Devel
May 2010
This is a repost of a previously posted patch.
Attached is a test for automatic testing of the nwfilter rules as they
are instantiated in the form of ebtables, iptables and ip6tables rules on
running VMs.
The test automatically starts libvirtd from the build directory unless
it finds libvirtd running. My hope is that one won't notice this. It
uses virsh from the build directory to create two dummy VMs with random
name suffixes. The VMs don't boot any OS but just stop in the BIOS. This
is enough to run the nwfilter tests. Afterwards the nwfilters of the one
VM are continuously modified and the instantiation is checked. The
instantiation of rules of the 2nd VM is also continuously checked to
verify that the modifications on the 1st VM have had no effect on the
instantiated rules of the 2nd VM.
The test has a couple of command line options. Run it as follows
nwfilter2vmtest.sh --noattach --libvirt-test
to get the expected libvirt test suite output:
TEST: nwfilter2vmtest.sh
........................................ 40
[...]
..................... 821 OK
nwfilter2vmtest.sh --noattach --verbose to get lots of this kind of
output:
PASS nwfilterxml2xmlin/ah-ipv6-test.xml : ip6tables -L FI-testvm8328 -n
PASS nwfilterxml2xmlin/ah-ipv6-test.xml : ip6tables -L FO-testvm8328 -n
[...]
My installation currently has problems with attaching interfaces to VMs,
so I have to use the --noattach option to avoid tests on interface
attachments (ymmv).
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
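As an added example (not code from the posted patch or from libvirt), a POSIX sh checker for the .fwall expected-output files in this series. It assumes the format the files suggest: a line starting with `#` is the command to run, the lines up to the next `#` line are its expected output, and the literal `vnet0` stands for the VM's real tap interface (so the same file serves VMs with random name suffixes); `fwall_check` and `fwall_normalize` are hypothetical names, not the script's own.

```shell
#!/bin/sh
# Added example, not part of the posted patch. It checks one .fwall
# expected-output file: a line starting with '#' is the command to run,
# the lines that follow (up to the next '#' line) are its expected output.
# Assumption: 'vnet0' in both the command and the expected lines stands
# for the VM's real tap interface, which the caller passes in.

# Make the comparison independent of iptables' column padding: squeeze runs
# of blanks, trim the line ends and drop empty lines.
fwall_normalize() {
    sed -e 's/[[:blank:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d'
}

# Run the command collected so far and compare its output with the expected
# block. State is kept in fwall_* globals because POSIX sh has no locals.
fwall_flush() {
    [ -n "$fwall_cmd" ] || return 0
    actual=$(sh -c "$fwall_cmd" 2>/dev/null | fwall_normalize)
    want=$(printf '%s' "$fwall_expected" | fwall_normalize)
    if [ "$actual" = "$want" ]; then
        echo "PASS $fwall_file : $fwall_cmd"
    else
        echo "FAIL $fwall_file : $fwall_cmd"
        fwall_fails=$((fwall_fails + 1))
    fi
}

# fwall_check FILE IFNAME
# Prints one PASS/FAIL line per command in FILE and returns the number of
# failing blocks (0 means every listing matched its expectation).
fwall_check() {
    fwall_file=$1
    ifname=$2
    fwall_fails=0
    fwall_cmd=""
    fwall_expected=""
    while IFS= read -r line || [ -n "$line" ]; do
        # substitute the real interface name wherever the file says vnet0
        line=$(printf '%s' "$line" | sed "s/vnet0/$ifname/g")
        case $line in
            "#"*)
                fwall_flush
                fwall_cmd=${line#"#"}
                fwall_expected=""
                ;;
            *)
                fwall_expected="${fwall_expected}${line}
"
                ;;
        esac
    done < "$fwall_file"
    fwall_flush
    return $fwall_fails
}
```

Run it as `fwall_check tests/nwfilterxml2fwallout/tcp-test.fwall <tap-interface>` on a host where the filter is instantiated; it needs the same privileges as the iptables/ebtables listings themselves.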
---
tests/nwfilter2vmtest.sh | 461 ++++++++++++++++++
tests/nwfilterxml2fwallout/ah-ipv6-test.fwall | 28 +
tests/nwfilterxml2fwallout/ah-test.fwall | 26 +
tests/nwfilterxml2fwallout/all-ipv6-test.fwall | 28 +
tests/nwfilterxml2fwallout/all-test.fwall | 26 +
tests/nwfilterxml2fwallout/arp-test.fwall | 9
tests/nwfilterxml2fwallout/conntrack-test.fwall | 24
tests/nwfilterxml2fwallout/esp-ipv6-test.fwall | 28 +
tests/nwfilterxml2fwallout/esp-test.fwall | 26 +
tests/nwfilterxml2fwallout/hex-data-test.fwall | 68 ++
tests/nwfilterxml2fwallout/icmp-direction-test.fwall | 23
tests/nwfilterxml2fwallout/icmp-direction2-test.fwall | 23
tests/nwfilterxml2fwallout/icmp-direction3-test.fwall | 23
tests/nwfilterxml2fwallout/icmp-test.fwall | 23
tests/nwfilterxml2fwallout/icmpv6-test.fwall | 26 +
tests/nwfilterxml2fwallout/igmp-test.fwall | 26 +
tests/nwfilterxml2fwallout/ip-test.fwall | 12
tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall | 19
tests/nwfilterxml2fwallout/ipv6-test.fwall | 13
tests/nwfilterxml2fwallout/mac-test.fwall | 12
tests/nwfilterxml2fwallout/rarp-test.fwall | 9
tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall | 28 +
tests/nwfilterxml2fwallout/sctp-ipv6-test.xml | 29 +
tests/nwfilterxml2fwallout/sctp-test.fwall | 26 +
tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall | 28 +
tests/nwfilterxml2fwallout/tcp-test.fwall | 26 +
tests/nwfilterxml2fwallout/testvm.fwall.dat | 73 ++
tests/nwfilterxml2fwallout/udp-ipv6-test.fwall | 28 +
tests/nwfilterxml2fwallout/udp-ipv6-test.xml | 29 +
tests/nwfilterxml2fwallout/udp-test.fwall | 26 +
tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall | 28 +
tests/nwfilterxml2fwallout/udplite-test.fwall | 26 +
32 files changed, 1280 insertions(+)
Index: libvirt-acl/tests/nwfilterxml2fwallout/arp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/arp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+
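Review bot: the trailing empty line at the end of arp-test.fwall (the bare `+` after `-i vnet0 -j libvirt-I-vnet0`) is inconsistent with ipv6-test.fwall, which ends without one, and mac-test.fwall and ip-test.fwall end the same way as this file; since every listed command already strips blank lines with `grep -v "^$"` or `grep vnet0`, drop the trailing empty line so an exact line-by-line comparison does not depend on it.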
Index: libvirt-acl/tests/nwfilterxml2fwallout/mac-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/mac-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0x600 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0xffff -d aa:bb:cc:dd:ee:ff -j ACCEPT
+
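Review bot: the PREROUTING and POSTROUTING listing commands here are piped through `grep -v "^Bridge" | grep -v "^$"` in addition to `grep vnet0`, while ip-test.fwall and ipv6-test.fwall use `ebtables -t nat -L PREROUTING | grep vnet0` alone for the same check; the extra filters are redundant once `grep vnet0` has run, so use one form in all the ebtables expectation files to keep them diffable against each other.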
Index: libvirt-acl/tests/nwfilterxml2fwallout/ip-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ip-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-proto udp --ip-sport 20:22 --ip-dport 100:101 -j ACCEPT
+-p IPv4 --ip-src 10.1.0.0/17 --ip-dst 10.1.2.0/24 --ip-tos 0x3F --ip-proto udp -j ACCEPT
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.3 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-proto 255 -j ACCEPT
+-p IPv4 --ip-src 10.1.2.3 --ip-dst 10.1.2.2/31 -j ACCEPT
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ipv6-test.fwall
@@ -0,0 +1,13 @@
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT
Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
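Review bot: the chain and interface names in this expectation file are `FI-vnet0`/`vnet0`, while the verbose run in the cover text shows `ip6tables -L FI-testvm8328 -n`, so nwfilter2vmtest.sh must substitute the random interface name into both the command and the expected lines before comparing, and that convention is not documented in the files. The three `iptables -L <chain> -n` listings are also not normalized with `tr -s " "` although the `grep vnet0` listings below them are, so how column padding in `Chain FI-vnet0 (1 references)` and `target prot opt source destination` is handled depends on the script; a one-line header comment in the .fwall files describing the substitution and whitespace rules would make the format self-explaining.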
Index: libvirt-acl/tests/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/tcp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535 dpts:255:256
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
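Review bot: udp-test.fwall, tcp-test.fwall and sctp-test.fwall are identical apart from the protocol token in the `prot` column and in the `spts:`/`dpts:` match text, so a single template with the protocol substituted would keep the three from drifting apart when the rule layout changes; if they stay separate files, note in the cover text that they are meant to be kept in sync.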
Index: libvirt-acl/tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21
+RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111
+ACCEPT tcp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21
+ACCEPT tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
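Review bot: `#ip6tables -L INPUT -n --line-numbers | grep libvirt` with the expected line `1 libvirt-host-in all ::/0 ::/0` pins libvirt's chain to rule position 1 of the host's INPUT chain, so the test fails on any host that already carries its own ip6tables INPUT rules ahead of libvirt's, and the IPv4 files run no INPUT check at all; drop `--line-numbers` (and the leading `1`) and check only that the jump to `libvirt-host-in` exists, and add the same check to the iptables expectation files if it matters for IPv4 too.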
Index: libvirt-acl/tests/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/all-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
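Review bot: the second and third rules in each of FI-vnet0, FO-vnet0 and HI-vnet0 are byte-for-byte identical (`RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21` twice), so a reader cannot tell whether the input XML really contains two rules that collapse to the same iptables output or the duplicate is a copy-paste slip; a short comment in the file or in the cover text stating which two XML rules produce these lines would make the expectation verifiable.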
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11
+ACCEPT icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/igmp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
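Review bot: the `prot` column shows `2` rather than `igmp` in every rule of this file, which is how `iptables -L -n` prints IGMP (numeric mode only knows a handful of protocol names), but next to `tcp`/`udp`/`sctp` in the sibling files it reads like an error; a comment line stating that the numeric protocol is the expected output under `-n` would save the next reader a detour.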
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -0,0 +1,26 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255
+ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11
+ACCEPT icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+
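Review bot: the file ends with a trailing empty line (the bare `+` after the `FO-vnet0 ... --physdev-out vnet0` line), unlike tcp-ipv6-test.fwall and the other ip6tables expectation files; drop it so all ip6tables files end the same way and an exact comparison does not depend on it.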
Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.xml
@@ -0,0 +1,29 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED
+ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111
+ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21
+ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256
+
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
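Review bot: this file lives in tests/nwfilterxml2fwallout/ with a `.xml` extension but contains ip6tables expected output, and the diffstat lists both `udp-ipv6-test.fwall` (28 lines) and `udp-ipv6-test.xml` (29 lines), so it looks like a misnamed duplicate of the `.fwall` file; the extra line is the blank one before `#ip6tables -L INPUT`, and the `grep vnet0` commands here lack the `| tr -s " "` that the `.fwall` version carries. Drop the `.xml` copy (or rename it) rather than shipping two expectation files for one test.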
Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.xml
@@ -0,0 +1,29 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED
+ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111
+ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21
+ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256
+
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
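Review bot: same problem as udp-ipv6-test.xml: the diffstat has both `sctp-ipv6-test.fwall` and `sctp-ipv6-test.xml`, this `.xml` copy has a blank line in the middle and no `tr -s " "` on the `grep vnet0` commands, and nothing in it is XML; drop it or fold whatever differs into the `.fwall` file.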
Index: libvirt-acl/tests/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN ah ::/0 a:b:c::/128 DSCP match 0x21
+RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED
+ACCEPT ah a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT ah ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT ah ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT ah ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ah-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN all ::/0 a:b:c::/128 DSCP match 0x21
+RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED
+ACCEPT all a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT all ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT all ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT all ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN esp ::/0 a:b:c::/128 DSCP match 0x21
+RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED
+ACCEPT esp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT esp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT esp ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT esp ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/esp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
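Review bot: the second and third rules of every chain in this file are byte-identical ("RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21" twice, and likewise in FO-vnet0 and HI-vnet0), so the expected output cannot tell whether the two XML rules behind them actually differ; if they exercise two spellings of the same 10.1.0.0/22 match, say so in a comment in the matching .xml, otherwise one of them is redundant. Also, unlike the ip6tables files (all-ipv6-test, esp-ipv6-test) this iptables file never verifies that libvirt-host-in is hooked into INPUT; add the "#iptables -L INPUT -n --line-numbers | grep libvirt" check for symmetry with the "#ip6tables -L INPUT ..." check above.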
Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED
+ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111
+ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21
+ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED
+ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111
+ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21
+ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
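Review bot: the second rule in each chain here matches destination "::/0" ("RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21"), whereas the otherwise parallel sctp-ipv6-test expects "a:b:c::/128" in the same position. If the udp XML deliberately omits the address to cover the address-less port-range case, a comment in the .xml would make that visible; otherwise this looks like a dropped dstipaddr in the test input.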
Index: libvirt-acl/tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21
+RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED
+ACCEPT udplite a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT udplite ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udplite ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT udplite ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udplite-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
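Review bot: the expected lines depend on iptables' fixed-width column layout: "udplite" overflows the protocol column so it is printed fused with the option marker ("RETURN udplite-- 0.0.0.0/0 10.1.2.3 ..."), and checkExpectedOutput in nwfilter2vmtest.sh compares the listing with a literal diff. That is right for the iptables that produced these files but fragile across versions; either note the version in the file or normalize the listing before diffing. The same duplicate-rule remark as for esp-test applies: rules two and three of each chain are identical.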
Index: libvirt-acl/tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC ! 12:34:56:78:9A:BC
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC ! AA:AA:AA:AA:AA:AA
+#iptables -L HI-vnet0
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
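Review bot: both DROP rules land in FO-vnet0, the chain reached via "--physdev-out vnet0", i.e. frames being delivered to the guest, so "MAC ! 12:34:56:78:9A:BC" inspects the source MAC of traffic headed into the VM rather than the frames the VM emits. If the file name means "the guest must not spoof its MAC", the rules belong in FI-vnet0/HI-vnet0 (the physdev-in chains); if the point is only to exercise the negated MAC match, rename the test or say so in the .xml. Minor: "#iptables -L HI-vnet0" is the only chain listing without -n; add it so the test never does reverse DNS lookups and stays consistent with the other listings.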
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
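Review bot: the FI RETURN for ICMP type 8 carries "state NEW,ESTABLISHED", but FO-vnet0 has no "state ESTABLISHED" counterpart for it (compare icmp-direction3-test, where the FI RETURN is paired with "ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED" in FO); echo replies to the guest are admitted only by the explicit type 0 rule that precedes the DROP. If that is the intended output for a typed ICMP rule, a comment in the .xml explaining why no reverse rule is generated would help the next reader.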
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-acl/tests/nwfilterxml2fwallout/conntrack-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/conntrack-test.fwall
@@ -0,0 +1,24 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
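Review bot: the expected "#conn/32 > 1" and "#conn/32 > 2" strings are the connlimit extension's listing format and change with the iptables version, while the diff in nwfilter2vmtest.sh is literal; rarp-test already normalizes ebtables output with sed (0x8035 to RARP), so either do the same here or record the iptables version these files were generated against. Also worth a comment in the test: the connlimit DROPs precede the stateful RETURN, so they are evaluated for every packet of the flow, not only for NEW connections.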
Index: libvirt-acl/tests/nwfilterxml2fwallout/rarp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/rarp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0 | sed s/0x8035/RARP/g | grep -v "^Bridge" | grep -v "^$"
+-p RARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+
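Review bot: this file rewrites the ethertype with "sed s/0x8035/RARP/g" because ebtables prints the name only when /etc/ethertypes maps 0x8035 to RARP, but testvm.fwall.dat expects the literal "-p 0x8035 -j I-vnet0-rarp"; on a host where the name is known, rarp-test passes and testvm.fwall.dat fails, so both files should go through the same normalization (or both expect the numeric form). The trailing empty line is harmless only because checkExpectedOutput stops at the first blank line; that is also why a blank line anywhere else in a .fwall silently truncates the test, which deserves a comment in the script.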
Index: libvirt-acl/tests/nwfilterxml2fwallout/hex-data-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/hex-data-test.fwall
@@ -0,0 +1,68 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p 0x1234 -j ACCEPT
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092
+#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
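Review bot: the last two blocks repeat checks already made earlier in this file: the four iptables hook-up listings (libvirt-host-in, libvirt-in, libvirt-in-post, libvirt-out) appear once with "grep HI-vnet0" / "grep FI-vnet0" and again with "grep vnet0", and the ip6tables hook-up block plus the "#ip6tables -L INPUT -n --line-numbers | grep libvirt" check is listed twice verbatim. Drop the duplicates, or keep one grep form consistently; they add root-level iptables invocations without covering anything new.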
Index: libvirt-acl/tests/nwfilter2vmtest.sh
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilter2vmtest.sh
@@ -0,0 +1,459 @@
+#!/bin/bash
+
+ORIG_IFNAME="vnet0"
+TESTFILTERNAME="nwfiltertestfilter"
+
+LIBVIRTD=`type -P ${PWD}/../daemon/libvirtd`
+VIRSH=`type -P ${PWD}/../tools/virsh`
+LD_LIBRARY_PATH="${PWD}../src/.libs/"
+
+# Maybe no libvirtd was built
+[ -z ${LIBVIRTD} ] && exit 0;
+
+FLAG_WAIT="$((1<<0))"
+FLAG_ATTACH="$((1<<1))"
+FLAG_VERBOSE="$((1<<2))"
+FLAG_LIBVIRT_TEST="$((1<<3))"
+
+failctr=0
+passctr=0
+attachfailctr=0
+attachctr=0
+
+function usage() {
+ local cmd="$0"
+cat <<EOF
+Usage: ${cmd} [--help|-h|-?] [--noattach] [--wait] [--verbose]
+ [--libvirt-test]
+
+Options:
+ --help,-h,-? : Display this help screen.
+ --noattach : Skip tests that attach and detach a network interface
+ --wait : Wait for the user to press the enter key once an error
+ was detected
+ --verbose : Verbose output
+ --libvirt-test : Use the libvirt test output format
+
+This test will create two virtual machines. The one virtual machine
+will use a filter called '${TESTFILTERNAME}', and reference the filter
+'clean-traffic' which should be available by default with every install.
+The other virtual machine will reference the filter 'testcase' and will
+have its filter permanently updated.
+EOF
+}
+
+
+# A wrapper for mktemp in case it does not exist
+# Echos the name of a temporary file.
+function mktmpfile() {
+ local tmp
+ type -P mktemp > /dev/null
+ if [ $? -eq 0 ]; then
+ tmp=$(mktemp -t nwfvmtest.XXXXXX)
+ echo ${tmp}
+ else
+ while :; do
+ tmp="/tmp/nwfvmtest.${RANDOM}"
+ if [ ! -f ${tmp} ]; then
+ touch ${tmp}
+ chmod 666 ${tmp}
+ echo ${tmp}
+ break
+ fi
+ done
+ fi
+ return 0
+}
+
+
+function checkExpectedOutput() {
+ local xmlfile="$1"
+ local fwallfile="$2"
+ local ifname="$3"
+ local flags="$4"
+ local skipregex="$5"
+ local regex="s/${ORIG_IFNAME}/${ifname}/g"
+ local cmd line tmpfile tmpfile2 skip
+
+ tmpfile=`mktmpfile`
+ tmpfile2=`mktmpfile`
+
+ exec 4<${fwallfile}
+
+ read <&4
+ line="${REPLY}"
+
+ while [ "x${line}x" != "xx" ]; do
+ cmd=`echo ${line##\#} | sed ${regex}`
+
+ skip=0
+ if [ "x${skipregex}x" != "xx" ]; then
+ skip=`echo ${cmd} | grep -c -E ${skipregex}`
+ fi
+
+ eval ${cmd} 2>&1 | tee ${tmpfile} 1>/dev/null
+
+ rm ${tmpfile2} 2>/dev/null
+ touch ${tmpfile2}
+
+ while [ 1 ]; do
+ read <&4
+ line="${REPLY}"
+
+ if [ "${line:0:1}" == "#" ] || [ "x${line}x" == "xx" ]; then
+
+ if [ ${skip} -ne 0 ]; then
+ break
+ fi
+
+ diff ${tmpfile} ${tmpfile2} >/dev/null
+
+ if [ $? -ne 0 ]; then
+ echo "FAIL ${xmlfile} : ${cmd}"
+ diff ${tmpfile} ${tmpfile2}
+ ((failctr++))
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "tmp files: $tmpfile, $tmpfile2"
+ echo "Press enter"
+ read
+ fi
+ [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+ test_result $((passctr+failctr)) "" 1
+ else
+ ((passctr++))
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && \
+ echo "PASS ${xmlfile} : ${cmd}"
+ [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+ test_result $((passctr+failctr)) "" 0
+ fi
+
+ break;
+
+ fi
+ echo "${line}" | sed ${regex} >> ${tmpfile2}
+ done
+ done
+
+ exec 4>&-
+
+ rm -rf "${tmpfile}" "${tmpfile2}" 2>/dev/null
+}
+
+
+function doTest() {
+ local xmlfile="$1"
+ local fwallfile="$2"
+ local vm1name="$3"
+ local vm2name="$4"
+ local flags="$5"
+ local linenums ctr=0
+ local tmpfile b msg rc
+
+ if [ ! -r "${xmlfile}" ]; then
+ echo "FAIL : Cannot access filter XML file ${xmlfile}."
+ return 1
+ fi
+
+ ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+
+ checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" "${flags}" \
+ ""
+
+ checkExpectedOutput "${TESTFILTERNAME}" "nwfilterxml2fwallout/testvm.fwall.dat" \
+ "${vm2name}" "${flags}" ""
+
+ if [ $((flags & FLAG_ATTACH)) -ne 0 ]; then
+
+ tmpfile=`mktmpfile`
+
+ b=`{ ${VIRSH} dumpxml ${vm1name} | tr -d "\n"; echo; } | \
+ sed "s/.*\<interface.*source bridge='\([a-zA-Z0-9_]\+\)'.*<\/interface>.*/\1/"`
+
+ cat >>${tmpfile} <<EOF
+<interface type='bridge'>
+ <source bridge='${b}'/>
+ <mac address='52:54:00:11:22:33'/>
+ <target dev='attach0'/>
+ <filterref filter='testcase'/>
+</interface>
+EOF
+ msg=`${VIRSH} attach-device "${vm1name}" "${tmpfile}" > /dev/null`
+ rc=$?
+
+ ((attachctr++))
+
+ if [ $rc -eq 0 ]; then
+ checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" \
+ "${flags}" "(PRE|POST)ROUTING"
+ msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"`
+ if [ $? -ne 0 ]; then
+ echo "FAIL: Detach of interface failed."
+ fi
+ else
+ ((attachfailctr++))
+ if [ $((flags & FLAG_VERBOSE)) -ne 0 ]; then
+ echo "FAIL: Could not attach interface to vm ${vm1name}."
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter"
+ read
+ fi
+ fi
+ fi
+
+ rm -rf ${tmpfile}
+ fi
+
+ return 0
+}
+
+
+function runTests() {
+ local vm1name="$1"
+ local vm2name="$2"
+ local xmldir="$3"
+ local fwalldir="$4"
+ local flags="$5"
+ local fwallfiles f
+
+ pushd ${PWD} > /dev/null
+ cd ${fwalldir}
+ fwallfiles=`ls *.fwall`
+ popd > /dev/null
+
+ for fil in ${fwallfiles}; do
+ f=${fil%%.fwall}
+ doTest "${xmldir}/${f}.xml" "${fwalldir}/${fil}" "${vm1name}" \
+ "${vm2name}" "${flags}"
+ done
+
+ if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then
+ test_final $((passctr+failctr)) $failctr
+ else
+ echo ""
+ echo "Summary: ${failctr} failures, ${passctr} passes,"
+ if [ ${attachctr} -ne 0 ]; then
+ echo " ${attachfailctr} interface attachment failures with ${attachctr} attempts"
+ fi
+ fi
+}
+
+
+function createVM() {
+ local vmname="$1"
+ local filtername="$2"
+ local ipaddr="$3"
+ local macaddr="$4"
+ local flags="$5"
+ local res
+ local tmpfile='mktmpfile'
+
+ cat > ${tmpfile} << EOF
+ <domain type='kvm'>
+ <name>${vmname}</name>
+ <memory>131072</memory>
+ <currentMemory>131072</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='fedora-13'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-kvm</emulator>
+ <interface type='bridge'>
+ <mac address='${macaddr}'/>
+ <source bridge='virbr0'/>
+ <filterref filter='${filtername}'>
+ <parameter name='IP' value='${ipaddr}'/>
+ </filterref>
+ <target dev='${vmname}'/>
+ </interface>
+ <console type='pty'>
+ </console>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ </devices>
+ </domain>
+EOF
+
+ res=$(${VIRSH} define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define VM ${vmname} : ${res}"
+ return 1
+ fi
+
+ res=$(${VIRSH} start ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not start VM ${vmname} : ${res}"
+ `${VIRSH} undefine ${vmname}`
+ return 1
+ fi
+
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Created VM ${vmname}."
+
+ rm -rf ${tmpfile}
+
+ return 0
+}
+
+
+function destroyVM() {
+ local vmname="$1"
+ local flags="$2"
+ local res
+
+ res=$(${VIRSH} destroy ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not destroy VM ${vmname} : ${res}"
+ return 1
+ fi
+
+ res=$(${VIRSH} undefine ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine VM ${vmname} : ${res}"
+ return 1
+ fi
+
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Destroyed VM ${vmname}."
+
+ return 0
+}
+
+
+function createTestFilter() {
+ local tmpfile=`mktmpfile`
+ local res
+
+ cat >${tmpfile} << EOF
+<filter name="${TESTFILTERNAME}">
+ <filterref filter='clean-traffic'/>
+
+ <rule action='drop' direction='inout' priority='1000'>
+ <all/>
+ </rule>
+
+ <rule action='drop' direction='inout' priority='1000'>
+ <all-ipv6/>
+ </rule>
+</filter>
+EOF
+ res=$(${VIRSH} nwfilter-define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define filter : ${res}"
+ rm -rf ${tmpfile}
+ return 1
+ fi
+
+ rm -rf ${tmpfile}
+
+ return 0
+}
+
+
+function deleteTestFilter() {
+ local res
+ res=$(${VIRSH} nwfilter-undefine ${TESTFILTERNAME})
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine filter : ${res}"
+ return 1
+ fi
+ return 0
+}
+
+
+function main() {
+ local prgname="$0"
+ local vm1 vm2
+ local xmldir="nwfilterxml2xmlin"
+ local fwalldir="nwfilterxml2fwallout"
+ local found=0 vms res
+ local filtername="testcase"
+ local startedlibvirtd=0
+ local flags OPWD
+
+ ((flags=${FLAG_ATTACH}))
+
+ while [ $# -ne 0 ]; do
+ case "$1" in
+ --help|-h|-\?) usage ${prgname}; exit 0;;
+ --noattach) ((flags ^= FLAG_ATTACH ));;
+ --wait) ((flags |= FLAG_WAIT ));;
+ --verbose) ((flags |= FLAG_VERBOSE ));;
+ --libvirt-test) ((flags |= FLAG_LIBVIRT_TEST ));;
+ *) usage ${prgname}; exit 1;;
+ esac
+ shift 1
+ done
+
+ if [ `uname` != "Linux" ]; then
+ echo "This script will only run on Linux."
+ exit 1;
+ fi
+
+ if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then
+ pushd ${PWD} > /dev/null
+ . test-lib.sh
+ test_intro $this_test
+ popd > /dev/null
+ fi
+
+ res=$(${VIRSH} capabilities 2>/dev/null 1>/dev/null)
+
+ if [ $? -ne 0 ]; then
+ if [ "x${LIBVIRTD}x" == "xx" ]; then
+ echo "Cannot find libvirtd. Exiting."
+ exit 1
+ fi
+
+ ${LIBVIRTD} 2>/dev/null 1>/dev/null &
+ sleep 2
+
+ startedlibvirtd=1
+ res=$(${VIRSH} capabilities 2>/dev/null 1>/dev/null)
+ if [ $? -ne 0 ]; then
+ echo "Could not start the libvirt daemon : $res"
+ echo "Exiting."
+ exit 1
+ fi
+ fi
+
+ vm1="testvm${RANDOM}"
+ vm2="testvm${RANDOM}"
+
+ createTestFilter
+ if [ $? -ne 0 ]; then
+ exit 1;
+ fi
+
+ createVM "${vm1}" "testcase" "10.2.2.2" "52:54:0:0:0:1" "${flags}"
+ if [ $? -ne 0 ]; then
+ echo "Could not create VM ${vm1}. Exiting."
+ exit 1
+ fi
+
+ createVM "${vm2}" "${TESTFILTERNAME}" "10.1.1.1" "52:54:0:9f:33:da" \
+ "${flags}"
+ if [ $? -ne 0 ]; then
+ echo "Could not create VM ${vm2}. Exiting."
+ destroyVM "${vm1}" "${flags}"
+ exit 1
+ fi
+
+ runTests "${vm1}" "${vm2}" "${xmldir}" "${fwalldir}" "${flags}"
+
+ destroyVM "${vm1}" "${flags}"
+ destroyVM "${vm2}" "${flags}"
+ deleteTestFilter
+
+ [ ${startedlibvirtd} -eq 1 ] && killall lt-libvirtd
+ return 0
+}
+
+main "$@"
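Review bot: in createVM, "local tmpfile='mktmpfile'" uses single quotes instead of backticks, so the helper is never called: the domain XML is written to a file literally named mktmpfile in the working directory, which is then "rm -rf"'d; write it as createTestFilter does, with tmpfile=`mktmpfile`. Related, the mktmpfile fallback creates a predictable "/tmp/nwfvmtest.${RANDOM}" and chmods it 666 while the script runs as root (it defines and starts domains and lists iptables/ebtables), which is a symlink and tampering race that lets any local user rewrite the XML handed to "virsh define"; drop the chmod and fail when mktemp is absent rather than fall back. A few smaller points: LD_LIBRARY_PATH="${PWD}../src/.libs/" is missing the slash after ${PWD} and is never exported; "eval ${cmd}" executes every "#" line of the .fwall files as a root shell command, which is acceptable for repository data but should be stated in the usage text; "[ ${startedlibvirtd} -eq 1 ] && killall lt-libvirtd" kills every libtool-wrapped libvirtd on the host rather than the one this script started, so record $! after launching it and kill that PID; `${VIRSH} undefine ${vmname}` in backticks runs virsh's output as a command; "--noattach" uses ^= so passing it twice re-enables attachment; and the read loop in checkExpectedOutput ends at the first empty line, so a stray blank line in a .fwall silently skips the rest of that file.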
Index: libvirt-acl/tests/nwfilterxml2fwallout/testvm.fwall.dat
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/testvm.fwall.dat
@@ -0,0 +1,73 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -j I-vnet0-ipv4
+-p ARP -j I-vnet0-arp
+-p 0x8035 -j I-vnet0-rarp
+-p 0x835 -j ACCEPT
+-j DROP
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -j O-vnet0-ipv4
+-p ARP -j O-vnet0-arp
+-p 0x8035 -j O-vnet0-rarp
+-j DROP
+#ebtables -t nat -L I-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
+-s ! 52:54:0:9f:33:da -j DROP
+-p IPv4 --ip-src ! 10.1.1.1 -j DROP
+#ebtables -t nat -L O-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
+-j ACCEPT
+#ebtables -t nat -L I-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
+-s ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-mac-src ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-ip-src ! 10.1.1.1 -j DROP
+-p ARP --arp-op Request -j ACCEPT
+-p ARP --arp-op Reply -j ACCEPT
+-j DROP
+#ebtables -t nat -L O-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
+-p ARP --arp-op Reply --arp-mac-dst ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-ip-dst ! 10.1.1.1 -j DROP
+-p ARP --arp-op Request -j ACCEPT
+-p ARP --arp-op Reply -j ACCEPT
+-j DROP
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
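Review bot: In the `libvirt-I-vnet0` expected output, `-p 0x835 -j ACCEPT` sits next to `-p 0x8035 -j I-vnet0-rarp`; 0x835 is not the RARP ethertype that the neighbouring line uses, so please confirm that line is the intended ebtables output and not a dropped digit, since whatever is in this file becomes the reference the test compares against.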
Hi.
I've just tested the snapshot function, which seems to work, but for
now it is limited to qcow2 images.
Are there any plans to add LVM-based snapshots?
I know LVM would have some limitations, but with recent distribs (F13,
RHEL6 at least), as snapshots can be merged back into the original LV, I
think we could have at least some snapshot function.
Basically, the domain could be paused, then the memory could be dumped
into a separate file (as a virsh save does), then all LVM-based disks
(and qcow2-based ones) could be snapshotted, then the domain could be
reloaded from the saved state (or even just resumed, if the save
function doesn't destroy it like a virsh save does).
LVM gives some (a lot of?) performance improvements over qcow2, and I
think snapshots would be a lot faster (in my tests, it takes 4 or 5
minutes to snapshot a simple Ubuntu guest on qcow2, and even longer to
revert).
There would still be some limitations, like:
- check whether lvconvert supports merging before we create the snapshots
- the sizes of snapshots are fixed; should libvirt monitor the % used and
auto-grow when needed?
- there would be no support for snapshots of snapshots
Any thoughts?
Regards, Daniel
--
Daniel Berteaud
FIREWALL-SERVICES SARL.
Société de Services en Logiciels Libres
Technopôle Montesquieu
33650 MARTILLAC
Tel : 05 56 64 15 32
Fax : 05 56 64 15 32
Mail: daniel(a)firewall-services.com
Web : http://www.firewall-services.com
Continuation of earlier patches to fix LIB_PTHREAD, only
triggered by ./configure --with-xen-proxy (a la autobuild.sh).
* proxy/Makefile.am (libvirt_proxy_LDADD): Add LIB_PTHREAD.
---
I'm pushing this under the obvious rule - autobuild.sh has
been broken for a few commits now. It is more fallout from
using gnulib for LIB_PTHREAD, and wasn't detected until
now because I don't use --with-xen-proxy that often.
proxy/Makefile.am | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am
index 9ea91d8..bee47d0 100644
--- a/proxy/Makefile.am
+++ b/proxy/Makefile.am
@@ -34,7 +34,7 @@ libvirt_proxy_SOURCES = libvirt_proxy.c \
@top_srcdir@/src/xen/xs_internal.c
libvirt_proxy_LDFLAGS = $(WARN_CFLAGS) $(XEN_LIBS)
libvirt_proxy_DEPENDENCIES =
-libvirt_proxy_LDADD = ../gnulib/lib/libgnu.la
+libvirt_proxy_LDADD = ../gnulib/lib/libgnu.la $(LIB_PTHREAD)
install-exec-hook:
chmod u+s $(DESTDIR)$(libexecdir)/libvirt_proxy
--
1.7.0.1
11 May '10
Product and vendor values were swapped in the XML, which made virt-manager
PCI device listing kinda useless.
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
src/node_device/node_device_udev.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c
index bcfe991..4a9d65f 100644
--- a/src/node_device/node_device_udev.c
+++ b/src/node_device/node_device_udev.c
@@ -382,8 +382,8 @@ static int udevTranslatePCIIds(unsigned int vendor,
/* pci_get_strings returns void */
pci_get_strings(&m,
- &vendor_name,
&device_name,
+ &vendor_name,
NULL,
NULL);
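Review bot: The swap fixes the order, but nothing in the hunk records which order `pci_get_strings` expects, which is exactly how the vendor/product mix-up got in; extend the existing `/* pci_get_strings returns void */` comment to name the argument order (`&m, &device_name, &vendor_name, ...`) so the next edit does not reintroduce it.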
--
1.6.6.1
[libvirt] [PATCH v2] Determine the root physical interface of a given interface
by Stefan Berger 11 May '10
In this patch I am adding functions that help to iteratively determine
the root physical interface of a given interface. An example would be
that a macvtap device is linked to eth0.100 which in turn is linked to
eth0. Given the name or interface index of the macvtap device that is
linked to eth0.100, eth0 is found by following the links to the end. I
am now using the netlink library to parse the returned netlink messages
and for that I am making additions to configure.ac and the rpm spec file
to check for the netlink and netlink-devel packages respectively. In the
configure.ac the requirement to have the netlink library is dependent on
having macvtap.
The setup of the upcoming VEPA patches requires knowledge of which
interface to run the setup protocol over. In the above case the protocol
would need to run over interface eth0 and provide the knowledge of vlan
id 100 in the protocol (see previous patch).
Changes from V1 to V2:
- replaced the constant '256' representing the space for a netlink
message with a constant
- replaced the constant '64' representing the space for a rtattr
structure with a constant
- fixed the spacings that weren't correct
- fixed M4 quoting
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
configure.ac | 24 ++++++
libvirt.spec.in | 14 +++
src/Makefile.am | 4 -
src/util/macvtap.c | 197
++++++++++++++++++++++++++++++++++++++++++++++++++---
4 files changed, 229 insertions(+), 10 deletions(-)
Index: libvirt-acl/src/util/macvtap.c
===================================================================
--- libvirt-acl.orig/src/util/macvtap.c
+++ libvirt-acl/src/util/macvtap.c
@@ -41,6 +41,9 @@
# include <linux/rtnetlink.h>
# include <linux/if_tun.h>
+# include <netlink/attr.h>
+# include <netlink/msg.h>
+
# include "util.h"
# include "memory.h"
# include "macvtap.h"
@@ -57,6 +60,9 @@
# define MACVTAP_NAME_PREFIX "macvtap"
# define MACVTAP_NAME_PATTERN "macvtap%d"
+#define MAX_NL_MESSAGE_SIZE 256
+#define MAX_RTATTR_SIZE 64
+
static int nlOpen(void)
{
int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
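Review bot: `+#define MAX_NL_MESSAGE_SIZE 256` and `+#define MAX_RTATTR_SIZE 64` break the indented `# define` style the surrounding block uses (`# define MACVTAP_NAME_PREFIX ...` two lines up), and nothing says why 64 bytes is enough for the largest rtattr built here (`IFLA_IFNAME` with up to IFNAMSIZ bytes plus the header); indent them to match and add a one-line comment per constant stating what the buffer must hold.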
@@ -202,10 +208,10 @@ link_add(const char *type,
int *retry)
{
int rc = 0;
- char nlmsgbuf[256];
+ char nlmsgbuf[MAX_NL_MESSAGE_SIZE] = { 0, };
struct nlmsghdr *nlm = (struct nlmsghdr *)nlmsgbuf, *resp;
struct nlmsgerr *err;
- char rtattbuf[64];
+ char rtattbuf[MAX_RTATTR_SIZE];
struct rtattr *rta, *rta1, *li;
struct ifinfomsg i = { .ifi_family = AF_UNSPEC };
int ifindex;
@@ -217,8 +223,6 @@ link_add(const char *type,
*retry = 0;
- memset(&nlmsgbuf, 0, sizeof(nlmsgbuf));
-
nlInit(nlm, NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL,
RTM_NEWLINK);
if (!nlAppend(nlm, sizeof(nlmsgbuf), &i, sizeof(i)))
@@ -347,17 +351,15 @@ static int
link_del(const char *name)
{
int rc = 0;
- char nlmsgbuf[256];
+ char nlmsgbuf[MAX_NL_MESSAGE_SIZE] = { 0, };
struct nlmsghdr *nlm = (struct nlmsghdr *)nlmsgbuf, *resp;
struct nlmsgerr *err;
- char rtattbuf[64];
+ char rtattbuf[MAX_RTATTR_SIZE];
struct rtattr *rta;
struct ifinfomsg ifinfo = { .ifi_family = AF_UNSPEC };
char *recvbuf = NULL;
int recvbuflen;
- memset(&nlmsgbuf, 0, sizeof(nlmsgbuf));
-
nlInit(nlm, NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL,
RTM_DELLINK);
if (!nlAppend(nlm, sizeof(nlmsgbuf), &ifinfo, sizeof(ifinfo)))
@@ -421,6 +423,185 @@ buffer_too_small:
}
+static struct nla_policy ifla_policy[IFLA_MAX + 1] =
+{
+ [IFLA_IFNAME] = { .type = NLA_STRING },
+ [IFLA_LINK] = { .type = NLA_U32 },
+};
+
+
+static int
+link_dump(int ifindex, const char *ifname, struct nlattr **tb,
+ char **recvbuf)
+{
+ int rc = 0;
+ char nlmsgbuf[MAX_NL_MESSAGE_SIZE] = { 0, };
+ struct nlmsghdr *nlm = (struct nlmsghdr *)nlmsgbuf, *resp;
+ struct nlmsgerr *err;
+ char rtattbuf[MAX_RTATTR_SIZE];
+ struct rtattr *rta;
+ struct ifinfomsg i = {
+ .ifi_family = AF_UNSPEC,
+ .ifi_index = ifindex
+ };
+ int recvbuflen;
+
+ *recvbuf = NULL;
+
+ nlInit(nlm, NLM_F_REQUEST, RTM_GETLINK);
+
+ if (!nlAppend(nlm, sizeof(nlmsgbuf), &i, sizeof(i)))
+ goto buffer_too_small;
+
+ if (ifindex < 0 && ifname != NULL) {
+ rta = rtattrCreate(rtattbuf, sizeof(rtattbuf), IFLA_IFNAME,
+ ifname, strlen(ifname) + 1);
+ if (!rta)
+ goto buffer_too_small;
+
+ if (!nlAppend(nlm, sizeof(nlmsgbuf), rtattbuf, rta->rta_len))
+ goto buffer_too_small;
+ }
+
+ if (nlComm(nlm, recvbuf, &recvbuflen) < 0)
+ return -1;
+
+ if (recvbuflen < NLMSG_LENGTH(0) || *recvbuf == NULL)
+ goto malformed_resp;
+
+ resp = (struct nlmsghdr *)*recvbuf;
+
+ switch (resp->nlmsg_type) {
+ case NLMSG_ERROR:
+ err = (struct nlmsgerr *)NLMSG_DATA(resp);
+ if (resp->nlmsg_len < NLMSG_LENGTH(sizeof(*err)))
+ goto malformed_resp;
+
+ switch (-err->error) {
+ case 0:
+ break;
+
+ default:
+ virReportSystemError(-err->error,
+ _("error dumping %d interface"),
+ ifindex);
+ rc = -1;
+ }
+ break;
+
+ case GENL_ID_CTRL:
+ case NLMSG_DONE:
+ if (nlmsg_parse(resp, sizeof(struct ifinfomsg),
+ tb, IFLA_MAX, ifla_policy)) {
+ goto malformed_resp;
+ }
+ break;
+
+ default:
+ goto malformed_resp;
+ }
+
+ if (rc != 0)
+ VIR_FREE(*recvbuf);
+
+ return rc;
+
+malformed_resp:
+ macvtapError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("malformed netlink response message"));
+ VIR_FREE(*recvbuf);
+ return -1;
+
+buffer_too_small:
+ macvtapError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("internal buffer is too small"));
+ return -1;
+}
+
+
+/* TODO: move this into interface.c after moving netlink functions into
+ * utils dir
+ */
+/**
+ * ifaceGetNthParent
+ *
+ * @ifindex : the index of the interface or -1 if ifname is given
+ * @ifname : the name of the interface; ignored if ifindex is valid
+ * @nthParent : the nth parent interface to get
+ * @rootifname : pointer to buffer of size IFNAMSIZ
+ * @nth : the nth parent that is actually returned; if for example
eth0.100
+ * was given and the 100th parent is to be returned, then eth0
will
+ * most likely be returned with nth set to 1 since the chain
does
+ * not have more interfaces
+ *
+ * Get the nth parent interface of the given interface. 0 is the
interface
+ * itself.
+ *
+ * Return 0 on success, != 0 otherwise
+ */
+static int
+ifaceGetNthParent(int ifindex, const char *ifname, unsigned int
nthParent,
+ char *rootifname, unsigned int *nth)
+{
+ int rc;
+ struct nlattr *tb[IFLA_MAX + 1];
+ char *recvbuf = NULL;
+ bool end = false;
+ unsigned int i = 0;
+
+ while (!end && i <= nthParent) {
+ rc = link_dump(ifindex, ifname, tb, &recvbuf);
+ if (rc)
+ break;
+
+ if (tb[IFLA_IFNAME]) {
+ if (!virStrcpy(rootifname,
(char*)RTA_DATA(tb[IFLA_IFNAME]),
+ IFNAMSIZ)) {
+ macvtapError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("buffer for root interface name is too
small"));
+ VIR_FREE(recvbuf);
+ return 1;
+ }
+ }
+
+ if (tb[IFLA_LINK]) {
+ ifindex = *(int *)RTA_DATA(tb[IFLA_LINK]);
+ ifname = NULL;
+ } else
+ end = true;
+
+ VIR_FREE(recvbuf);
+
+ i++;
+ }
+
+ if (nth)
+ *nth = i - 1;
+
+ return rc;
+}
+
+
+/**
+ * ifaceGetRootIface
+ *
+ * @ifindex : the index of the interface or -1 if ifname is given
+ * @ifname : the name of the interface; ignored if ifindex is valid
+ * @rootifname : pointer to buffer of size IFNAMSIZ
+ *
+ * Get the root interface of a given interface, i.e., if macvtap
+ * is linked to eth0.100, it will return eth0.
+ *
+ * Return 0 on success, != 0 otherwise
+ */
+static int
+ifaceGetRootIface(int ifindex, const char *ifname,
+ char *rootifname)
+{
+ return ifaceGetNthParent(ifindex, ifname, ~0, rootifname, NULL);
+}
+
+
/* Open the macvtap's tap device.
* @ifname: Name of the macvtap interface
* @retries : Number of retries in case udev for example may need to be
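Review bot: `link_dump` can return 0 without touching `tb`: on the `NLMSG_ERROR` branch with `err->error == 0`, `rc` stays 0, `nlmsg_parse` is never called, and `ifaceGetNthParent` then reads `tb[IFLA_IFNAME]` and `tb[IFLA_LINK]` from its uninitialised `struct nlattr *tb[IFLA_MAX + 1]`; either treat an empty ack as a malformed response (an RTM_GETLINK request should be answered with an RTM_NEWLINK message) or `memset(tb, 0, sizeof(tb))` in the caller. Related: the response type is matched as `case GENL_ID_CTRL:`, which only works because GENL_ID_CTRL and RTM_NEWLINK are both 16; write `case RTM_NEWLINK:`. Lastly, `*(int *)RTA_DATA(tb[IFLA_LINK])` applies an rtattr macro to an nlattr that the `NLA_U32` policy already validated, so `nla_get_u32(tb[IFLA_LINK])` is the matching accessor, and since `ifaceGetRootIface` passes `nthParent = ~0`, a bound on the number of hops would keep a pathological link chain from looping for a very long time.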
Index: libvirt-acl/configure.ac
===================================================================
--- libvirt-acl.orig/configure.ac
+++ libvirt-acl/configure.ac
@@ -42,6 +42,7 @@ HAL_REQUIRED=0.5.0
DEVMAPPER_REQUIRED=1.0.0
LIBCURL_REQUIRED="7.18.0"
LIBPCAP_REQUIRED="1.0.0"
+LIBNL_REQUIRED="1.1"
dnl Checks for C compiler.
AC_PROG_CC
@@ -2005,6 +2006,24 @@ fi
AM_CONDITIONAL([WITH_MACVTAP], [test "$with_macvtap" = "yes"])
+dnl netlink library
+
+LIBNL_CFLAGS=""
+LIBNL_LIBS=""
+
+if test "$with_macvtap" = "yes"; then
+ PKG_CHECK_MODULES([LIBNL], [libnl-1 >= $LIBNL_REQUIRED], [
+ ], [
+ AC_MSG_ERROR([libnl >= $LIBNL_REQUIRED is required for macvtap
support])
+ ])
+fi
+
+AC_SUBST([LIBNL_CFLAGS])
+AC_SUBST([LIBNL_LIBS])
+
+
+
+
# Only COPYING.LIB is under version control, yet COPYING
# is included as part of the distribution tarball.
# Copy one to the other, but only if this is a srcdir-build.
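Review bot: The block leaves four empty lines after `AC_SUBST([LIBNL_LIBS])` and passes an empty action-if-found (`[` `]`) to `PKG_CHECK_MODULES`; drop the blank run and the empty action, since `PKG_CHECK_MODULES` sets `LIBNL_CFLAGS`/`LIBNL_LIBS` itself and the `LIBNL_CFLAGS=""`/`LIBNL_LIBS=""` lines above already cover the case where `with_macvtap` is not `yes`.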
@@ -2183,6 +2202,11 @@ AC_MSG_NOTICE([ pcap: $LIBPCAP_CFLAGS
else
AC_MSG_NOTICE([ pcap: no])
fi
+if test "$with_macvtap" = "yes" ; then
+AC_MSG_NOTICE([ nl: $LIBNL_CFLAGS $LIBNL_LIBS])
+else
+AC_MSG_NOTICE([ nl: no])
+fi
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Test suite])
AC_MSG_NOTICE([])
Index: libvirt-acl/libvirt.spec.in
===================================================================
--- libvirt-acl.orig/libvirt.spec.in
+++ libvirt-acl/libvirt.spec.in
@@ -63,6 +63,7 @@
%define with_yajl 0%{!?_without_yajl:0}
%define with_nwfilter 0%{!?_without_nwfilter:0}
%define with_libpcap 0%{!?_without_libpcap:0}
+%define with_macvtap 0%{!?_without_macvtap:0}
# Non-server/HV driver defaults which are always enabled
%define with_python 0%{!?_without_python:1}
@@ -153,6 +154,11 @@
%if %{with_qemu}
%define with_nwfilter 0%{!?_without_nwfilter:%{server_drivers}}
%define with_libpcap 0%{!?_without_libpcap:%{server_drivers}}
+%define with_macvtap 0%{!?_without_macvtap:%{server_drivers}}
+%endif
+
+%if %{with_macvtap}
+%define with_libnl 1
%endif
# Force QEMU to run as non-root
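Review bot: `%define with_libnl 1` is only defined inside `%if %{with_macvtap}`, so when macvtap is disabled the later `%if %{with_libnl}` guarding `BuildRequires: libnl-devel` tests a macro that was never defined and rpmbuild fails to parse the spec; add a default `%define with_libnl 0` next to the other defaults (beside `%define with_macvtap 0%{!?_without_macvtap:0}`) so the conditional always has a value.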
@@ -282,6 +288,9 @@ BuildRequires: yajl-devel
%if %{with_libpcap}
BuildRequires: libpcap-devel
%endif
+%if %{with_libnl}
+BuildRequires: libnl-devel
+%endif
%if %{with_avahi}
BuildRequires: avahi-devel
%endif
@@ -531,6 +540,10 @@ of recent versions of Linux (and other O
%define _without_libpcap --without-libpcap
%endif
+%if ! %{with_macvtap}
+%define _without_macvtap --without-macvtap
+%endif
+
%configure %{?_without_xen} \
%{?_without_qemu} \
%{?_without_openvz} \
@@ -560,6 +573,7 @@ of recent versions of Linux (and other O
%{?_without_udev} \
%{?_without_yajl} \
%{?_without_libpcap} \
+ %{?_without_macvtap} \
--with-qemu-user=%{qemu_user} \
--with-qemu-group=%{qemu_group} \
--with-init-script=redhat \
Index: libvirt-acl/src/Makefile.am
===================================================================
--- libvirt-acl.orig/src/Makefile.am
+++ libvirt-acl/src/Makefile.am
@@ -973,7 +973,7 @@ libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FL
$(COVERAGE_CFLAGS:-f%=-Wc,-f%) \
$(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS)
libvirt_la_LIBADD += $(LIBXML_LIBS) \
- $(LIBPCAP_LIBS) \
+ $(LIBPCAP_LIBS) $(LIBNL_LIBS) \
$(DRIVER_MODULE_LIBS) \
$(CYGWIN_EXTRA_LIBADD) ../gnulib/lib/libgnu.la
libvirt_la_CFLAGS = $(COVERAGE_CFLAGS) -DIN_LIBVIRT
@@ -1027,7 +1027,7 @@ libvirt_lxc_SOURCES = \
libvirt_lxc_LDFLAGS = $(WARN_CFLAGS) $(COVERAGE_LDCFLAGS)
libvirt_lxc_LDADD = $(CAPNG_LIBS) $(YAJL_LIBS) \
$(LIBXML_LIBS) $(NUMACTL_LIBS) $(LIB_PTHREAD) \
- ../gnulib/lib/libgnu.la
+ $(LIBNL_LIBS) ../gnulib/lib/libgnu.la
libvirt_lxc_CFLAGS = \
$(LIBPARTED_CFLAGS) \
$(NUMACTL_CFLAGS) \
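Review bot: Both hunks add only `$(LIBNL_LIBS)`; `LIBNL_CFLAGS`, which configure.ac now substitutes, is not added to any `_CFLAGS` here, so the new `# include <netlink/msg.h>` in macvtap.c only compiles when libnl's headers sit in a default include path. Add `$(LIBNL_CFLAGS)` to `libvirt_la_CFLAGS` and `libvirt_lxc_CFLAGS` alongside the libs.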
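The parent walk this patch implements on top of nlmsg_parse, as an added Python example that is not part of the patch or of libvirt: it builds constructed RTM_NEWLINK replies for a macvtap0 -> eth0.100 -> eth0 chain, parses nlmsghdr, ifinfomsg and nlattr by hand with every length checked, and follows IFLA_LINK the way ifaceGetNthParent does, adding a hop bound and cycle check the patch does not have. SAMPLE_LINKS, sample_dump and the other helper names are this example's own assumptions.

```python
import struct

# Constants from <linux/netlink.h>, <linux/rtnetlink.h> and <linux/if_link.h>
NLMSG_ERROR = 0x2
RTM_NEWLINK = 16      # same value as GENL_ID_CTRL (0x10), which is why the patch's case label works
IFLA_IFNAME = 3
IFLA_LINK = 5
NLMSG_HDRLEN = 16     # sizeof(struct nlmsghdr)
IFINFOMSG_LEN = 16    # sizeof(struct ifinfomsg)
NLA_HDRLEN = 4        # sizeof(struct nlattr)

def nla_align(n):
    """Attributes are padded to 4-byte boundaries (NLA_ALIGNTO)."""
    return (n + 3) & ~3

def build_nlattr(attr_type, payload):
    total = NLA_HDRLEN + len(payload)
    return struct.pack("=HH", total, attr_type) + payload + b"\0" * (nla_align(total) - total)

def build_newlink(ifindex, ifname, link=None, seq=1):
    """Constructed RTM_NEWLINK reply, the shape an RTM_GETLINK request is answered with."""
    ifi = struct.pack("=BBHiII", 0, 0, 0, ifindex, 0, 0)  # family, pad, type, index, flags, change
    attrs = build_nlattr(IFLA_IFNAME, ifname.encode() + b"\0")
    if link is not None:
        attrs += build_nlattr(IFLA_LINK, struct.pack("=I", link))
    body = ifi + attrs
    return struct.pack("=IHHII", NLMSG_HDRLEN + len(body), RTM_NEWLINK, 0, seq, 0) + body

def build_nlmsg_error(error, seq=1):
    """Constructed NLMSG_ERROR reply: struct nlmsgerr is a negative errno plus the echoed header."""
    body = struct.pack("=i", error) + struct.pack("=IHHII", NLMSG_HDRLEN, 0, 0, seq, 0)
    return struct.pack("=IHHII", NLMSG_HDRLEN + len(body), NLMSG_ERROR, 0, seq, 0) + body

def parse_newlink(msg):
    """Return (ifindex, ifname, parent ifindex or None); raise on errors or malformed input."""
    if len(msg) < NLMSG_HDRLEN:
        raise ValueError("short netlink header")
    nlmsg_len, nlmsg_type, _flags, _seq, _pid = struct.unpack_from("=IHHII", msg, 0)
    if nlmsg_len < NLMSG_HDRLEN or nlmsg_len > len(msg):
        raise ValueError("nlmsg_len out of bounds")
    if nlmsg_type == NLMSG_ERROR:
        if nlmsg_len < NLMSG_HDRLEN + 4:
            raise ValueError("truncated nlmsgerr")
        (error,) = struct.unpack_from("=i", msg, NLMSG_HDRLEN)
        if error == 0:  # an empty ack carries no link attributes; do not treat it as success
            raise ValueError("empty ack instead of RTM_NEWLINK")
        raise OSError(-error, "kernel rejected the link dump")
    if nlmsg_type != RTM_NEWLINK:
        raise ValueError("unexpected message type %d" % nlmsg_type)
    if nlmsg_len < NLMSG_HDRLEN + IFINFOMSG_LEN:
        raise ValueError("truncated ifinfomsg")
    ifindex = struct.unpack_from("=BBHiII", msg, NLMSG_HDRLEN)[3]
    tb = {}
    off = NLMSG_HDRLEN + IFINFOMSG_LEN
    while off + NLA_HDRLEN <= nlmsg_len:
        nla_len, nla_type = struct.unpack_from("=HH", msg, off)
        if nla_len < NLA_HDRLEN or off + nla_len > nlmsg_len:
            raise ValueError("attribute overruns message")
        tb[nla_type] = msg[off + NLA_HDRLEN:off + nla_len]
        off += nla_align(nla_len)
    if IFLA_IFNAME not in tb:
        raise ValueError("IFLA_IFNAME missing")
    ifname = tb[IFLA_IFNAME].split(b"\0", 1)[0].decode()
    link = None
    if IFLA_LINK in tb:
        if len(tb[IFLA_LINK]) != 4:  # what the NLA_U32 policy in the patch enforces
            raise ValueError("IFLA_LINK is not a u32")
        (link,) = struct.unpack("=I", tb[IFLA_LINK])
    return ifindex, ifname, link

def get_nth_parent(dump, ifindex, nth_parent, max_hops=64):
    """Follow IFLA_LINK up to nth_parent times (0 = the interface itself); return (name, hops).
    dump(ifindex) returns a raw reply and stands in for the netlink round trip. Unlike the
    patch's loop the walk is bounded and refuses a chain that revisits an ifindex."""
    seen = set()
    hops = 0
    while True:
        if ifindex in seen or hops > max_hops:
            raise ValueError("link chain does not terminate")
        seen.add(ifindex)
        _idx, name, link = parse_newlink(dump(ifindex))
        if link is None or hops == nth_parent:
            return name, hops
        ifindex, hops = link, hops + 1

# Constructed link table standing in for the kernel: macvtap0 -> eth0.100 -> eth0,
# plus a deliberately looping pair (7 <-> 8) to exercise the bound
SAMPLE_LINKS = {
    2: ("eth0", None),
    4: ("eth0.100", 2),
    5: ("macvtap0", 4),
    7: ("loopA", 8),
    8: ("loopB", 7),
}

def sample_dump(ifindex):
    """Answer like the kernel would: RTM_NEWLINK for known indexes, -ENODEV otherwise."""
    if ifindex not in SAMPLE_LINKS:
        return build_nlmsg_error(-19)  # -ENODEV
    name, link = SAMPLE_LINKS[ifindex]
    return build_newlink(ifindex, name, link)
```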
11 May '10
FYI, just pushed.
I ran this command:
cd tests && grep -l 'Copy.*Free.Sof' * |xargs perl -pi -e \
's/Copyright \(C\) (.*) Free Software Foundation,/Copyright (C) $1 Red Hat,/'
From c5be8bcb8f4b72a39481eeef58d601ec585e0c6f Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering(a)redhat.com>
Date: Tue, 11 May 2010 16:43:07 +0200
Subject: [PATCH] tests: adjust copyrights on scripts: s/FSF/Red Hat/
* tests/cpuset: Change copyright holder from FSF to Red Hat, Inc.
* tests/read-bufsiz: Likewise.
* tests/read-non-seekable: Likewise.
* tests/start: Likewise.
* tests/undefine: Likewise.
* tests/vcpupin: Likewise.
* tests/virsh-all: Likewise.
* tests/virsh-synopsis: Likewise.
---
tests/cpuset | 2 +-
tests/read-bufsiz | 2 +-
tests/read-non-seekable | 2 +-
tests/start | 2 +-
tests/undefine | 2 +-
tests/vcpupin | 2 +-
tests/virsh-all | 2 +-
tests/virsh-synopsis | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/tests/cpuset b/tests/cpuset
index 89c19e0..3c48f0a 100755
--- a/tests/cpuset
+++ b/tests/cpuset
@@ -1,7 +1,7 @@
#!/bin/sh
# ensure that defining with an invalid vCPU cpuset elicits a diagnostic
-# Copyright (C) 2008-2009 Free Software Foundation, Inc.
+# Copyright (C) 2008-2009 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff --git a/tests/read-bufsiz b/tests/read-bufsiz
index f4f8f19..3ebc135 100755
--- a/tests/read-bufsiz
+++ b/tests/read-bufsiz
@@ -1,7 +1,7 @@
#!/bin/sh
# ensure that reading a file larger than BUFSIZ works
-# Copyright (C) 2008 Free Software Foundation, Inc.
+# Copyright (C) 2008 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff --git a/tests/read-non-seekable b/tests/read-non-seekable
index 59c2389..1aed286 100755
--- a/tests/read-non-seekable
+++ b/tests/read-non-seekable
@@ -1,7 +1,7 @@
#!/bin/sh
# ensure that certain file-reading commands can handle non-seekable files
-# Copyright (C) 2008 Free Software Foundation, Inc.
+# Copyright (C) 2008 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff --git a/tests/start b/tests/start
index 930a6d9..df92a36 100755
--- a/tests/start
+++ b/tests/start
@@ -1,7 +1,7 @@
#!/bin/sh
# ensure that virsh start works properly
-# Copyright (C) 2008 Free Software Foundation, Inc.
+# Copyright (C) 2008 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff --git a/tests/undefine b/tests/undefine
index 48b0ad9..d9efbf7 100755
--- a/tests/undefine
+++ b/tests/undefine
@@ -1,7 +1,7 @@
#!/bin/sh
# exercise virsh's "undefine" command
-# Copyright (C) 2008-2009 Free Software Foundation, Inc.
+# Copyright (C) 2008-2009 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff --git a/tests/vcpupin b/tests/vcpupin
index a72ad4c..36dd093 100755
--- a/tests/vcpupin
+++ b/tests/vcpupin
@@ -1,7 +1,7 @@
#!/bin/sh
# ensure that an invalid CPU spec elicits a diagnostic
-# Copyright (C) 2008 Free Software Foundation, Inc.
+# Copyright (C) 2008 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff --git a/tests/virsh-all b/tests/virsh-all
index f1eb82c..baec161 100755
--- a/tests/virsh-all
+++ b/tests/virsh-all
@@ -1,7 +1,7 @@
#!/bin/sh
# blindly run each and every command listed by "virsh help"
-# Copyright (C) 2008, 2009 Free Software Foundation, Inc.
+# Copyright (C) 2008, 2009 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff --git a/tests/virsh-synopsis b/tests/virsh-synopsis
index d72e887..e60aeb5 100755
--- a/tests/virsh-synopsis
+++ b/tests/virsh-synopsis
@@ -1,7 +1,7 @@
#!/bin/sh
# ensure that each command's help "SYNOPSIS" line starts with the command name
-# Copyright (C) 2008 Free Software Foundation, Inc.
+# Copyright (C) 2008 Red Hat, Inc.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
--
1.7.1.189.g07419
For printf("%*s",foo,bar), clang complains if foo is not int:
warning: field width should have type 'int', but argument has
type 'unsigned int' [-Wformat]
* src/conf/storage_encryption_conf.c
(virStorageEncryptionSecretFormat, virStorageEncryptionFormat):
Use correct type.
---
src/conf/storage_encryption_conf.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/conf/storage_encryption_conf.c b/src/conf/storage_encryption_conf.c
index 7a64050..8f29492 100644
--- a/src/conf/storage_encryption_conf.c
+++ b/src/conf/storage_encryption_conf.c
@@ -1,7 +1,7 @@
/*
* storage_encryption_conf.c: volume encryption information
*
- * Copyright (C) 2009 Red Hat, Inc.
+ * Copyright (C) 2009-2010 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -216,7 +216,7 @@ virStorageEncryptionParseNode(xmlDocPtr xml, xmlNodePtr root)
static int
virStorageEncryptionSecretFormat(virBufferPtr buf,
virStorageEncryptionSecretPtr secret,
- unsigned int indent)
+ int indent)
{
const char *type;
char uuidstr[VIR_UUID_STRING_BUFLEN];
@@ -249,14 +249,15 @@ virStorageEncryptionFormat(virBufferPtr buf,
return -1;
}
virBufferVSprintf(buf, "%*s<encryption format='%s'>\n",
- indent, "", format);
+ (int) indent, "", format);
for (i = 0; i < enc->nsecrets; i++) {
- if (virStorageEncryptionSecretFormat(buf, enc->secrets[i], indent + 2) < 0)
+ if (virStorageEncryptionSecretFormat(buf, enc->secrets[i],
+ indent + 2) < 0)
return -1;
}
- virBufferVSprintf(buf, "%*s</encryption>\n", indent, "");
+ virBufferVSprintf(buf, "%*s</encryption>\n", (int) indent, "");
return 0;
}
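Review bot: The `(int) indent` casts at both `virBufferVSprintf` calls mean `virStorageEncryptionFormat`'s own `indent` parameter is still `unsigned int`; for consistency with the change to `virStorageEncryptionSecretFormat` (now `int indent`), change that parameter to `int` too and drop the casts, which also removes the implicit unsigned-to-int conversion in the `indent + 2` call.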
--
1.6.6.1
Below is David Alan's original patch with lots of changes.
In particular, it now parses the following XML and stores the data
internally. No sending of netlink messages has been implemented here.
<interface type='direct'>
<source dev='static' mode='vepa'/>
<model type='virtio'/>
<vsi managerid='12' typeid='0x123456' typeidversion='1'
instanceid='fa9b7fff-b0a0-4893-8e0e-beef4ff18f8f' />
<filterref filter='clean-traffic'/>
</interface>
<interface type='direct'>
<source dev='static' mode='vepa'/>
<model type='virtio'/>
<vsi profileid='my_profile'/>
</interface>
I'd suggest using this patch as a base for sending out netlink
messages.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
From a945107f047c7cd71f9c1b74fd74c47d8cdc3670 Mon Sep 17 00:00:00 2001
From: David Allan <dallan(a)redhat.com>
Date: Fri, 12 Mar 2010 13:25:04 -0500
Subject: [PATCH 1/1] POC of port profile id support
* Modified schema per DanPB's feedback
* Added test for modified schema
---
docs/schemas/domain.rng | 57 +++++++++++++++++++
src/conf/domain_conf.c | 97
+++++++++++++++++++++++++++++++++
src/conf/domain_conf.h | 31 ++++++++++
src/qemu/qemu_conf.c | 11 ---
src/qemu/qemu_conf.h | 2
src/qemu/qemu_driver.c | 14 +---
src/util/macvtap.c | 89
+++++++++++++++++++++++++-----
src/util/macvtap.h | 7 +-
tests/domainschemadata/portprofile.xml | 22 +++++++
9 files changed, 292 insertions(+), 38 deletions(-)
create mode 100644 tests/domainschemadata/portprofile.xml
Index: libvirt-acl/docs/schemas/domain.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/domain.rng
+++ libvirt-acl/docs/schemas/domain.rng
@@ -817,6 +817,9 @@
</optional>
<empty/>
</element>
+ <optional>
+ <ref name="vsiProfile"/>
+ </optional>
<ref name="interface-options"/>
</interleave>
</group>
@@ -902,6 +905,33 @@
</optional>
</interleave>
</define>
+ <define name="vsiProfile">
+ <choice>
+ <group>
+ <element name="vsi">
+ <attribute name="managerid">
+ <ref name="uint8range"/>
+ </attribute>
+ <attribute name="typeid">
+ <ref name="uint24range"/>
+ </attribute>
+ <attribute name="typeidversion">
+ <ref name="uint8range"/>
+ </attribute>
+ <attribute name="instanceid">
+ <ref name="UUID"/>
+ </attribute>
+ </element>
+ </group>
+ <group>
+ <element name="vsi">
+ <attribute name="profileid">
+ <ref name="vsiProfileID"/>
+ </attribute>
+ </element>
+ </group>
+ </choice>
+ </define>
<!--
An emulator description is just a path to the binary used for the
task
-->
@@ -1769,4 +1799,31 @@
<param name="pattern">[a-zA-Z0-9_\.:]+</param>
</data>
</define>
+ <define name="uint8range">
+ <choice>
+ <data type="string">
+ <param name="pattern">0x[0-9a-fA-F]{1,2}</param>
+ </data>
+ <data type="int">
+ <param name="minInclusive">0</param>
+ <param name="maxInclusive">255</param>
+ </data>
+ </choice>
+ </define>
+ <define name="uint24range">
+ <choice>
+ <data type="string">
+ <param name="pattern">0x[0-9a-fA-F]{1,6}</param>
+ </data>
+ <data type="int">
+ <param name="minInclusive">0</param>
+ <param name="maxInclusive">16777215</param>
+ </data>
+ </choice>
+ </define>
+ <define name="vsiProfileID">
+ <data type="string">
+ <param name="maxLength">39</param>
+ </data>
+ </define>
</grammar>
Index: libvirt-acl/src/conf/domain_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/domain_conf.c
+++ libvirt-acl/src/conf/domain_conf.c
@@ -1831,7 +1831,13 @@ virDomainNetDefParseXML(virCapsPtr caps,
char *internal = NULL;
char *devaddr = NULL;
char *mode = NULL;
+ char *vsiManagerID = NULL;
+ char *vsiTypeID = NULL;
+ char *vsiTypeIDVersion = NULL;
+ char *vsiInstanceID = NULL;
+ char *vsiProfileID = NULL;
virNWFilterHashTablePtr filterparams = NULL;
+ virVSIProfileDefPtr vsi;
if (VIR_ALLOC(def) < 0) {
virReportOOMError();
@@ -1873,6 +1879,20 @@ virDomainNetDefParseXML(virCapsPtr caps,
xmlStrEqual(cur->name, BAD_CAST "source")) {
dev = virXMLPropString(cur, "dev");
mode = virXMLPropString(cur, "mode");
+ } else if ((vsiManagerID == NULL) &&
+ (vsiTypeID == NULL) &&
+ (vsiTypeIDVersion == NULL) &&
+ (vsiInstanceID == NULL) &&
+ (vsiProfileID == NULL) &&
+ (def->type == VIR_DOMAIN_NET_TYPE_DIRECT) &&
+ xmlStrEqual(cur->name, BAD_CAST "vsi")) {
+ vsiManagerID = virXMLPropString(cur, "managerid");
+ vsiTypeID = virXMLPropString(cur, "typeid");
+ vsiTypeIDVersion = virXMLPropString(cur,
"typeidversion");
+ vsiInstanceID = virXMLPropString(cur, "instanceid");
+#ifdef IFLA_VF_PORT_PROFILE_MAX
+ vsiProfileID = virXMLPropString(cur, "profileid");
+#endif
} else if ((network == NULL) &&
((def->type == VIR_DOMAIN_NET_TYPE_SERVER) ||
(def->type == VIR_DOMAIN_NET_TYPE_CLIENT) ||
@@ -2049,6 +2069,51 @@ virDomainNetDefParseXML(virCapsPtr caps,
} else
def->data.direct.mode =
VIR_DOMAIN_NETDEV_MACVTAP_MODE_VEPA;
+ vsi = &def->data.direct.vsiProfile;
+
+#ifdef IFLA_VF_PORT_PROFILE_MAX
+ if (vsiProfileID != NULL) {
+ if (virStrcpyStatic(vsi->u.vsi8021Qbh.profileID,
+ vsiProfileID) != NULL) {
+ vsi->vsiType = VIR_VSI_8021QBH;
+ break;
+ }
+ }
+#endif
+
+ while (vsiManagerID != NULL && vsiTypeID != NULL &&
+ vsiTypeIDVersion != NULL && vsiInstanceID != NULL) {
+ unsigned int val;
+
+ if ((virStrToLong_ui(vsiManagerID, NULL, 10, &val) &&
+ virStrToLong_ui(vsiManagerID, NULL, 16, &val) ) ||
+ val > 0xff)
+ break;
+
+ vsi->u.vsi8021Qbg.managerID = (uint8_t)val;
+
+ if ((virStrToLong_ui(vsiTypeID, NULL, 10, &val) &&
+ virStrToLong_ui(vsiTypeID, NULL, 16, &val) ) ||
+ val > 0xffffff)
+ break;
+
+ vsi->u.vsi8021Qbg.typeID = (uint32_t)val;
+
+ if ((virStrToLong_ui(vsiTypeIDVersion, NULL, 10, &val) &&
+ virStrToLong_ui(vsiTypeIDVersion, NULL, 16, &val) )
||
+ val > 0xff)
+ break;
+
+ vsi->u.vsi8021Qbg.typeIDVersion = (uint8_t)val;
+
+ if (virUUIDParse(vsiInstanceID,
+
def->data.direct.vsiProfile.u.vsi8021Qbg.instanceID))
+ break;
+
+ vsi->vsiType = VIR_VSI_8021QBG;
+ break;
+ }
+
def->data.direct.linkdev = dev;
dev = NULL;
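Review bot: Every failure path in the `while (vsiManagerID != NULL ...)` block, and the `virStrcpyStatic` failure in the `#ifdef IFLA_VF_PORT_PROFILE_MAX` branch, just `break`s, leaving `vsi->vsiType` at `VIR_VSI_INVALID` and the domain definition accepted, so a `<vsi>` with an out-of-range `managerid` or an over-long `profileid` is silently dropped instead of rejected; report it with `virDomainReportError(...)` and `goto error` so a misconfigured port profile cannot start a domain with no profile applied. The `while (...) { ... break; }` construct also reads as a loop on first sight; a plain block with `goto` on failure says what is meant.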
@@ -2114,6 +2179,11 @@ cleanup:
VIR_FREE(internal);
VIR_FREE(devaddr);
VIR_FREE(mode);
+ VIR_FREE(vsiManagerID);
+ VIR_FREE(vsiTypeID);
+ VIR_FREE(vsiTypeIDVersion);
+ VIR_FREE(vsiInstanceID);
+ VIR_FREE(vsiProfileID);
virNWFilterHashTableFree(filterparams);
return def;
@@ -5076,6 +5146,8 @@ virDomainNetDefFormat(virBufferPtr buf,
{
const char *type = virDomainNetTypeToString(def->type);
char *attrs;
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ virVSIProfileDefPtr vsi;
if (!type) {
virDomainReportError(VIR_ERR_INTERNAL_ERROR,
@@ -5141,6 +5213,31 @@ virDomainNetDefFormat(virBufferPtr buf,
virBufferVSprintf(buf, " mode='%s'",
virDomainNetdevMacvtapTypeToString(def->data.direct.mode));
virBufferAddLit(buf, "/>\n");
+ vsi = &def->data.direct.vsiProfile;
+ switch (vsi->vsiType) {
+ case VIR_VSI_INVALID:
+ break;
+
+ case VIR_VSI_8021QBG:
+
virUUIDFormat(def->data.direct.vsiProfile.u.vsi8021Qbg.instanceID,
+ uuidstr);
+ virBufferVSprintf(buf,
+ " <vsi managerid='%d' typeid='%d' "
+ "typeidversion='%d' instanceid='%s'/>\n",
+ vsi->u.vsi8021Qbg.managerID,
+ vsi->u.vsi8021Qbg.typeID,
+ vsi->u.vsi8021Qbg.typeIDVersion,
+ uuidstr);
+ break;
+
+#ifdef IFLA_VF_PORT_PROFILE_MAX
+ case VIR_VSI_8021QBH:
+ virBufferVSprintf(buf,
+ " <vsi profileid='%s'/>\n",
+ vsi->u.vsi8021Qbh.profileID);
+ break;
+#endif
+ }
break;
case VIR_DOMAIN_NET_TYPE_USER:
Index: libvirt-acl/src/conf/domain_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/domain_conf.h
+++ libvirt-acl/src/conf/domain_conf.h
@@ -259,6 +259,36 @@ enum virDomainNetdevMacvtapType {
};
+#define IFLA_VF_PORT_PROFILE_MAX 40
+enum virVSIType {
+ VIR_VSI_INVALID,
+ VIR_VSI_8021QBG,
+#ifdef IFLA_VF_PORT_PROFILE_MAX
+ VIR_VSI_8021QBH,
+#endif
+};
+
+/* profile data for macvtap (VEPA) */
+typedef struct _virVSIProfileDef virVSIProfileDef;
+typedef virVSIProfileDef *virVSIProfileDefPtr;
+struct _virVSIProfileDef {
+ enum virVSIType vsiType;
+ union {
+ struct {
+ uint8_t managerID;
+ uint32_t typeID; // 24 bit valid
+ uint8_t typeIDVersion;
+ unsigned char instanceID[VIR_UUID_BUFLEN];
+ } vsi8021Qbg;
+#ifdef IFLA_VF_PORT_PROFILE_MAX
+ struct {
+ char profileID[IFLA_VF_PORT_PROFILE_MAX];
+ } vsi8021Qbh;
+#endif
+ } u;
+};
+
+
/* Stores the virtual network interface configuration */
typedef struct _virDomainNetDef virDomainNetDef;
typedef virDomainNetDef *virDomainNetDefPtr;
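Review bot: `+#define IFLA_VF_PORT_PROFILE_MAX 40` is defined unconditionally in a public header, so every `#ifdef IFLA_VF_PORT_PROFILE_MAX` in this patch is always true, and once `<linux/if_link.h>` provides the kernel's own `IFLA_VF_PORT_PROFILE_MAX` the two definitions collide; either guard it with `#ifndef` or give the libvirt-side buffer size its own name and leave the `#ifdef`s to the kernel header. Style: `// 24 bit valid` should be a `/* */` comment like the rest of the file.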
@@ -290,6 +320,7 @@ struct _virDomainNetDef {
struct {
char *linkdev;
int mode;
+ virVSIProfileDef vsiProfile;
} direct;
} data;
char *ifname;
Index: libvirt-acl/src/util/macvtap.c
===================================================================
--- libvirt-acl.orig/src/util/macvtap.c
+++ libvirt-acl/src/util/macvtap.c
@@ -43,6 +43,7 @@
# include "util.h"
# include "memory.h"
+# include "logging.h"
# include "macvtap.h"
# include "interface.h"
# include "conf/domain_conf.h"
@@ -57,6 +58,13 @@
# define MACVTAP_NAME_PREFIX "macvtap"
# define MACVTAP_NAME_PATTERN "macvtap%d"
+
+# define PREASSOCIATE 0x00
+# define PREASSOCIATE_WITH_RESOURCE_RESERVATION 0x01
+# define ASSOCIATE 0x02
+# define DEASSOCIATE 0x03
+
+
static int nlOpen(void)
{
int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
@@ -569,6 +577,45 @@ configMacvtapTap(int tapfd, int vnet_hdr
}
+static int
+setPortProfileId(const char *linkdev ATTRIBUTE_UNUSED,
+ unsigned char *mac ATTRIBUTE_UNUSED,
+ int mode ATTRIBUTE_UNUSED,
+ const virVSIProfileDefPtr profile ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
+static int
+associatePortProfileId(const char *linkdev,
+ unsigned char *mac,
+ int mode,
+ const virVSIProfileDefPtr profile)
+{
+ VIR_DEBUG("Associating port profile '%p' on link device '%s' mode %
d ",
+ profile, linkdev, mode);
+
+ return setPortProfileId(linkdev,
+ mac,
+ ASSOCIATE,
+ profile);
+}
+
+
+static int
+disassociatePortProfileId(const char *linkdev,
+ unsigned char *mac,
+ const virVSIProfileDefPtr profile)
+{
+ VIR_DEBUG("Disassociating port profile id '%p' on link device '%s'
",
+ profile, linkdev);
+
+ return setPortProfileId(linkdev,
+ mac,
+ DEASSOCIATE,
+ profile);
+}
+
/**
* openMacvtapTap:
* Create an instance of a macvtap device and open its tap character
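Review bot: the third parameter of setPortProfileId() is named `mode` but receives the ASSOCIATE/DEASSOCIATE opcode, while the caller's `mode` (the macvtap mode) is only used in the VIR_DEBUG message; rename it (e.g. `vsiOp`) so the two cannot be confused when the stub is filled in. `const virVSIProfileDefPtr profile` makes the pointer const, not the pointee; `const virVSIProfileDef *profile` is what is intended. Since setPortProfileId() always returns 0 for now, associatePortProfileId() cannot fail and the new error paths in openMacvtapTap() are not exercised by this patch; when the real implementation lands it should return 0 early for `vsiType == VIR_VSI_INVALID` so interfaces without a `<vsi>` element are unaffected.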
@@ -589,9 +636,7 @@ configMacvtapTap(int tapfd, int vnet_hdr
*/
int
openMacvtapTap(const char *tgifname,
- const unsigned char *macaddress,
- const char *linkdev,
- int mode,
+ virDomainNetDefPtr net,
char **res_ifname,
int vnet_hdr)
{
@@ -599,7 +644,7 @@ openMacvtapTap(const char *tgifname,
int c, rc;
char ifname[IFNAMSIZ];
int retries, do_retry = 0;
- uint32_t macvtapMode = macvtapModeFromInt(mode);
+ uint32_t macvtapMode = macvtapModeFromInt(net->data.direct.mode);
const char *cr_ifname;
int ifindex;
@@ -616,7 +661,7 @@ openMacvtapTap(const char *tgifname,
return -1;
}
cr_ifname = tgifname;
- rc = link_add(type, macaddress, 6, tgifname, linkdev,
+ rc = link_add(type, net->mac, 6, tgifname,
net->data.direct.linkdev,
macvtapMode, &do_retry);
if (rc)
return -1;
@@ -626,7 +671,8 @@ create_name:
for (c = 0; c < 8192; c++) {
snprintf(ifname, sizeof(ifname), MACVTAP_NAME_PATTERN, c);
if (ifaceGetIndex(false, ifname, &ifindex) == ENODEV) {
- rc = link_add(type, macaddress, 6, ifname, linkdev,
+ rc = link_add(type, net->mac, 6, ifname,
+ net->data.direct.linkdev,
macvtapMode, &do_retry);
if (rc == 0)
break;
@@ -639,6 +685,13 @@ create_name:
cr_ifname = ifname;
}
+ rc = associatePortProfileId(net->data.direct.linkdev,
+ net->mac,
+ net->data.direct.mode,
+ &net->data.direct.vsiProfile);
+ if (rc != 0)
+ goto link_del_exit;
+
rc = ifaceUp(cr_ifname);
if (rc != 0) {
virReportSystemError(errno,
@@ -647,7 +700,7 @@ create_name:
"MAC address"),
cr_ifname);
rc = -1;
- goto link_del_exit;
+ goto disassociate_exit;
}
rc = openTap(cr_ifname, 10);
@@ -656,14 +709,19 @@ create_name:
if (configMacvtapTap(rc, vnet_hdr) < 0) {
close(rc);
rc = -1;
- goto link_del_exit;
+ goto disassociate_exit;
}
*res_ifname = strdup(cr_ifname);
} else
- goto link_del_exit;
+ goto disassociate_exit;
return rc;
+disassociate_exit:
+ disassociatePortProfileId(net->data.direct.linkdev,
+ net->mac,
+ &net->data.direct.vsiProfile);
+
link_del_exit:
link_del(cr_ifname);
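Review bot: the return value of disassociatePortProfileId() is discarded in the `disassociate_exit` path; that is acceptable for cleanup, but a failure should at least be logged, otherwise a port profile left associated on the switch side after a failed openMacvtapTap() leaves no trace in the logs.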
@@ -672,15 +730,20 @@ link_del_exit:
/**
- * delMacvtapByName:
- * @ifname : The name of the macvtap interface
+ * delMacvtap:
+ * @net: pointer to virDomainNetDef object
*
* Delete an interface given its name.
*/
void
-delMacvtap(const char *ifname)
+delMacvtap(virDomainNetDefPtr net)
{
- link_del(ifname);
+ if (net->ifname) {
+ disassociatePortProfileId(net->data.direct.linkdev,
+ net->mac,
+ &net->data.direct.vsiProfile);
+ link_del(net->ifname);
+ }
}
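Review bot: the doc comment still says "Delete an interface given its name", but the function now takes a virDomainNetDefPtr and also disassociates the port profile before deleting the link; update the comment. Note also that the function silently does nothing when `net->ifname` is NULL, which the simplified callers in qemu_driver.c now rely on, so that behaviour belongs in the comment too.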
#endif
Index: libvirt-acl/src/util/macvtap.h
===================================================================
--- libvirt-acl.orig/src/util/macvtap.h
+++ libvirt-acl/src/util/macvtap.h
@@ -27,15 +27,14 @@
# if defined(WITH_MACVTAP)
# include "internal.h"
+# include "conf/domain_conf.h"
int openMacvtapTap(const char *ifname,
- const unsigned char *macaddress,
- const char *linkdev,
- int mode,
+ virDomainNetDefPtr net,
char **res_ifname,
int vnet_hdr);
-void delMacvtap(const char *ifname);
+void delMacvtap(virDomainNetDefPtr net);
# endif /* WITH_MACVTAP */
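Review bot: including `conf/domain_conf.h` from `src/util/macvtap.h` makes the util layer depend on conf, which it did not before this patch. Keeping openMacvtapTap() on plain arguments (linkdev, mac, mode) plus the VSI profile struct, with that struct moved to a util-level header, would avoid the layering inversion.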
Index: libvirt-acl/tests/domainschemadata/portprofile.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/domainschemadata/portprofile.xml
@@ -0,0 +1,27 @@
+<domain type='lxc'>
+ <name>portprofile</name>
+ <uuid>00000000-0000-0000-0000-000000000000</uuid>
+ <memory>1048576</memory>
+ <os>
+ <type>exe</type>
+ <init>/sh</init>
+ </os>
+ <devices>
+ <interface type='direct'>
+ <source dev='eth0' mode='vepa'/>
+ <vsi managerid='12' typeid='1193046' typeidversion='1'
+ instanceid='fa9b7fff-b0a0-4893-8e0e-beef4ff18f8f'/>
+ </interface>
+ <interface type='direct'>
+ <source dev='eth0' mode='vepa'/>
+ <vsi profileid='my_profile'/>
+ </interface>
+ <interface type='direct'>
+ <source dev='eth0' mode='vepa'/>
+ <vsi/>
+ </interface>
+ <interface type='direct'>
+ <source dev='eth0' mode='vepa'/>
+ </interface>
+ </devices>
+</domain>
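Review bot: the test covers the 802.1Qbg, 802.1Qbh, empty `<vsi/>` and no-`<vsi>` cases, but the `profileid='my_profile'` interface only parses because IFLA_VF_PORT_PROFILE_MAX is force-defined in domain_conf.h; if that define becomes conditional, this schema test fails on kernels without it. A negative test with a typeid outside the 24-bit range the struct comment allows would also be worth adding.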
Index: libvirt-acl/src/qemu/qemu_conf.h
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_conf.h
+++ libvirt-acl/src/qemu/qemu_conf.h
@@ -271,8 +271,6 @@ qemudOpenVhostNet(virDomainNetDefPtr net
int qemudPhysIfaceConnect(virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
- char *linkdev,
- int brmode,
unsigned long long qemuCmdFlags);
int qemudProbeMachineTypes (const char *binary,
Index: libvirt-acl/src/qemu/qemu_driver.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_driver.c
+++ libvirt-acl/src/qemu/qemu_driver.c
@@ -3585,10 +3585,8 @@ static void qemudShutdownVMDaemon(struct
def = vm->def;
for (i = 0; i < def->nnets; i++) {
virDomainNetDefPtr net = def->nets[i];
- if (net->type == VIR_DOMAIN_NET_TYPE_DIRECT) {
- if (net->ifname)
- delMacvtap(net->ifname);
- }
+ if (net->type == VIR_DOMAIN_NET_TYPE_DIRECT)
+ delMacvtap(net);
}
#endif
@@ -7175,8 +7173,6 @@ static int qemudDomainAttachNetDevice(vi
}
if ((tapfd = qemudPhysIfaceConnect(conn, driver, net,
- net->data.direct.linkdev,
- net->data.direct.mode,
qemuCmdFlags)) < 0)
return -1;
}
@@ -8146,10 +8142,8 @@ qemudDomainDetachNetDevice(struct qemud_
virNWFilterTearNWFilter(detach);
#if WITH_MACVTAP
- if (detach->type == VIR_DOMAIN_NET_TYPE_DIRECT) {
- if (detach->ifname)
- delMacvtap(detach->ifname);
- }
+ if (detach->type == VIR_DOMAIN_NET_TYPE_DIRECT)
+ delMacvtap(detach);
#endif
if ((driver->macFilter) && (detach->ifname != NULL)) {
Index: libvirt-acl/src/qemu/qemu_conf.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_conf.c
+++ libvirt-acl/src/qemu/qemu_conf.c
@@ -1465,8 +1465,6 @@ int
qemudPhysIfaceConnect(virConnectPtr conn,
struct qemud_driver *driver,
virDomainNetDefPtr net,
- char *linkdev,
- int brmode,
unsigned long long qemuCmdFlags)
{
int rc;
@@ -1479,8 +1477,7 @@ qemudPhysIfaceConnect(virConnectPtr conn
net->model && STREQ(net->model, "virtio"))
vnet_hdr = 1;
- rc = openMacvtapTap(net->ifname, net->mac, linkdev, brmode,
- &res_ifname, vnet_hdr);
+ rc = openMacvtapTap(net->ifname, net, &res_ifname, vnet_hdr);
if (rc >= 0) {
VIR_FREE(net->ifname);
net->ifname = res_ifname;
@@ -1500,15 +1497,13 @@ qemudPhysIfaceConnect(virConnectPtr conn
if (err) {
close(rc);
rc = -1;
- delMacvtap(net->ifname);
+ delMacvtap(net);
}
}
}
#else
(void)conn;
(void)net;
- (void)linkdev;
- (void)brmode;
(void)qemuCmdFlags;
(void)driver;
qemuReportError(VIR_ERR_INTERNAL_ERROR,
@@ -4130,8 +4125,6 @@ int qemudBuildCommandLine(virConnectPtr
goto no_memory;
} else if (net->type == VIR_DOMAIN_NET_TYPE_DIRECT) {
int tapfd = qemudPhysIfaceConnect(conn, driver, net,
-
net->data.direct.linkdev,
-
net->data.direct.mode,
qemuCmdFlags);
if (tapfd < 0)
goto error;
[libvirt] [PATCH] Determine the root physical interface of a given interface
by Stefan Berger 11 May '10
In this patch I am adding functions that help to iteratively determine
the root physical interface of a given interface. An example would be
that a macvtap device is linked to eth0.100 which in turn is linked to
eth0. Given the name or interface index of the macvtap device that is
linked to eth0.100, eth0 is found by following the links to the end. I
am now using the netlink library to parse the returned netlink messages
and for that I am making additions to configure.ac and the rpm spec file
to check for the netlink and netlink-devel packages respectively. In the
configure.ac the requirement to have the netlink library is dependent on
having macvtap.
The setup of the upcoming VEPA patches requires knowledge of which
interface to run the setup protocol. In the above case the protocol
would need to run over interface eth0 and provide the knowledge of vlan
id 100 in the protocol (see previous patch).
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
configure.ac | 24 ++++++
libvirt.spec.in | 14 ++++
src/Makefile.am | 2
src/util/macvtap.c | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 224 insertions(+), 1 deletion(-)
Index: libvirt-acl/src/util/macvtap.c
===================================================================
--- libvirt-acl.orig/src/util/macvtap.c
+++ libvirt-acl/src/util/macvtap.c
@@ -41,6 +41,9 @@
# include <linux/rtnetlink.h>
# include <linux/if_tun.h>
+# include <netlink/attr.h>
+# include <netlink/msg.h>
+
# include "util.h"
# include "memory.h"
# include "macvtap.h"
@@ -421,6 +424,187 @@ buffer_too_small:
}
+static struct nla_policy ifla_policy[ IFLA_MAX + 1] =
+{
+ [IFLA_IFNAME ] = {.type = NLA_STRING },
+ [IFLA_LINK] = {.type = NLA_U32 },
+};
+
+
+static int
+link_dump(int ifindex, const char *ifname, struct nlattr **tb,
+ char **recvbuf)
+{
+ int rc = 0;
+ char nlmsgbuf[256];
+ struct nlmsghdr *nlm = (struct nlmsghdr *)nlmsgbuf, *resp;
+ struct nlmsgerr *err;
+ char rtattbuf[64];
+ struct rtattr *rta;
+ struct ifinfomsg i = {
+ .ifi_family = AF_UNSPEC,
+ .ifi_index = ifindex
+ };
+ int recvbuflen;
+
+ *recvbuf = NULL;
+
+ memset(&nlmsgbuf, 0, sizeof(nlmsgbuf));
+
+ nlInit(nlm, NLM_F_REQUEST, RTM_GETLINK);
+
+ if (!nlAppend(nlm, sizeof(nlmsgbuf), &i, sizeof(i)))
+ goto buffer_too_small;
+
+ if (ifindex < 0 && ifname != NULL) {
+ rta = rtattrCreate(rtattbuf, sizeof(rtattbuf), IFLA_IFNAME,
+ ifname, strlen(ifname)+1);
+ if (!rta)
+ goto buffer_too_small;
+
+ if (!nlAppend(nlm, sizeof(nlmsgbuf), rtattbuf, rta->rta_len))
+ goto buffer_too_small;
+ }
+
+ if (nlComm(nlm, recvbuf, &recvbuflen) < 0)
+ return -1;
+
+ if (recvbuflen < NLMSG_LENGTH(0) || *recvbuf == NULL)
+ goto malformed_resp;
+
+ resp = (struct nlmsghdr *)*recvbuf;
+
+ switch (resp->nlmsg_type) {
+ case NLMSG_ERROR:
+ err = (struct nlmsgerr *)NLMSG_DATA(resp);
+ if (resp->nlmsg_len < NLMSG_LENGTH(sizeof(*err)))
+ goto malformed_resp;
+
+ switch (-err->error) {
+ case 0:
+ break;
+
+ default:
+ virReportSystemError(-err->error,
+ _("error dumping %d interface"),
+ ifindex);
+ rc = -1;
+ }
+ break;
+
+ case GENL_ID_CTRL:
+ case NLMSG_DONE:
+ if (nlmsg_parse(resp, sizeof(struct ifinfomsg),
+ tb, IFLA_MAX, ifla_policy)) {
+ goto malformed_resp;
+ }
+ break;
+
+ default:
+ goto malformed_resp;
+ }
+
+ if (rc != 0)
+ VIR_FREE(*recvbuf);
+
+ return rc;
+
+malformed_resp:
+ macvtapError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("malformed netlink response message"));
+ VIR_FREE(*recvbuf);
+ return -1;
+
+buffer_too_small:
+ macvtapError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("internal buffer is too small"));
+ return -1;
+}
+
+
+/* TODO: move this into interface.c after moving netlink functions into
+ * utils dir
+ */
+/**
+ * ifaceGetNthParent
+ *
+ * @ifindex : the index of the interface or -1 if ifname is given
+ * @ifname : the name of the interface; ignored if ifindex is valid
+ * @nthParent : the nth parent interface to get
+ * @rootifname : pointer to buffer of size IFNAMSIZ
+ * @nth : the nth parent that is actually returned; if for example eth0.100
+ * was given and the 100th parent is to be returned, then eth0 will
+ * most likely be returned with nth set to 1 since the chain does
+ * not have more interfaces
+ *
+ * Get the nth parent interface of the given interface. 0 is the interface
+ * itself.
+ *
+ * Return 0 on success, != 0 otherwise
+ */
+static int
+ifaceGetNthParent(int ifindex, const char *ifname, unsigned int nthParent,
+ char *rootifname, unsigned int *nth)
+{
+ int rc;
+ struct nlattr *tb[IFLA_MAX + 1];
+ char *recvbuf = NULL;
+ bool end = false;
+ unsigned int i = 0;
+
+ while (!end && i <= nthParent) {
+ rc = link_dump(ifindex, ifname, tb, &recvbuf);
+ if (rc)
+ break;
+
+ if (tb[IFLA_IFNAME]) {
+ if (!virStrcpy(rootifname, (char*)RTA_DATA(tb[IFLA_IFNAME]),
+ IFNAMSIZ)) {
+ macvtapError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("buffer for root interface name is too small"));
+ VIR_FREE(recvbuf);
+ return 1;
+ }
+ }
+
+ if (tb[IFLA_LINK]) {
+ ifindex = *(int *)RTA_DATA(tb[IFLA_LINK]);
+ ifname = NULL;
+ } else
+ end = true;
+
+ VIR_FREE(recvbuf);
+
+ i++;
+ }
+
+ if (nth)
+ *nth = i-1;
+
+ return rc;
+}
+
+
+/**
+ * ifaceGetRootIface
+ *
+ * @ifindex : the index of the interface or -1 if ifname is given
+ * @ifname : the name of the interface; ignored if ifindex is valid
+ * @rootifname : pointer to buffer of size IFNAMSIZ
+ *
+ * Get the root interface of a given interface, i.e., if macvtap
+ * is linked to eth0.100, it will return eth0.
+ *
+ * Return 0 on success, != 0 otherwise
+ */
+static int
+ifaceGetRootIface(int ifindex, const char *ifname,
+ char *rootifname)
+{
+ return ifaceGetNthParent(ifindex, ifname, ~0, rootifname, NULL);
+}
+
+
/* Open the macvtap's tap device.
* @ifname: Name of the macvtap interface
* @retries : Number of retries in case udev for example may need to be
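Review bot: in link_dump() the reply to RTM_GETLINK is an RTM_NEWLINK message, but the switch matches it with `case GENL_ID_CTRL:`, which only works because the generic-netlink controller id happens to share the numeric value 16 with RTM_NEWLINK; use RTM_NEWLINK. On the `NLMSG_ERROR` path with `err->error == 0` the function returns 0 without ever calling nlmsg_parse(), so the caller's `tb[]` (declared uninitialised in ifaceGetNthParent()) is read as garbage; either treat a bare ACK as `malformed_resp` or clear `tb` before returning. In ifaceGetNthParent(), `*(int *)RTA_DATA(tb[IFLA_LINK])` mixes rtattr macros with libnl's nlattr; `nla_get_u32(tb[IFLA_LINK])` is the libnl way and avoids the cast. The loop has no upper bound when called with `nthParent = ~0`, so a kernel reporting an IFLA_LINK that points back to an already visited interface would spin forever; a small depth limit costs nothing. Finally, when the very first link_dump() fails, `*nth = i-1` stores UINT_MAX.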
Index: libvirt-acl/src/Makefile.am
===================================================================
--- libvirt-acl.orig/src/Makefile.am
+++ libvirt-acl/src/Makefile.am
@@ -932,7 +932,7 @@ libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FL
-version-info $(LIBVIRT_VERSION_INFO) \
$(COVERAGE_CFLAGS:-f%=-Wc,-f%) \
$(LIBXML_LIBS) \
- $(LIBPCAP_LIBS) \
+ $(LIBPCAP_LIBS) $(LIBNL_LIBS) \
$(DRIVER_MODULE_LIBS) \
$(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS)
libvirt_la_CFLAGS = $(COVERAGE_CFLAGS) -DIN_LIBVIRT
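Review bot: LIBNL_LIBS is added to the link lines, but LIBNL_CFLAGS (substituted in configure.ac) is never added to any `_CFLAGS`, so if pkg-config reports a non-default include path for libnl the new `<netlink/*.h>` includes will not be found; add `$(LIBNL_CFLAGS)` to `libvirt_la_CFLAGS` (and to `libvirt_lxc_CFLAGS` in the next hunk).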
@@ -985,7 +985,7 @@ libvirt_lxc_SOURCES = \
$(NWFILTER_PARAM_CONF_SOURCES)
libvirt_lxc_LDFLAGS = $(WARN_CFLAGS) $(COVERAGE_LDCFLAGS) $(CAPNG_LIBS) $(YAJL_LIBS)
libvirt_lxc_LDADD = $(LIBXML_LIBS) $(NUMACTL_LIBS) $(LIB_PTHREAD) \
- ../gnulib/lib/libgnu.la
+ $(LIBNL_LIBS) ../gnulib/lib/libgnu.la
libvirt_lxc_CFLAGS = \
$(LIBPARTED_CFLAGS) \
$(NUMACTL_CFLAGS) \
Index: libvirt-acl/configure.ac
===================================================================
--- libvirt-acl.orig/configure.ac
+++ libvirt-acl/configure.ac
@@ -42,6 +42,7 @@ HAL_REQUIRED=0.5.0
DEVMAPPER_REQUIRED=1.0.0
LIBCURL_REQUIRED="7.18.0"
LIBPCAP_REQUIRED="1.0.0"
+LIBNL_REQUIRED="1.1"
dnl Checks for C compiler.
AC_PROG_CC
@@ -2005,6 +2006,24 @@ fi
AM_CONDITIONAL([WITH_MACVTAP], [test "$with_macvtap" = "yes"])
+dnl netlink library
+
+LIBNL_CFLAGS=""
+LIBNL_LIBS=""
+
+if test "$with_macvtap" = "yes"; then
+ PKG_CHECK_MODULES(LIBNL, libnl-1 >= $LIBNL_REQUIRED, [
+ ], [
+ AC_MSG_ERROR([libnl >= $LIBNL_REQUIRED is required for macvtap support])
+ ])
+fi
+
+AC_SUBST([LIBNL_CFLAGS])
+AC_SUBST([LIBNL_LIBS])
+
+
+
+
# Only COPYING.LIB is under version control, yet COPYING
# is included as part of the distribution tarball.
# Copy one to the other, but only if this is a srcdir-build.
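Review bot: PKG_CHECK_MODULES with AC_MSG_ERROR in the not-found branch turns a missing libnl-devel into a hard configure failure whenever `$with_macvtap` is "yes"; if with_macvtap can be set by auto-detection rather than an explicit --with-macvtap, the usual pattern is to disable macvtap with a notice unless the user asked for it explicitly. The empty action-if-found block and the four blank lines before the COPYING comment are also worth tidying.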
@@ -2183,6 +2202,11 @@ AC_MSG_NOTICE([ pcap: $LIBPCAP_CFLAGS
else
AC_MSG_NOTICE([ pcap: no])
fi
+if test "$with_macvtap" = "yes" ; then
+AC_MSG_NOTICE([ nl: $LIBNL_CFLAGS $LIBNL_LIBS])
+else
+AC_MSG_NOTICE([ nl: no])
+fi
AC_MSG_NOTICE([])
AC_MSG_NOTICE([Test suite])
AC_MSG_NOTICE([])
Index: libvirt-acl/libvirt.spec.in
===================================================================
--- libvirt-acl.orig/libvirt.spec.in
+++ libvirt-acl/libvirt.spec.in
@@ -63,6 +63,7 @@
%define with_yajl 0%{!?_without_yajl:0}
%define with_nwfilter 0%{!?_without_nwfilter:0}
%define with_libpcap 0%{!?_without_libpcap:0}
+%define with_macvtap 0%{!?_without_macvtap:0}
# Non-server/HV driver defaults which are always enabled
%define with_python 0%{!?_without_python:1}
@@ -153,6 +154,11 @@
%if %{with_qemu}
%define with_nwfilter 0%{!?_without_nwfilter:%{server_drivers}}
%define with_libpcap 0%{!?_without_libpcap:%{server_drivers}}
+%define with_macvtap 0%{!?_without_macvtap:%{server_drivers}}
+%endif
+
+%if %{with_macvtap}
+%define with_libnl 1
%endif
# Force QEMU to run as non-root
@@ -282,6 +288,9 @@ BuildRequires: yajl-devel
%if %{with_libpcap}
BuildRequires: libpcap-devel
%endif
+%if %{with_libnl}
+BuildRequires: libnl-devel
+%endif
%if %{with_avahi}
BuildRequires: avahi-devel
%endif
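Review bot: `%if %{with_libnl}` is evaluated on every build, but `with_libnl` is only defined inside `%if %{with_macvtap}`; when macvtap is disabled the macro is undefined and rpmbuild fails with a parse error in the expression. Add a default `%define with_libnl 0` next to the other defaults (beside the new `with_macvtap` define) before the conditional override.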
@@ -531,6 +540,10 @@ of recent versions of Linux (and other O
%define _without_libpcap --without-libpcap
%endif
+%if ! %{with_macvtap}
+%define _without_macvtap --without-macvtap
+%endif
+
%configure %{?_without_xen} \
%{?_without_qemu} \
%{?_without_openvz} \
@@ -560,6 +573,7 @@ of recent versions of Linux (and other O
%{?_without_udev} \
%{?_without_yajl} \
%{?_without_libpcap} \
+ %{?_without_macvtap} \
--with-qemu-user=%{qemu_user} \
--with-qemu-group=%{qemu_group} \
--with-init-script=redhat \
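The parent-chain walk the cover letter describes, as an added stand-alone example that is not code from the patch: it replaces the netlink link_dump() with a constructed in-memory link table (eth0.100 on eth0, macvtap0 on eth0.100, plus a deliberately self-referencing entry) and adds a depth guard so a malformed chain fails instead of looping; the function names and the MAX_LINK_DEPTH constant are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16
#define MAX_LINK_DEPTH 32  /* guard (added here): a real link chain is only a few steps deep */

/* Constructed stand-in for the kernel's link table (not real netlink data):
 * ifindex, name and the IFLA_LINK value; 0 means "no lower device". */
struct link_entry { int ifindex; const char *name; int iflink; };
static const struct link_entry link_table[] = {
    { 2, "eth0",     0 },   /* physical root: no IFLA_LINK */
    { 3, "eth0.100", 2 },   /* VLAN device on eth0 */
    { 4, "macvtap0", 3 },   /* macvtap on eth0.100 */
    { 5, "bad0",     5 },   /* self-referencing link: models a corrupt chain */
};

/* Models link_dump(): one lookup by index, or by name when ifindex < 0. */
static const struct link_entry *link_dump(int ifindex, const char *ifname)
{
    size_t n = sizeof(link_table) / sizeof(link_table[0]);
    for (size_t i = 0; i < n; i++) {
        if (ifindex >= 0 ? link_table[i].ifindex == ifindex
                         : (ifname && strcmp(link_table[i].name, ifname) == 0))
            return &link_table[i];
    }
    return NULL;
}

/* Same contract as ifaceGetNthParent() in the patch: parent 0 is the interface
 * itself, *nth is the parent actually reached. Returns 0 on success, -1 otherwise. */
int iface_get_nth_parent(int ifindex, const char *ifname, unsigned int nthParent,
                         char *rootifname, unsigned int *nth)
{
    unsigned int i = 0;
    int end = 0;
    while (!end && i <= nthParent) {
        if (i > MAX_LINK_DEPTH)
            return -1;          /* cyclic or runaway chain: fail instead of spinning */
        const struct link_entry *e = link_dump(ifindex, ifname);
        if (!e)
            return -1;
        snprintf(rootifname, IFNAMSIZ, "%s", e->name);
        if (e->iflink) {
            ifindex = e->iflink;    /* follow IFLA_LINK one step down */
            ifname = NULL;
        } else {
            end = 1;                /* no IFLA_LINK: this is the physical root */
        }
        i++;
    }
    if (nth)
        *nth = i - 1;
    return 0;
}

/* Same as ifaceGetRootIface(): follow the chain to its end. */
int iface_get_root_iface(int ifindex, const char *ifname, char *rootifname)
{
    return iface_get_nth_parent(ifindex, ifname, ~0u, rootifname, NULL);
}
```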
The latest gnulib finds a couple more syntax-check cleanups,
but it also required some work to avoid requiring gettext 0.18
(since using software just released yesterday won't fly for
supporting RHEL5).
[PATCH 1/2] build: allow older gettext
[PATCH 2/2] build: update gnulib
.gnulib | 2 +-
bootstrap.conf | 2 +-
src/esx/esx_util.c | 6 ------
src/remote/remote_driver.c | 5 -----
tools/virsh.c | 7 +------
5 files changed, 3 insertions(+), 19 deletions(-)