On 06/14/2011 10:46 AM, Daniel P. Berrange wrote:
The LXC driver networking uses veth device pairs. These can
be easily hooked into the network filtering code.
* src/lxc/lxc_driver.c: Add calls to setup/teardown nwfilter
New in v2:
- Add missing hooks for automatic rebuild of filters for
online guests
---
src/lxc/lxc_driver.c | 40 ++++++++++++++++++++++++++++++++++++++--
1 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 9ef75f5..e8ad3f0 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -52,7 +52,7 @@
#include "hooks.h"
#include "files.h"
#include "fdstream.h"
-
+#include "domain_nwfilter.h"
#define VIR_FROM_THIS VIR_FROM_LXC
@@ -1027,6 +1027,8 @@ static void lxcVmCleanup(lxc_driver_t *driver,
vethDelete(vm->def->nets[i]->ifname);
}
+ virDomainConfVMNWFilterTeardown(vm);
+
if (driver->cgroup&&
virCgroupForDomain(driver->cgroup, vm->def->name,&cgroup, 0) == 0)
{
virCgroupRemove(cgroup);
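Review bot: virDomainConfVMNWFilterTeardown(vm) is placed after the vethDelete() loop, so the guest-side devices are already gone when the per-interface filter rules are removed; if the teardown needs the device present to flush its rules, the call should move ahead of the loop, and if it only keys on vm->def->nets[i]->ifname a one-line comment would make the ordering deliberate: `/* teardown is keyed on ifname only, so it is safe after vethDelete() */`. The same ordering appears in the `cleanup:` hunk of the start path below (teardown after the veths[i] deletion loop), and whichever placement is chosen should be the same in both. Both enclosing functions start outside their hunks.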
@@ -1146,6 +1148,10 @@ static int lxcSetupInterfaces(virConnectPtr conn,
if (vethInterfaceUpOrDown(parentVeth, 1)< 0)
goto error_exit;
+
+ if (def->nets[i]->filter&&
+ virDomainConfNWFilterInstantiate(conn, def->nets[i])< 0)
+ goto error_exit;
}
rc = 0;
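Review bot: The parent veth is brought up by vethInterfaceUpOrDown(parentVeth, 1) before virDomainConfNWFilterInstantiate() is called, so there is a window in which the interface is up with no filter applied; if the nwfilter instantiation does not require the device to be up, the `if (def->nets[i]->filter && ...)` block should move ahead of the vethInterfaceUpOrDown() call so that the interface never carries unfiltered traffic. The failure path also takes `error_exit` after filters for earlier nets may already be instantiated, and nothing in this hunk tears them down; if that is left to the caller's cleanup, a comment at the `goto error_exit` saying so would help: `/* filters instantiated so far are torn down by the caller's virDomainConfVMNWFilterTeardown() */`. The `error_exit` label and the rest of lxcSetupInterfaces are outside the hunk.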
@@ -1642,8 +1648,10 @@ cleanup:
vethDelete(veths[i]);
VIR_FREE(veths[i]);
}
- if (rc != 0)
+ if (rc != 0) {
VIR_FORCE_CLOSE(priv->monitor);
+ virDomainConfVMNWFilterTeardown(vm);
+ }
VIR_FORCE_CLOSE(parentTty);
VIR_FORCE_CLOSE(handshakefds[0]);
VIR_FORCE_CLOSE(handshakefds[1]);
@@ -2842,6 +2850,33 @@ cleanup:
return ret;
}
+static int
+lxcVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
+ virHashIterator iter, void *data)
+{
+ virHashForEach(lxc_driver->domains.objs, iter, data);
+
+ return 0;
+}
+
+static void
+lxcVMDriverLock(void)
+{
+ lxcDriverLock(lxc_driver);
+}
+
+static void
+lxcVMDriverUnlock(void)
+{
+ lxcDriverUnlock(lxc_driver);
+}
+
+static virNWFilterCallbackDriver lxcCallbackDriver = {
+ .name = "LXC",
+ .vmFilterRebuild = lxcVMFilterRebuild,
+ .vmDriverLock = lxcVMDriverLock,
+ .vmDriverUnlock = lxcVMDriverUnlock,
+};
/* Function Tables */
static virDriver lxcDriver = {
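Review bot: lxcVMFilterRebuild() walks lxc_driver->domains.objs without taking the driver lock itself, which is only safe if the nwfilter layer calls the vmDriverLock callback first; that precondition is not stated anywhere in the new code and should be documented on the function, e.g. `/* Called by the nwfilter driver with lxcDriverLock() held via vmDriverLock; iterates every domain object, so 'iter' must skip inactive guests itself. */`. Whether inactive domains are filtered out by the iterator or by this callback is not visible here, so the comment should be adjusted to whichever holds. If virHashForEach() reports an iteration failure through its return value, that result should be propagated instead of the unconditional `return 0;`, otherwise a rebuild that partially failed is reported as success.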
@@ -2911,5 +2946,6 @@ int lxcRegister(void)
{
virRegisterDriver(&lxcDriver);
virRegisterStateDriver(&lxcStateDriver);
+ virNWFilterRegisterCallbackDriver(&lxcCallbackDriver);
return 0;
}
ACK.
Looks good. Unfortunately I cannot test it since I don't have LXC on any
of my machines...
Stefan