April 2010 - Devel - libvirt List Archives

[libvirt] [PATCH 0/3] Add dnsmasq module (v2)
by Satoru SATOH 28 Apr '10

28 Apr '10

The following series of patches is a prototype implementation of dnsmasq module. It implements an idea to save dhcp hosts' macaddr vs. ipaddr mappings to static file and make dnsmasq loading it with "--dhcp-hostsfile" option, originally suggested by Dan-san, and can address the problem that too many "--dhcp-host" args hitting ARG_MAX limit I reported last year [1]. This is a updated version reflecting some advices from Jim-san [2] and Eric-san [3]. [1] https://www.redhat.com/archives/libvir-list/2009-October/msg00216.html [2] https://www.redhat.com/archives/libvir-list/2010-April/msg00849.html [3] https://www.redhat.com/archives/libvir-list/2010-April/msg00850.html - satoru

4 15

[libvirt] [PATCH] nwfilter: allow to mix filterrefs and rules in the schema
by Stefan Berger 28 Apr '10

28 Apr '10

So far the references to other filters needed to appear before filtering rules. With the below patch they can now appear in any order. Also I forgot to add a couple of 'rarp's. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- docs/schemas/nwfilter.rng | 472 +++++++++++++++++++++++----------------------- 1 file changed, 237 insertions(+), 235 deletions(-) Index: libvirt-acl/docs/schemas/nwfilter.rng =================================================================== --- libvirt-acl.orig/docs/schemas/nwfilter.rng +++ libvirt-acl/docs/schemas/nwfilter.rng @@ -6,249 +6,249 @@ <define name="filter"> <element name="filter"> <ref name="filter-node-attributes"/> + <optional> + <element name="uuid"> + <ref name="UUID"/> + </element> + </optional> <zeroOrMore> <choice> <element name="filterref"> <ref name="filterref-node-attributes"/> </element> - <element name="uuid"> - <ref name="UUID"/> + <element name="rule"> + <ref name="rule-node-attributes"/> + <optional> + <zeroOrMore> + <element name="mac"> + <ref name="match-attribute"/> + <ref name="common-l2-attributes"/> + <ref name="mac-attributes"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="arp"> + <ref name="match-attribute"/> + <ref name="common-l2-attributes"/> + <ref name="arp-attributes"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="rarp"> + <ref name="match-attribute"/> + <ref name="common-l2-attributes"/> + <ref name="arp-attributes"/>  + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="ip"> + <ref name="match-attribute"/> + <ref name="common-l2-attributes"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-port-attributes"/> + <ref name="ip-attributes"/> + <ref name="dscp-attribute"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="ipv6"> + <ref name="match-attribute"/> + <ref name="common-l2-attributes"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-port-attributes"/> + <ref name="ip-attributes"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="tcp"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-port-attributes"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="udp"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-port-attributes"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="sctp"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-port-attributes"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="icmp"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + <ref name="icmp-attributes"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="igmp"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="all"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="esp"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="ah"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="udplite"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ip-attributes-p1"/> + <ref name="common-ip-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="tcp-ipv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-port-attributes"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="udp-ipv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-port-attributes"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="sctp-ipv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-port-attributes"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="icmpv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + <ref name="icmp-attributes"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="all-ipv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="esp-ipv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="ah-ipv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> + <element name="udplite-ipv6"> + <ref name="match-attribute"/> + <ref name="srcmac-attribute"/> + <ref name="common-ipv6-attributes-p1"/> + <ref name="common-ipv6-attributes-p2"/> + </element> + </zeroOrMore> + </optional> </element> </choice> </zeroOrMore> - <zeroOrMore> - <element name="rule"> - <ref name="rule-node-attributes"/> - <optional> - <zeroOrMore> - <element name="mac"> - <ref name="match-attribute"/> - <ref name="common-l2-attributes"/> - <ref name="mac-attributes"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="arp"> - <ref name="match-attribute"/> - <ref name="common-l2-attributes"/> - <ref name="arp-attributes"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="rarp"> - <ref name="match-attribute"/> - <ref name="common-l2-attributes"/> - <ref name="arp-attributes"/>  - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="ip"> - <ref name="match-attribute"/> - <ref name="common-l2-attributes"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-port-attributes"/> - <ref name="ip-attributes"/> - <ref name="dscp-attribute"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="ipv6"> - <ref name="match-attribute"/> - <ref name="common-l2-attributes"/> - <ref name="common-ipv6-attributes-p1"/> - <ref name="common-port-attributes"/> - <ref name="ip-attributes"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="tcp"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-port-attributes"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-ip-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="udp"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-port-attributes"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-ip-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="sctp"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-port-attributes"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-ip-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="icmp"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-ip-attributes-p2"/> - <ref name="icmp-attributes"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="igmp"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-ip-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="all"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-ip-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="esp"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-ip-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="ah"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-ip-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="udplite"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ip-attributes-p1"/> - <ref name="common-ip-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="tcp-ipv6"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-port-attributes"/> - <ref name="common-ipv6-attributes-p1"/> - <ref name="common-ipv6-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="udp-ipv6"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-port-attributes"/> - <ref name="common-ipv6-attributes-p1"/> - <ref name="common-ipv6-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="sctp-ipv6"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-port-attributes"/> - <ref name="common-ipv6-attributes-p1"/> - <ref name="common-ipv6-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="icmpv6"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ipv6-attributes-p1"/> - <ref name="common-ipv6-attributes-p2"/> - <ref name="icmp-attributes"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="all-ipv6"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ipv6-attributes-p1"/> - <ref name="common-ipv6-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="esp-ipv6"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ipv6-attributes-p1"/> - <ref name="common-ipv6-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="ah-ipv6"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ipv6-attributes-p1"/> - <ref name="common-ipv6-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - <optional> - <zeroOrMore> - <element name="udplite-ipv6"> - <ref name="match-attribute"/> - <ref name="srcmac-attribute"/> - <ref name="common-ipv6-attributes-p1"/> - <ref name="common-ipv6-attributes-p2"/> - </element> - </zeroOrMore> - </optional> - </element> - </zeroOrMore> </element> </define> @@ -263,6 +263,7 @@ <choice> <value>root</value> <value>arp</value> + <value>rarp</value> <value>ipv4</value> <value>ipv6</value> </choice> @@ -690,6 +691,7 @@ <choice> <value>arp</value> + <value>rarp</value> <value>ipv4</value> <value>ipv6</value> </choice>

