Re: [libvirt] [PATCH 2/2] add MAC address based port filtering to qemu

Tuesday, 3 November 2009

On Tue, Oct 27, 2009 at 12:36:14PM +0100, Gerhard Stenzel wrote:
...
 This patch adds MAC address based port filtering to the qemu driver.

 Signed-off-by: Gerhard Stenzel <gerhard.stenzel(a)de.ibm.com&gt; [...]
...
 +networkAddEbtablesRules(struct qemud_driver *driver) {
 +    int err;
 +
 +    /* Set forward policy to DROP */
 +    if ((err = ebtablesAddForwardPolicyReject(driver->ebtables))) {
 +        virReportSystemError(NULL, err,
 +                             _("failed to add ebtables rule to set default policy
to drop on '%s'"),
 +                             __FILE__);
 +        return err; 
 I changed the indentation a bit to fit into 80 columns
[...]
...
 @@ -318,6 +319,22 @@ int qemudLoadDriverConfig(struct qemud_driver
*driver,
           }
       }

 +    p = virConfGetValue (conf, "mac_filter");
 +    CHECK_TYPE ("mac_filter", VIR_CONF_LONG);
 +    if (p) {
 +        driver->macFilter = p->l;
 +        if (!(driver->ebtables = ebtablesContextNew("qemu"))) {
 +            driver->macFilter = 0;
 +            virReportSystemError(NULL, errno,
 +                                 _("failed to enable mac filter in in
'%s'"), __FILE__); 
  same in a couple of place in that module too

...
 @@ -2176,6 +2177,21 @@ static void
qemudShutdownVMDaemon(virConnectPtr conn,

      VIR_DEBUG(_("Shutting down VM '%s'\n"), vm->def->name);

 +    if (driver->macFilter) {
 +        int i;
 +        virDomainDefPtr def = vm->def;
 +        for (i = 0 ; i < def->nnets ; i++) {
 +            virDomainNetDefPtr net = def->nets[i];
 +            if (net->ifname == NULL)
 +                continue;
 +            if ((errno = networkDisallowMacOnPort(conn, driver, net->ifname,
net->mac))) {
 +                virReportSystemError(conn, errno,
 +                                     _("failed to remove ebtables rule to allow MAC
address on  '%s'"),
 +                                     net->ifname);
 +            }
 +        }
 +    }
 +
      if (virKillProcess(vm->pid, 0) == 0 &&
          virKillProcess(vm->pid, SIGTERM) < 0)
          virReportSystemError(conn, errno, 
  again a bit of formatting btut nothing to add otherwise.

I have applied this patch too and I pushed both, thanks !

  We just need to look at the spec file dependancy (should be added I
think) and clear up potential issues in saving :-)

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel(a)veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt] [PATCH 2/2] add MAC address based port filtering to qemu