's request to filter VM network traffic can be viewed as a
security issue.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
This is a V2 of patch2 from this series
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/QD...
I've pushed patch1. Personally I'm fine leaving it at that, but I
made it this far so might as well give patch2 another attempt :-).
There's still the open question whether the same should be done for
the other hypervisor drivers that do not support nwfilters.
Changes in V2:
Use deviceValidateCallback instead of devicesPostParseCallback
Reject use of nwfilters at VM start
src/libxl/libxl_conf.c | 7 +++++++
src/libxl/libxl_domain.c | 18 ++++++++++++++++++
2 files changed, 25 insertions(+)
diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c
index 62e1be6672..bf5d925a20 100644
--- a/src/libxl/libxl_conf.c
+++ b/src/libxl/libxl_conf.c
@@ -1279,6 +1279,13 @@ libxlMakeNic(virDomainDef *def,
* x_nics[i].mtu = 1492;
*/
+ if (l_nic->filter) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("filterref is not supported in %1$s"),
+ virDomainVirtTypeToString(def->virtType));
+ return -1;
+ }
As noted in my reply to the other thread, rather than adding this
duplicated check you should simply ensure that the validate
infrastructure is called at the startup time of any VM as we do in the
qemu driver.
Calling:
if (virDomainDefValidate(vm->def, 0, driver->xmlopt, qemuCaps) < 0)
return -1;
in a code path that all VM startup takes should do the trick. I'm not
sure though what the libxl driver passes as the opaque data for the
validation callbacks though.