2 2

[libvirt] [PATCH 00/10]: Add arbitrary qemu command-line and monitor commands
by Chris Lalancette 28 Apr '10

28 Apr '10

As we discussed previously, here is the patch series to add the ability to specify arbitrary qemu command-line parameters and environment variables, and also give arbitrary monitor commands to a guest. Because these extra arguments have a good shot at confusing libvirt, the use of them is not supported, but left available for advanced users and developers. They are also in a separate library and have a separate on-the-wire protocol. There is one bug left that I have not yet been able to fix. Because of the complicated way that virsh parses command-line arguments, it is not possible to pass through spaces and quotes when using the qemu-monitor-command. Unfortunately, the qemu monitor commands (and in particular when using QMP) depend heavily on quoting and spacing, so using virsh to send through command-lines is difficult. I'll have to think about how to better resolve this issue, but it should not hold up the rest of the series. Thanks to Dan Berrange for his review already, and to DV for the Relax NG schema changes.

4 33

[libvirt] [PATCH 0/5]: Add a API for query domain disk sizing info
by Daniel P. Berrange 28 Apr '10

28 Apr '10

This is somewhat late for the 0.8.1 release, but this is a rather critical API for some of the use cases of RHEV. It introduces a new API against a virDomainPtr to allow the direct querying of the size of guest block devices. This is modelled on the virStorageVol API for getting size, so I'm pretty confident on the design and impl here.

3 15

[libvirt] [PATCH] qemudDomainCreate: correct a slightly misdirected goto
by Jim Meyering 27 Apr '10

