Currently, adding any sort of IPv6 nwfilter rules is rather difficult.
There are no standard rules, and you end up doing a lot of things by
hand. This patch makes the $V6LOCAL variable available within nwfilter
rules. This is generated from the interface's mac address using
the modified EUI-64 format, which matches what the guest should be
using.
This is part of what information is needed to correctly filter guest
IPv6 traffic. Since this changes with the MAC address, it is
significantly easier if libvirt populates it (rather than requiring the
user to enter it).
As an example, an interface with a MAC address of "12:34:45:46:23:41"
would have a V6LOCAL value of "fe80::1034:45ff:fe46:2341".
---
docs/formatnwfilter.html.in | 11 ++++++++---
src/conf/nwfilter_params.h | 1 +
src/nwfilter/nwfilter_gentech_driver.c | 25 +++++++++++++++++++++++++
3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 45b97f7..4f10884 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -239,9 +239,9 @@
<h3><a name="nwfconceptsvars">Usage of variables in
filters</a></h3>
<p>
- Two variables names have so far been reserved for usage by the
- network traffic filtering subsystem: <code>MAC</code> and
- <code>IP</code>.
+ Three variables names have so far been reserved for usage by the
+ network traffic filtering subsystem: <code>MAC</code>,
+ <code>IP</code>, and <code>V6LOCAL</code> (since 1.2.4).
<br/><br/>
<code>MAC</code> is the MAC address of the
network interface. A filtering rule that references this variable
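Review bot: "Three variables names" keeps the grammar slip from the line it replaces; since the sentence is being rewritten anyway, make it "Three variable names have so far been reserved". The "(since 1.2.4)" marker should be checked against the release the patch actually lands in before merging.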
@@ -251,6 +251,11 @@
parameter similar to the IP parameter above, it is discouraged
since libvirt knows what MAC address an interface will be using.
<br/><br/>
+ <code>V6LOCAL</code> is the computed IPv6 link-local address.
+ This is based on the MAC address of the interface. As an example,
+ a MAC address of <code>12:34:45:46:23:41</code> would result in a
+ link local address of <code>fe80::1034:45ff:fe46:2341</code>.
+ <br/><br/>
The parameter <code>IP</code> represents the IP address
that the operating system inside the virtual machine is expected
to use on the given interface. The <code>IP</code> parameter
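Review bot: the new V6LOCAL paragraph should say how the value is derived and when it will not match, not just that it is "based on the MAC address". The commit message names the scheme (modified EUI-64); put that in the user-facing text, because it is what decides whether the variable equals the address the guest really configures. A guest that forms its interface identifier some other way will have a different link-local address, so a rule keyed on V6LOCAL will not match that guest's traffic; a sentence to that effect saves users a confusing debugging session. Minor: "link local" should be "link-local", as in the line above it.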
diff --git a/src/conf/nwfilter_params.h b/src/conf/nwfilter_params.h
index 5e9777b..f61250f 100644
--- a/src/conf/nwfilter_params.h
+++ b/src/conf/nwfilter_params.h
@@ -98,6 +98,7 @@ bool virNWFilterHashTableEqual(virNWFilterHashTablePtr a,
# define NWFILTER_VARNAME_IP "IP"
# define NWFILTER_VARNAME_MAC "MAC"
+# define NWFILTER_VARNAME_V6LOCAL "V6LOCAL"
# define NWFILTER_VARNAME_CTRL_IP_LEARNING "CTRL_IP_LEARNING"
# define NWFILTER_VARNAME_DHCPSERVER "DHCPSERVER"
diff --git a/src/nwfilter/nwfilter_gentech_driver.c
b/src/nwfilter/nwfilter_gentech_driver.c
index 1ce5e70..c58df1c 100644
--- a/src/nwfilter/nwfilter_gentech_driver.c
+++ b/src/nwfilter/nwfilter_gentech_driver.c
@@ -45,6 +45,7 @@ VIR_LOG_INIT("nwfilter.nwfilter_gentech_driver");
#define NWFILTER_STD_VAR_MAC NWFILTER_VARNAME_MAC
#define NWFILTER_STD_VAR_IP NWFILTER_VARNAME_IP
+#define NWFILTER_STD_VAR_V6LOCAL NWFILTER_VARNAME_V6LOCAL
#define NWFILTER_DFLT_LEARN "any"
@@ -163,6 +164,30 @@ virNWFilterVarHashmapAddStdValues(virNWFilterHashTablePtr table,
"%s", _("Could not add variable 'MAC'
to hashmap"));
return -1;
}
+
+ virMacAddr parsedMac;
+ if (virMacAddrParse(macaddr, &parsedMac) == 0) {
+ parsedMac.addr[0] ^= 2;
+
+ char euiMacAddr[26];
+ snprintf(euiMacAddr, sizeof(euiMacAddr),
+ "fe80::%02x%02x:%02xff:fe%02x:%02x%02x", parsedMac.addr[0],
+ parsedMac.addr[1], parsedMac.addr[2], parsedMac.addr[3],
+ parsedMac.addr[4], parsedMac.addr[5]);
+
+ val = virNWFilterVarValueCreateSimpleCopyValue(euiMacAddr);
+ if (!val)
+ return -1;
+
+ if (virHashAddEntry(table->hashTable,
+ NWFILTER_STD_VAR_V6LOCAL,
+ val) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("Could not add variable
'V6LOCAL' "
+ "to hashmap"));
+ return -1;
+ }
+ }
}
if (ipaddr) {
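Review bot: the virHashAddEntry() failure branch leaks val: the value returned by virNWFilterVarValueCreateSimpleCopyValue() was never inserted into the table on that path, so call virNWFilterVarValueFree(val) before the `return -1;` inside that `if`. Second, when virMacAddrParse() fails the code silently skips V6LOCAL, so a filter that references the variable only fails later with a less helpful message; since macaddr has already been accepted for MAC just above, either report an error here or at least log why V6LOCAL was not set. Style: parsedMac and euiMacAddr are declared mid-block; move them to the function's declarations. `parsedMac.addr[0] ^= 2;` deserves a comment that it inverts the universal/local bit of the first octet (modified EUI-64, RFC 4291 Appendix A), since the bare 2 reads as a magic number, and the 26 in `char euiMacAddr[26]` is exactly "fe80::" plus four 4-hex-digit groups, three colons and the NUL; a comment to that effect, or checking the snprintf() return value, makes the sizing intent visible to the next person who edits the format string.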
--
1.7.1
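Worked example of the derivation the commit message describes, added here and not part of the patch or of libvirt: parse_mac() is a hypothetical stand-in for virMacAddrParse(), and the MAC addresses used as input are constructed (the first is the one quoted in the commit message).

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse "aa:bb:cc:dd:ee:ff" into six octets; 0 on success, -1 on bad input.
 * Hypothetical stand-in for libvirt's virMacAddrParse(). */
static int parse_mac(const char *str, uint8_t mac[6])
{
    unsigned int b[6];
    char trailing;  /* matched only if junk follows the sixth octet */
    if (sscanf(str, "%2x:%2x:%2x:%2x:%2x:%2x%c",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &trailing) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        mac[i] = (uint8_t)b[i];
    return 0;
}

/* Modified EUI-64 link-local address as the patch computes V6LOCAL: invert
 * the universal/local bit (0x02) of the first octet and splice ff:fe between
 * the OUI and device halves (RFC 4291 Appendix A). out needs 26 bytes:
 * "fe80::" + four 4-hex-digit groups + three ':' + NUL. Returns 0 or -1. */
static int mac_to_v6local(const char *macstr, char *out, size_t outlen)
{
    uint8_t m[6];
    if (parse_mac(macstr, m) < 0)
        return -1;
    m[0] ^= 0x02;
    int n = snprintf(out, outlen, "fe80::%02x%02x:%02xff:fe%02x:%02x%02x",
                     m[0], m[1], m[2], m[3], m[4], m[5]);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if macstr derives to expected, else 0 (also 0 for an unparsable MAC). */
static int v6local_matches(const char *macstr, const char *expected)
{
    char buf[26];
    return mac_to_v6local(macstr, buf, sizeof(buf)) == 0 &&
           strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[26];
    /* Constructed input: the MAC used as the example in the commit message. */
    if (mac_to_v6local("12:34:45:46:23:41", buf, sizeof(buf)) == 0)
        printf("V6LOCAL = %s\n", buf);   /* fe80::1034:45ff:fe46:2341 */
    return 0;
}
```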