27 Apr '10

I was looking at other uses of qemuDomainObjEndJob and saw this: >From f8ccc44e7890c1b2ae2ebc266ca5d6215fe9c80d Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering(a)redhat.com> Date: Tue, 27 Apr 2010 22:16:02 +0200 Subject: [PATCH] qemudDomainCreate: correct a slightly misdirected goto * src/qemu/qemu_driver.c (qemudDomainCreate): Goto cleanup, not "endjob", since we know "vm" is already NULL. No semantic change. --- src/qemu/qemu_driver.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index e1b1af3..2daf038 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -4033,35 +4033,35 @@ static virDomainPtr qemudDomainCreate(virConnectPtr conn, const char *xml, goto cleanup; if (!(vm = virDomainAssignDef(driver->caps, &driver->domains, def, false))) goto cleanup; def = NULL; if (qemuDomainObjBeginJobWithDriver(driver, vm) < 0) goto cleanup; /* XXXX free the 'vm' we created ? */ if (qemudStartVMDaemon(conn, driver, vm, NULL, -1) < 0) { if (qemuDomainObjEndJob(vm) > 0) virDomainRemoveInactive(&driver->domains, vm); vm = NULL; - goto endjob; + goto cleanup; } event = virDomainEventNewFromObj(vm, VIR_DOMAIN_EVENT_STARTED, VIR_DOMAIN_EVENT_STARTED_BOOTED); dom = virGetDomain(conn, vm->def->name, vm->def->uuid); if (dom) dom->id = vm->def->id; endjob: if (vm && qemuDomainObjEndJob(vm) == 0) vm = NULL; cleanup: virDomainDefFree(def); if (vm) -- 1.7.1.328.g9993c

2 1

[libvirt] using clang
by Jim Meyering 27 Apr '10

27 Apr '10

Some people have expressed an interest in setting up a libvirt autobuilder using clang. If you do that, be aware that you'll see an ugly looking NULL-deref problem when using the clang that comes with F12 or F13, but if you're using a new enough version (rawhide), it's gone. The offending code is in qemu_monitor.c around line 377 and involves the CMSG_* macros: 365 memset(&msg, 0, sizeof(msg)); 366 367 iov[0].iov_base = (void *)data; 368 iov[0].iov_len = len; 369 370 msg.msg_iov = iov; 371 msg.msg_iovlen = 1; 372 373 msg.msg_control = control; 374 msg.msg_controllen = sizeof(control); 375 376 cmsg = CMSG_FIRSTHDR(&msg)((size_t) (&msg)->msg_controllen >= sizeof (struct cmsghdr ) ? (struct cmsghdr *) (&msg)->msg_control : (struct cmsghdr *) 0); *** 2 Null pointer value stored to 'cmsg' 377 cmsg->cmsg_len = CMSG_LEN(sizeof(int))((((sizeof (struct cmsghdr)) + sizeof (size_t) - 1) & (size_t) ~(sizeof (size_t) - 1)) + (sizeof(int))); *** 3 Dereference of null pointer Presuming this code is actually exercised, it's obviously not dereferencing NULL, so it would be a false positive. I looked at a few usage examples and it seems like glibc's own tests do allocate more storage. If this code is *not* currently being used, we should model it after the glibc test code. ----------------------------------------- FYI, anyone can (and all developers should) run clang. It's simple, but does require a configure-from-scratch, so it's good to keep a separate Build like this: scan-build -o clang ./autogen.sh --enable-compile-warnings=maximum && scan-build -o clang make The "-o clang" tells it to put results in a new directory named "clang".

2 1

[libvirt] [PATCH] nwfilter: let qemu's after-migration packet pass
by Stefan Berger 27 Apr '10

27 Apr '10

Qemu currently sends an Ethernet packet with protocol id 0x835 once a VM was successfully migrated. The content of the packet looks like a gratuitous RARP, just with the wrong protocol ID, which should be 0x8035. I wrote some filters to let either one of the packets pass and am adapting the clean-traffic sample filter to use it. I am also doing some changes on the existing ARP filter which was lacking a test for source MAC address. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- examples/xml/nwfilter/Makefile.am | 5 ++++- examples/xml/nwfilter/clean-traffic.xml | 3 +++ examples/xml/nwfilter/no-arp-spoofing.xml | 13 ++++++++----- examples/xml/nwfilter/no-other-rarp-traffic.xml | 4 ++++ examples/xml/nwfilter/qemu-announce-self-rarp.xml | 14 ++++++++++++++ examples/xml/nwfilter/qemu-announce-self.xml | 13 +++++++++++++ 6 files changed, 46 insertions(+), 6 deletions(-) Index: libvirt-acl/examples/xml/nwfilter/Makefile.am =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/Makefile.am +++ libvirt-acl/examples/xml/nwfilter/Makefile.am @@ -11,7 +11,10 @@ FILTERS = \ no-ip-spoofing.xml \ no-mac-broadcast.xml \ no-mac-spoofing.xml \ - no-other-l2-traffic.xml + no-other-l2-traffic.xml \ + no-other-rarp-traffic.xml \ + qemu-announce-self.xml \ + qemu-announce-self-rarp.xml EXTRA_DIST=$(FILTERS) Index: libvirt-acl/examples/xml/nwfilter/qemu-announce-self-rarp.xml =================================================================== --- /dev/null +++ libvirt-acl/examples/xml/nwfilter/qemu-announce-self-rarp.xml @@ -0,0 +1,14 @@ +<filter name='qemu-announce-self-rarp' chain='rarp'> + <rule action='accept' direction='out' priority='500'> + <rarp opcode='Request_Reverse' + srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff' + arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' + arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/> + </rule> + <rule action='accept' direction='in' priority='500'> + <rarp opcode='Request_Reverse' + dstmacaddr='ff:ff:ff:ff:ff:ff' + arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' + arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/> + </rule> +</filter> Index: libvirt-acl/examples/xml/nwfilter/clean-traffic.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/clean-traffic.xml +++ libvirt-acl/examples/xml/nwfilter/clean-traffic.xml @@ -14,4 +14,7 @@  <filterref filter='no-other-l2-traffic'/> +  + <filterref filter='qemu-announce-self'/> + </filter> Index: libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml =================================================================== --- libvirt-acl.orig/examples/xml/nwfilter/no-arp-spoofing.xml +++ libvirt-acl/examples/xml/nwfilter/no-arp-spoofing.xml @@ -1,27 +1,30 @@ <filter name='no-arp-spoofing' chain='arp'> <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid> + <rule action='drop' direction='out' priority='300' > + <mac match='no' srcmacaddr='$MAC'/> + </rule>   - <rule action='drop' direction='out' priority='400' > + <rule action='drop' direction='out' priority='350' > <arp match='no' arpsrcmacaddr='$MAC'/> </rule> <rule action='drop' direction='out' priority='400' > <arp match='no' arpsrcipaddr='$IP' /> </rule>  - <rule action='drop' direction='in' priority='400' > + <rule action='drop' direction='in' priority='450' > <arp match='no' arpdstmacaddr='$MAC'/> <arp opcode='reply'/> </rule> - <rule action='drop' direction='in' priority='400' > + <rule action='drop' direction='in' priority='500' > <arp match='no' arpdstipaddr='$IP' /> </rule>  - <rule action='accept' direction='inout' priority='500' > + <rule action='accept' direction='inout' priority='600' > <arp opcode='request'/> </rule> - <rule action='accept' direction='inout' priority='500' > + <rule action='accept' direction='inout' priority='650' > <arp opcode='reply'/> </rule>  Index: libvirt-acl/examples/xml/nwfilter/no-other-rarp-traffic.xml =================================================================== --- /dev/null +++ libvirt-acl/examples/xml/nwfilter/no-other-rarp-traffic.xml @@ -0,0 +1,4 @@ +<filter name='no-other-rarp-traffic' chain='rarp'> + <rule action='drop' direction='inout' priority='1000'/> +</filter> + Index: libvirt-acl/examples/xml/nwfilter/qemu-announce-self.xml =================================================================== --- /dev/null +++ libvirt-acl/examples/xml/nwfilter/qemu-announce-self.xml @@ -0,0 +1,13 @@ +<filter name='qemu-announce-self' chain='root'> +  +  + <rule action='accept' direction='out'> + <mac protocolid='0x835'/> + </rule> + +  + <filterref filter='qemu-announce-self-rarp'/> + <filterref filter='no-other-rarp-traffic'/> + +</filter>

2 2

[libvirt] [PATCH 0/8]: Snapshot fixes
by Chris Lalancette 27 Apr '10

27 Apr '10

Hello, This series of patches fixes up a number of problems discovered while testing the snapshot code. Descriptions of the fixes are in the individual patches. Please review. Thanks, Chris Lalancette

3 24

[libvirt] nwfilter: add test case for RARP protocol
by Stefan Berger 27 Apr '10

27 Apr '10

This patch adds a test case for the RARP protocol. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- tests/nwfilterxml2xmlin/rarp-test.xml | 33 +++++++++++++++++++++++++++++++++ tests/nwfilterxml2xmlout/rarp-test.xml | 18 ++++++++++++++++++ tests/nwfilterxml2xmltest.c | 1 + 3 files changed, 52 insertions(+) Index: libvirt-acl/tests/nwfilterxml2xmlin/rarp-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlin/rarp-test.xml @@ -0,0 +1,33 @@ +<filter name='testcase'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + protocolid='rarp' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' + hwtype='12' + protocoltype='34' + opcode='Request' + arpsrcmacaddr='1:2:3:4:5:6' + arpdstmacaddr='a:b:c:d:e:f'/> + </rule> + + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + opcode='1' hwtype='255' protocoltype='255'/> + </rule> + + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + opcode='11' hwtype='256' protocoltype='256'/> + </rule> + + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + opcode='65535' hwtype='65535' protocoltype='65535' /> + </rule> + + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + opcode='65536' hwtype='65536' protocoltype='65536' /> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmlout/rarp-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlout/rarp-test.xml @@ -0,0 +1,18 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' hwtype='12' protocoltype='34' opcode='Request' arpsrcmacaddr='01:02:03:04:05:06' arpdstmacaddr='0a:0b:0c:0d:0e:0f'/> + </rule> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' hwtype='255' protocoltype='255' opcode='Request'/> + </rule> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' hwtype='256' protocoltype='256' opcode='11'/> + </rule> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' hwtype='65535' protocoltype='65535' opcode='65535'/> + </rule> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmltest.c =================================================================== --- libvirt-acl.orig/tests/nwfilterxml2xmltest.c +++ libvirt-acl/tests/nwfilterxml2xmltest.c @@ -90,6 +90,7 @@ mymain(int argc, char **argv) DO_TEST("mac-test"); DO_TEST("arp-test"); + DO_TEST("rarp-test"); DO_TEST("ip-test"); DO_TEST("ipv6-test");

2 1

[libvirt] [PATCH] nwfilter: add support for RAPR protocol
by Stefan Berger 27 Apr '10

27 Apr '10

This patch adds support for the RARP protocol. This may be needed due to qemu sending out a RARP packet (at least that's what it seems to want to do even though the protocol id is wrong) when migration finishes and we'd need a rule to let the packets pass. Unfortunately my installation of ebtables does not understand -p RARP and also seems to otherwise depend on strings in /etc/ethertype translated to protocol identifiers. Therefore I need to pass -p 0x8035 for RARP. To generally get rid of the dependency of that file I switch all so far supported protocols to use their protocol identifier in the -p parameter rather than the string. I am also extending the schema. Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- docs/schemas/nwfilter.rng | 9 ++ src/conf/nwfilter_conf.c | 29 ++----- src/conf/nwfilter_conf.h | 22 +++++- src/nwfilter/nwfilter_ebiptables_driver.c | 109 ++++++++++++++++++------------ 4 files changed, 106 insertions(+), 63 deletions(-) Index: libvirt-acl/docs/schemas/nwfilter.rng =================================================================== --- libvirt-acl.orig/docs/schemas/nwfilter.rng +++ libvirt-acl/docs/schemas/nwfilter.rng @@ -39,6 +39,15 @@ </optional> <optional> <zeroOrMore> + <element name="rarp"> + <ref name="match-attribute"/> + <ref name="common-l2-attributes"/> + <ref name="arp-attributes"/>  + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> <element name="ip"> <ref name="match-attribute"/> <ref name="common-l2-attributes"/> Index: libvirt-acl/src/conf/nwfilter_conf.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.c +++ libvirt-acl/src/conf/nwfilter_conf.c @@ -46,22 +46,6 @@ #include "domain_conf.h" -/* XXX - * The config parser/structs should not be using platform specific - * constants. Win32 lacks these constants, breaking the parser, - * so temporarily define them until this can be re-written to use - * locally defined enums for all constants - */ -#ifndef ETHERTYPE_IP -# define ETHERTYPE_IP 0x0800 -#endif -#ifndef ETHERTYPE_ARP -# define ETHERTYPE_ARP 0x0806 -#endif -#ifndef ETHERTYPE_IPV6 -# define ETHERTYPE_IPV6 0x86dd -#endif - #define VIR_FROM_THIS VIR_FROM_NWFILTER @@ -90,6 +74,7 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST, "root", "arp", + "rarp", "ipv4", "ipv6"); @@ -97,6 +82,7 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V "none", "mac", "arp", + "rarp", "ip", "ipv6", "tcp", @@ -412,11 +398,10 @@ struct _virXMLAttr2Struct static const struct int_map macProtoMap[] = { - INTMAP_ENTRY(ETHERTYPE_ARP , "arp"), - INTMAP_ENTRY(ETHERTYPE_IP , "ipv4"), -#ifdef ETHERTYPE_IPV6 - INTMAP_ENTRY(ETHERTYPE_IPV6, "ipv6"), -#endif + INTMAP_ENTRY(ETHERTYPE_ARP , "arp"), + INTMAP_ENTRY(ETHERTYPE_REVARP, "rarp"), + INTMAP_ENTRY(ETHERTYPE_IP , "ipv4"), + INTMAP_ENTRY(ETHERTYPE_IPV6 , "ipv6"), INTMAP_ENTRY_LAST }; @@ -1084,6 +1069,7 @@ struct _virAttributes { static const virAttributes virAttr[] = { PROTOCOL_ENTRY("arp" , arpAttributes , VIR_NWFILTER_RULE_PROTOCOL_ARP), + PROTOCOL_ENTRY("rarp" , arpAttributes , VIR_NWFILTER_RULE_PROTOCOL_RARP), PROTOCOL_ENTRY("mac" , macAttributes , VIR_NWFILTER_RULE_PROTOCOL_MAC), PROTOCOL_ENTRY("ip" , ipAttributes , VIR_NWFILTER_RULE_PROTOCOL_IP), PROTOCOL_ENTRY("ipv6" , ipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_IPV6), @@ -1434,6 +1420,7 @@ virNWFilterRuleDefFixup(virNWFilterRuleD break; case VIR_NWFILTER_RULE_PROTOCOL_ARP: + case VIR_NWFILTER_RULE_PROTOCOL_RARP: case VIR_NWFILTER_RULE_PROTOCOL_NONE: break; Index: libvirt-acl/src/conf/nwfilter_conf.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.h +++ libvirt-acl/src/conf/nwfilter_conf.h @@ -35,6 +35,24 @@ # include "xml.h" # include "network.h" +/* XXX + * The config parser/structs should not be using platform specific + * constants. Win32 lacks these constants, breaking the parser, + * so temporarily define them until this can be re-written to use + * locally defined enums for all constants + */ +# ifndef ETHERTYPE_IP +# define ETHERTYPE_IP 0x0800 +# endif +# ifndef ETHERTYPE_ARP +# define ETHERTYPE_ARP 0x0806 +# endif +# ifndef ETHERTYPE_REVARP +# define ETHERTYPE_REVARP 0x8035 +# endif +# ifndef ETHERTYPE_IPV6 +# define ETHERTYPE_IPV6 0x86dd +# endif /** * Chain suffix size is: @@ -290,6 +308,7 @@ enum virNWFilterRuleProtocolType { VIR_NWFILTER_RULE_PROTOCOL_NONE = 0, VIR_NWFILTER_RULE_PROTOCOL_MAC, VIR_NWFILTER_RULE_PROTOCOL_ARP, + VIR_NWFILTER_RULE_PROTOCOL_RARP, VIR_NWFILTER_RULE_PROTOCOL_IP, VIR_NWFILTER_RULE_PROTOCOL_IPV6, VIR_NWFILTER_RULE_PROTOCOL_TCP, @@ -334,7 +353,7 @@ struct _virNWFilterRuleDef { enum virNWFilterRuleProtocolType prtclType; union { ethHdrFilterDef ethHdrFilter; - arpHdrFilterDef arpHdrFilter; + arpHdrFilterDef arpHdrFilter; /* also used for rarp */ ipHdrFilterDef ipHdrFilter; ipv6HdrFilterDef ipv6HdrFilter; tcpHdrFilterDef tcpHdrFilter; @@ -371,6 +390,7 @@ struct _virNWFilterEntry { enum virNWFilterChainSuffixType { VIR_NWFILTER_CHAINSUFFIX_ROOT = 0, VIR_NWFILTER_CHAINSUFFIX_ARP, + VIR_NWFILTER_CHAINSUFFIX_RARP, VIR_NWFILTER_CHAINSUFFIX_IPv4, VIR_NWFILTER_CHAINSUFFIX_IPv6, Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -32,6 +32,7 @@ #include "logging.h" #include "virterror_internal.h" #include "domain_conf.h" +#include "nwfilter_conf.h" #include "nwfilter_gentech_driver.h" #include "nwfilter_ebiptables_driver.h" @@ -103,11 +104,28 @@ static int ebiptablesDriverInit(void); static void ebiptablesDriverShutdown(void); -static const char *supported_protocols[] = { - "ipv4", - "ipv6", - "arp", - NULL, +struct ushort_map { + unsigned short attr; + const char *val; +}; + + +enum l3_proto_idx { + L3_PROTO_IPV4_IDX = 0, + L3_PROTO_IPV6_IDX, + L3_PROTO_ARP_IDX, + L3_PROTO_RARP_IDX, + L3_PROTO_LAST_IDX +}; + +#define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL) [IDX] = { .attr = ATT, .val = VAL } + +static const struct ushort_map l3_protocols[] = { + USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP , "ipv4"), + USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6 , "ipv6"), + USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP , "arp"), + USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"), + USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0 , NULL), }; @@ -1609,6 +1627,7 @@ ebtablesCreateRuleInstance(char chainPre break; case VIR_NWFILTER_RULE_PROTOCOL_ARP: + case VIR_NWFILTER_RULE_PROTOCOL_RARP: virBufferVSprintf(&buf, CMD_DEF_PRE "%s -t %s -%%c %s %%s", @@ -1620,7 +1639,10 @@ ebtablesCreateRuleInstance(char chainPre reverse)) goto err_exit; - virBufferAddLit(&buf, " -p arp"); + virBufferVSprintf(&buf, " -p 0x%x", + (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP) + ? l3_protocols[L3_PROTO_ARP_IDX].attr + : l3_protocols[L3_PROTO_RARP_IDX].attr); if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) { if (printDataType(vars, @@ -2034,6 +2056,7 @@ ebiptablesCreateRuleInstance(virConnectP case VIR_NWFILTER_RULE_PROTOCOL_IP: case VIR_NWFILTER_RULE_PROTOCOL_MAC: case VIR_NWFILTER_RULE_PROTOCOL_ARP: + case VIR_NWFILTER_RULE_PROTOCOL_RARP: case VIR_NWFILTER_RULE_PROTOCOL_NONE: case VIR_NWFILTER_RULE_PROTOCOL_IPV6: @@ -2425,7 +2448,7 @@ static int ebtablesCreateTmpSubChain(virBufferPtr buf, int incoming, const char *ifname, - const char *protocol, + enum l3_proto_idx protoidx, int stopOnError) { char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH]; @@ -2433,13 +2456,13 @@ ebtablesCreateTmpSubChain(virBufferPtr b : CHAINPREFIX_HOST_OUT_TEMP; PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname); - PRINT_CHAIN(chain, chainPrefix, ifname, protocol); + PRINT_CHAIN(chain, chainPrefix, ifname, l3_protocols[protoidx].val); virBufferVSprintf(buf, CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR CMD_EXEC "%s" - CMD_DEF("%s -t %s -A %s -p %s -j %s") CMD_SEPARATOR + CMD_DEF("%s -t %s -A %s -p 0x%x -j %s") CMD_SEPARATOR CMD_EXEC "%s", @@ -2448,7 +2471,7 @@ ebtablesCreateTmpSubChain(virBufferPtr b CMD_STOPONERR(stopOnError), ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, - rootchain, protocol, chain, + rootchain, l3_protocols[protoidx].attr, chain, CMD_STOPONERR(stopOnError)); @@ -2460,11 +2483,12 @@ static int _ebtablesRemoveSubChain(virBufferPtr buf, int incoming, const char *ifname, - const char *protocol, + enum l3_proto_idx protoidx, int isTempChain) { char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH]; char chainPrefix; + if (isTempChain) { chainPrefix =(incoming) ? CHAINPREFIX_HOST_IN_TEMP : CHAINPREFIX_HOST_OUT_TEMP; @@ -2474,14 +2498,14 @@ _ebtablesRemoveSubChain(virBufferPtr buf } PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname); - PRINT_CHAIN(chain, chainPrefix, ifname, protocol); + PRINT_CHAIN(chain, chainPrefix, ifname, l3_protocols[protoidx].val); virBufferVSprintf(buf, - "%s -t %s -D %s -p %s -j %s" CMD_SEPARATOR + "%s -t %s -D %s -p 0x%x -j %s" CMD_SEPARATOR "%s -t %s -F %s" CMD_SEPARATOR "%s -t %s -X %s" CMD_SEPARATOR, ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, - rootchain, protocol, chain, + rootchain, l3_protocols[protoidx].attr, chain, ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, @@ -2495,10 +2519,10 @@ static int ebtablesRemoveSubChain(virBufferPtr buf, int incoming, const char *ifname, - const char *protocol) + enum l3_proto_idx protoidx) { return _ebtablesRemoveSubChain(buf, - incoming, ifname, protocol, 0); + incoming, ifname, protoidx, 0); } @@ -2506,10 +2530,11 @@ static int ebtablesRemoveSubChains(virBufferPtr buf, const char *ifname) { - int i; - for (i = 0; supported_protocols[i]; i++) { - ebtablesRemoveSubChain(buf, 1, ifname, supported_protocols[i]); - ebtablesRemoveSubChain(buf, 0, ifname, supported_protocols[i]); + enum l3_proto_idx i; + + for (i = 0; i < L3_PROTO_LAST_IDX; i++) { + ebtablesRemoveSubChain(buf, 1, ifname, i); + ebtablesRemoveSubChain(buf, 0, ifname, i); } return 0; @@ -2520,10 +2545,10 @@ static int ebtablesRemoveTmpSubChain(virBufferPtr buf, int incoming, const char *ifname, - const char *protocol) + enum l3_proto_idx protoidx) { return _ebtablesRemoveSubChain(buf, - incoming, ifname, protocol, 1); + incoming, ifname, protoidx, 1); } @@ -2531,12 +2556,11 @@ static int ebtablesRemoveTmpSubChains(virBufferPtr buf, const char *ifname) { - int i; - for (i = 0; supported_protocols[i]; i++) { - ebtablesRemoveTmpSubChain(buf, 1, ifname, - supported_protocols[i]); - ebtablesRemoveTmpSubChain(buf, 0, ifname, - supported_protocols[i]); + enum l3_proto_idx i; + + for (i = 0; i < L3_PROTO_LAST_IDX; i++) { + ebtablesRemoveTmpSubChain(buf, 1, ifname, i); + ebtablesRemoveTmpSubChain(buf, 0, ifname, i); } return 0; @@ -2574,12 +2598,11 @@ static int ebtablesRenameTmpSubChains(virBufferPtr buf, const char *ifname) { - int i; - for (i = 0; supported_protocols[i]; i++) { - ebtablesRenameTmpSubChain (buf, 1, ifname, - supported_protocols[i]); - ebtablesRenameTmpSubChain (buf, 0, ifname, - supported_protocols[i]); + enum l3_proto_idx i; + + for (i = 0; i < L3_PROTO_LAST_IDX; i++) { + ebtablesRenameTmpSubChain (buf, 1, ifname, l3_protocols[i].val); + ebtablesRenameTmpSubChain (buf, 0, ifname, l3_protocols[i].val); } return 0; @@ -2909,20 +2932,24 @@ ebiptablesApplyNewRules(virConnectPtr co ebtablesCreateTmpRootChain(&buf, 0, ifname, 1); if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4)) - ebtablesCreateTmpSubChain(&buf, 1, ifname, "ipv4", 1); + ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_IPV4_IDX, 1); if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4)) - ebtablesCreateTmpSubChain(&buf, 0, ifname, "ipv4", 1); + ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_IPV4_IDX, 1); if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv6)) - ebtablesCreateTmpSubChain(&buf, 1, ifname, "ipv6", 1); + ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_IPV6_IDX, 1); if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv6)) - ebtablesCreateTmpSubChain(&buf, 0, ifname, "ipv6", 1); + ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_IPV6_IDX, 1); - // keep arp as last + // keep arp,rarp as last if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP)) - ebtablesCreateTmpSubChain(&buf, 1, ifname, "arp", 1); + ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_ARP_IDX, 1); if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP)) - ebtablesCreateTmpSubChain(&buf, 0, ifname, "arp", 1); + ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_ARP_IDX, 1); + if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_RARP)) + ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_RARP_IDX, 1); + if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_RARP)) + ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_RARP_IDX, 1); if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) goto tear_down_tmpebchains;

2 1