[libvirt] [PATCH 4/9] add DHCP snooping support to nwfilter
by David L Stevens
This patch simplifies the table rules by setting the protocol chains policy to
be "DROP" and removes the explicit "-j DROP" entries that the protocol rules
had previously. It also makes "no-other-rarp-traffic.xml" obsolete.
Signed-off-by: David L Stevens <dlstevens(a)us.ibm.com>
diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 8ef9a71..60301c9 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -14,7 +14,6 @@ FILTERS = \
no-mac-broadcast.xml \
no-mac-spoofing.xml \
no-other-l2-traffic.xml \
- no-other-rarp-traffic.xml \
qemu-announce-self.xml \
qemu-announce-self-rarp.xml
diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml b/examples/xml/nwfilter/no-arpip-spoofing.xml
index ee42d40..7ef6f0f 100644
--- a/examples/xml/nwfilter/no-arpip-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -7,6 +7,4 @@
<rule action='return' direction='out' priority='410' >
<arp match='yes' arpsrcipaddr='0.0.0.0' />
</rule>
- <!-- drop everything else -->
- <rule action='drop' direction='out' priority='1000' />
</filter>
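Review bot: With the explicit drop rule gone, this filter only does its job if the `arpip` chain itself discards unmatched frames, which is something the ebtables driver does elsewhere in the series rather than anything a reader of this example can see. Keep a comment where the rule was, e.g. `<!-- anything not returned above is dropped by the chain's default policy -->`, so the example still documents the whole contract. The same applies to the no-arpmac-spoofing, no-ip-spoofing and no-mac-spoofing hunks below.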
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml b/examples/xml/nwfilter/no-arpmac-spoofing.xml
index 90499d3..3834047 100644
--- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -2,6 +2,4 @@
<rule action='return' direction='out' priority='350' >
<arp match='yes' arpsrcmacaddr='$MAC'/>
</rule>
- <!-- drop everything else -->
- <rule action='drop' direction='out' priority='1000' />
</filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
index 84e8a5e..2fccd12 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -4,6 +4,4 @@
<rule action='return' direction='out'>
<ip match='yes' srcipaddr='$IP' />
</rule>
- <!-- drop any that don't match the source IP list -->
- <rule action='drop' direction='out' />
</filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
index aee56c7..e2e8c03 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -4,6 +4,4 @@
<rule action='return' direction='out' priority='350' >
<mac match='yes' srcmacaddr='$MAC'/>
</rule>
- <!-- drop everything else -->
- <rule action='drop' direction='out' priority='1000' />
</filter>
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml b/examples/xml/nwfilter/no-other-rarp-traffic.xml
deleted file mode 100644
index 7729996..0000000
--- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<filter name='no-other-rarp-traffic' chain='rarp'>
- <rule action='drop' direction='inout' priority='1000'/>
-</filter>
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml b/examples/xml/nwfilter/qemu-announce-self.xml
index 352db50..12957b5 100644
--- a/examples/xml/nwfilter/qemu-announce-self.xml
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -8,6 +8,5 @@
<!-- accept if it was changed to rarp -->
<filterref filter='qemu-announce-self-rarp'/>
- <filterref filter='no-other-rarp-traffic'/>
</filter>
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index fa6f719..dc0ad2e 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2783,7 +2783,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
protostr[0] = '\0';
virBufferVSprintf(buf,
- CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
+ CMD_DEF("%s -t %s -N %s -P DROP") CMD_SEPARATOR
CMD_EXEC
"%s"
CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR
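Review bot: Creating every protocol sub-chain with `-P DROP` silently changes the outcome for any user-supplied filter attached to a protocol chain that does not end in an explicit accept, return or drop: frames that previously fell back into the root chain are now dropped, and neither the hunk nor the commit message records that contract. Add a comment above the format string, e.g. `/* protocol sub-chains drop by default: a filter must accept or return what it permits */`, and spell out the behaviour change in the commit message for filter authors. ebtablesCreateTmpSubChain starts and ends outside this hunk, so I cannot see whether any call site creates a sub-chain that is meant to pass traffic through.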
@@ -3006,14 +3006,6 @@ ebtablesApplyBasicRules(const char *ifname,
ebtablesCreateTmpRootChain(&buf, 1, ifname, 1);
PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
- virBufferVSprintf(&buf,
- CMD_DEF("%s -t %s -A %s -s ! %s -j DROP") CMD_SEPARATOR
- CMD_EXEC
- "%s",
-
- ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
- chain, macaddr_str,
- CMD_STOPONERR(1));
virBufferVSprintf(&buf,
CMD_DEF("%s -t %s -A %s -p IPv4 -j ACCEPT") CMD_SEPARATOR
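Review bot: Removing the `-s ! MAC -j DROP` rule takes the only source-MAC check visible in this hunk out of the basic-rules root chain, and the very next rule is `-p IPv4 -j ACCEPT`, so a frame with a foreign source MAC is now accepted at this point. The root chain is created by ebtablesCreateTmpRootChain, which this patch does not give a DROP policy, so the new `-P DROP` on the sub-chains does not cover it. If a later rule in ebtablesApplyBasicRules (the function continues outside the hunk) reinstates the check, a comment here saying where the MAC filtering now happens would avoid the question; otherwise the rule should stay.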
[libvirt] [PATCH 3/9] add DHCP snooping support to nwfilter
by David L Stevens
This patch changes rules of the form:
if ! addr drop
accept
to:
if addr return
...
drop
The patch adds a "mac" chain to do a mac address list and separates the "arp"
chain into separate "arpmac" and "arpip" chains that can check multiple MAC
or IP addresses in any combination. This patch itself does not support multiple
addresses via the MAC and IP variables, but only changes the form of the rules
to allow multiple addresses in the future.
Signed-off-by: David L Stevens <dlstevens(a)us.ibm.com>
diff --git a/examples/xml/nwfilter/Makefile.am b/examples/xml/nwfilter/Makefile.am
index 439e7b8..8ef9a71 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -7,6 +7,8 @@ FILTERS = \
allow-ipv4.xml \
clean-traffic.xml \
no-arp-spoofing.xml \
+ no-arpmac-spoofing.xml \
+ no-arpip-spoofing.xml \
no-ip-multicast.xml \
no-ip-spoofing.xml \
no-mac-broadcast.xml \
diff --git a/examples/xml/nwfilter/allow-arp.xml b/examples/xml/nwfilter/allow-arp.xml
index 63a92b2..006bb54 100644
--- a/examples/xml/nwfilter/allow-arp.xml
+++ b/examples/xml/nwfilter/allow-arp.xml
@@ -1,3 +1,6 @@
-<filter name='allow-arp' chain='arp'>
+<filter name='allow-arp' chain='arpmac'>
+ <rule direction='inout' action='accept'/>
+</filter>
+<filter name='allow-arp' chain='arpip'>
<rule direction='inout' action='accept'/>
</filter>
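Review bot: The new file holds two top-level `<filter>` elements, which is not a well-formed XML document (exactly one root element is required), and both carry the same name `allow-arp`, so even a loader that accepted the second element would end up defining two filters under one name. Since a filter can name only one chain, the usual shape is two files, e.g. allow-arpmac.xml and allow-arpip.xml, with allow-arp.xml reduced to two `<filterref>` entries, as this same patch does for no-arp-spoofing.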
diff --git a/examples/xml/nwfilter/clean-traffic.xml b/examples/xml/nwfilter/clean-traffic.xml
index 40f0ecb..9cee799 100644
--- a/examples/xml/nwfilter/clean-traffic.xml
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -11,10 +11,10 @@
<!-- preventing ARP spoofing/poisoning -->
<filterref filter='no-arp-spoofing'/>
- <!-- preventing any other traffic than IPv4 and ARP -->
- <filterref filter='no-other-l2-traffic'/>
-
<!-- allow qemu to send a self-announce upon migration end -->
<filterref filter='qemu-announce-self'/>
+ <!-- preventing any other traffic than IPv4 and ARP -->
+ <filterref filter='no-other-l2-traffic'/>
+
</filter>
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml b/examples/xml/nwfilter/no-arp-spoofing.xml
index fdd4e60..1979b20 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -1,17 +1,4 @@
-<filter name='no-arp-spoofing' chain='arp'>
- <uuid>f88f1932-debf-4aa1-9fbe-f10d3aa4bc95</uuid>
- <rule action='drop' direction='out' priority='300' >
- <mac match='no' srcmacaddr='$MAC'/>
- </rule>
-
- <!-- no arp spoofing -->
- <!-- drop if ipaddr or macaddr does not belong to guest -->
- <rule action='drop' direction='out' priority='350' >
- <arp match='no' arpsrcmacaddr='$MAC'/>
- </rule>
- <rule action='drop' direction='out' priority='400' >
- <arp match='no' arpsrcipaddr='$IP' />
- </rule>
- <!-- drop everything else -->
- <rule action='drop' direction='out' priority='1000' />
+<filter name='no-arp-spoofing'>
+ <filterref filter='no-arpmac-spoofing' />
+ <filterref filter='no-arpip-spoofing' />
</filter>
diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml b/examples/xml/nwfilter/no-arpip-spoofing.xml
new file mode 100644
index 0000000..ee42d40
--- /dev/null
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -0,0 +1,12 @@
+<filter name='no-arpip-spoofing' chain='arpip'>
+ <!-- no arp spoofing -->
+ <!-- drop if ipaddr does not belong to guest -->
+ <rule action='return' direction='out' priority='400' >
+ <arp match='yes' arpsrcipaddr='$IP' />
+ </rule>
+ <rule action='return' direction='out' priority='410' >
+ <arp match='yes' arpsrcipaddr='0.0.0.0' />
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
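Review bot: The rule at priority 410 that returns ARP frames with sender IP 0.0.0.0 is a deliberate hole in the source-IP check and deserves a comment stating why it is acceptable, since the header comment above only says "drop if ipaddr does not belong to guest". Presumably it exists for ARP probes and for a guest that has not yet obtained its address via DHCP — worth confirming against the rest of the series. Suggested: `<!-- sender IP 0.0.0.0 is an ARP probe / pre-DHCP announcement: no address is claimed, so let it through -->`.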
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml b/examples/xml/nwfilter/no-arpmac-spoofing.xml
new file mode 100644
index 0000000..90499d3
--- /dev/null
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -0,0 +1,7 @@
+<filter name='no-arpmac-spoofing' chain='arpmac'>
+ <rule action='return' direction='out' priority='350' >
+ <arp match='yes' arpsrcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml b/examples/xml/nwfilter/no-ip-spoofing.xml
index b8c94c8..84e8a5e 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -1,7 +1,9 @@
<filter name='no-ip-spoofing' chain='ipv4'>
<!-- drop if srcipaddr is not the IP address of the guest -->
- <rule action='drop' direction='out'>
- <ip match='no' srcipaddr='$IP' />
+ <rule action='return' direction='out'>
+ <ip match='yes' srcipaddr='$IP' />
</rule>
+ <!-- drop any that don't match the source IP list -->
+ <rule action='drop' direction='out' />
</filter>
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml b/examples/xml/nwfilter/no-mac-spoofing.xml
index f210623..aee56c7 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -1,5 +1,9 @@
-<filter name='no-mac-spoofing' chain='ipv4'>
- <rule action='drop' direction='out' priority='10'>
- <mac match='no' srcmacaddr='$MAC' />
- </rule>
+<filter name='no-mac-spoofing' chain='mac'>
+ <!-- no mac spoofing -->
+ <!-- drop if macaddr does not belong to guest -->
+ <rule action='return' direction='out' priority='350' >
+ <mac match='yes' srcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
</filter>
diff --git a/examples/xml/nwfilter/no-other-l2-traffic.xml b/examples/xml/nwfilter/no-other-l2-traffic.xml
index 8bad86e..0501b1a 100644
--- a/examples/xml/nwfilter/no-other-l2-traffic.xml
+++ b/examples/xml/nwfilter/no-other-l2-traffic.xml
@@ -1,7 +1,12 @@
-<filter name='no-other-l2-traffic'>
+<filter name='no-other-l2-traffic' chain='root'>
- <!-- drop all other l2 traffic than for which rules have been
- written for; i.e., drop all other than arp and ipv4 traffic -->
- <rule action='drop' direction='inout' priority='1000'/>
+ <!-- drop all other than arp and ipv4 traffic -->
+ <rule action='accept' direction='inout'>
+ <mac protocolid='0x800' />
+ </rule>
+ <rule action='accept' direction='inout'>
+ <mac protocolid='0x806' />
+ </rule>
+ <rule action='drop' direction='inout' priority='1000' />
</filter>
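Review bot: The two accept rules carry no priority, and the filter is correct only if the driver's jumps into the protocol sub-chains are evaluated before them in the root chain; otherwise IPv4 and ARP frames would be accepted here without ever passing the spoofing checks. The hunk cannot show where those jumps land, so either give these rules an explicit priority that is documented to sort after the sub-chain jumps, or add a comment such as `<!-- must come after the ipv4/arp sub-chain jumps; only frames those chains returned reach here -->`.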
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index c5705c1..df1a012 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -82,7 +82,9 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, VIR_NWFILTER_EBTABLES_TABLE_LAST,
VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST,
"root",
- "arp",
+ "mac",
+ "arpmac",
+ "arpip",
"rarp",
"ipv4",
"ipv6");
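Review bot: Replacing the `"arp"` chain suffix with `"mac"`, `"arpmac"` and `"arpip"` means an existing user filter declaring `chain='arp'` no longer parses, and the enum counterpart in the nwfilter_conf.h hunk below drops VIR_NWFILTER_CHAINSUFFIX_ARP the same way. Either keep `"arp"` as an accepted alias that maps onto the new chain pair, or call out the incompatibility in the commit message so that shipped filters can be updated. Whatever is chosen, the string table and the enum must keep the same order, which is worth a comment on the enum.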
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index ef60b6b..4d60751 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -425,7 +425,9 @@ struct _virNWFilterEntry {
enum virNWFilterChainSuffixType {
VIR_NWFILTER_CHAINSUFFIX_ROOT = 0,
- VIR_NWFILTER_CHAINSUFFIX_ARP,
+ VIR_NWFILTER_CHAINSUFFIX_MAC,
+ VIR_NWFILTER_CHAINSUFFIX_ARPMAC,
+ VIR_NWFILTER_CHAINSUFFIX_ARPIP,
VIR_NWFILTER_CHAINSUFFIX_RARP,
VIR_NWFILTER_CHAINSUFFIX_IPv4,
VIR_NWFILTER_CHAINSUFFIX_IPv6,
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 39bd4a5..fa6f719 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -129,20 +129,24 @@ struct ushort_map {
enum l3_proto_idx {
- L3_PROTO_IPV4_IDX = 0,
- L3_PROTO_IPV6_IDX,
- L3_PROTO_ARP_IDX,
+ L3_PROTO_MAC_IDX = 0,
+ L3_PROTO_ARPMAC_IDX,
+ L3_PROTO_ARPIP_IDX,
L3_PROTO_RARP_IDX,
+ L3_PROTO_IPV4_IDX,
+ L3_PROTO_IPV6_IDX,
L3_PROTO_LAST_IDX
};
#define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL) [IDX] = { .attr = ATT, .val = VAL }
static const struct ushort_map l3_protocols[] = {
- USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP , "ipv4"),
- USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6 , "ipv6"),
- USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP , "arp"),
- USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_MAC_IDX, 0 , "mac"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP , "ipv4"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6 , "ipv6"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_ARPMAC_IDX,ETHERTYPE_ARP , "arpmac"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_ARPIP_IDX, ETHERTYPE_ARP , "arpip"),
+ USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"),
USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0 , NULL),
};
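Review bot: The new `mac` entry uses `attr = 0` to mean "no ethertype, match every frame", and ebtablesCreateTmpSubChain in this same patch tests `attr` for zero to omit `-p`, but the table gives no hint that 0 is a sentinel rather than a protocol number. Add a comment on that line, e.g. `/* attr 0: no -p match, the chain sees every frame */`, and note that `arpmac` and `arpip` intentionally share ETHERTYPE_ARP and differ only in which filter rules are attached to them.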
@@ -1946,7 +1950,7 @@ ebtablesCreateRuleInstance(char chainPrefix,
virBufferVSprintf(&buf, " -p 0x%x",
(rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP)
- ? l3_protocols[L3_PROTO_ARP_IDX].attr
+ ? l3_protocols[L3_PROTO_ARPMAC_IDX].attr
: l3_protocols[L3_PROTO_RARP_IDX].attr);
if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) {
@@ -2767,15 +2771,22 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
char chainPrefix = (incoming) ? CHAINPREFIX_HOST_IN_TEMP
: CHAINPREFIX_HOST_OUT_TEMP;
+ char protostr[16];
PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
PRINT_CHAIN(chain, chainPrefix, ifname, l3_protocols[protoidx].val);
+ if (l3_protocols[protoidx].attr)
+ snprintf(protostr, sizeof(protostr), "-p 0x%04x ",
+ l3_protocols[protoidx].attr);
+ else
+ protostr[0] = '\0';
+
virBufferVSprintf(buf,
CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR
CMD_EXEC
"%s"
- CMD_DEF("%s -t %s -A %s -p 0x%x -j %s") CMD_SEPARATOR
+ CMD_DEF("%s -t %s -A %s %s -j %s") CMD_SEPARATOR
CMD_EXEC
"%s",
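Review bot: The `else protostr[0] = '\0';` branch is the only place where the `mac` chain's match-everything case is handled, and a reader has to know the table convention to see that; a one-line comment above the `if`, e.g. `/* attr == 0 (mac chain): no protocol filter on the jump rule */`, would tie the two together. The snprintf output is at most `-p 0xffff ` plus the terminator, so the 16-byte buffer suffices as long as attr is at most 16 bits — worth confirming against the ushort_map definition, which is outside the hunk. ebtablesCreateTmpSubChain continues beyond the hunk.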
@@ -2784,7 +2795,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
CMD_STOPONERR(stopOnError),
ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
- rootchain, l3_protocols[protoidx].attr, chain,
+ rootchain, protostr, chain,
CMD_STOPONERR(stopOnError));
@@ -3357,6 +3368,11 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
if (chains_out != 0)
ebtablesCreateTmpRootChain(&buf, 0, ifname, 1);
+ if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_MAC))
+ ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_MAC_IDX, 1);
+ if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_MAC))
+ ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_MAC_IDX, 1);
+
if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4))
ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_IPV4_IDX, 1);
if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4))
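Review bot: The `mac` sub-chain is created ahead of the IPv4 ones, and the only ordering comment in this function says to keep arp/rarp last, so the reason the MAC chain must come first — its jump rule carries no `-p` match and is meant to screen every frame before the protocol chains — is not recorded. Add `/* mac chain first: its jump has no protocol match and must see every frame */` above the new block. If the append order of these jump rules is what fixes evaluation order in the root chain, that deserves a sentence as well.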
@@ -3368,10 +3384,14 @@ ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_IPV6_IDX, 1);
/* keep arp,rarp as last */
- if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP))
- ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_ARP_IDX, 1);
- if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP))
- ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_ARP_IDX, 1);
+ if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_ARPMAC))
+ ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_ARPMAC_IDX, 1);
+ if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_ARPIP))
+ ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_ARPIP_IDX, 1);
+ if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_ARPMAC))
+ ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_ARPMAC_IDX, 1);
+ if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_ARPIP))
+ ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_ARPIP_IDX, 1);
if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_RARP))
ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_RARP_IDX, 1);
if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_RARP))
[libvirt] [PATCH 1/9] add DHCP snooping support to nwfilter
by David L Stevens
This patch adds support for "continue" and "return" actions
in filter rules.
Signed-off-by: David L Stevens <dlstevens(a)us.ibm.com>
diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c
index 13b5b38..6a15f04 100644
--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -54,12 +54,16 @@
VIR_ENUM_IMPL(virNWFilterRuleAction, VIR_NWFILTER_RULE_ACTION_LAST,
"drop",
"accept",
- "reject");
+ "reject",
+ "return",
+ "continue");
VIR_ENUM_IMPL(virNWFilterJumpTarget, VIR_NWFILTER_RULE_ACTION_LAST,
"DROP",
"ACCEPT",
- "REJECT");
+ "REJECT",
+ "RETURN",
+ "CONTINUE");
VIR_ENUM_IMPL(virNWFilterRuleDirection, VIR_NWFILTER_RULE_DIRECTION_LAST,
"in",
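Review bot: The jump-target string `"CONTINUE"` is an ebtables target, but iptables has no CONTINUE target, so if virNWFilterJumpTarget is also consulted when IPv4/IPv6 rules are emitted, a rule with action='continue' would fail to apply there; the safe options are to emit no `-j` at all for that action on iptables, or to reject it for those protocols at parse time. The hunk only shows the string tables, so how the target is consumed needs checking in nwfilter_ebiptables_driver.c. The nwfilter_conf.h hunk below adds the matching enum values and must stay in the same order as these tables.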
diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 40da8c3..ab9d4c1 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -291,6 +291,8 @@ enum virNWFilterRuleActionType {
VIR_NWFILTER_RULE_ACTION_DROP = 0,
VIR_NWFILTER_RULE_ACTION_ACCEPT,
VIR_NWFILTER_RULE_ACTION_REJECT,
+ VIR_NWFILTER_RULE_ACTION_RETURN,
+ VIR_NWFILTER_RULE_ACTION_CONTINUE,
VIR_NWFILTER_RULE_ACTION_LAST,
};
[libvirt] [PATCH] build: Fix problem of building Python bindings
by Osier Yang
If one specifies "--with-python=yes" but no python-devel package
is installed, we ignore it with just a notice message, which
doesn't give clear guidance to the user.
---
configure.ac | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 190bf40..758c893 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1917,15 +1917,13 @@ if test "$with_python" != "no" ; then
then
PYTHON_INCLUDES=-I/usr/include/python$PYTHON_VERSION
else
- AC_MSG_NOTICE([Could not find python$PYTHON_VERSION/Python.h, disabling bindings])
- with_python=no
+ AC_MSG_ERROR([You must install python-devel to build Python bindings])
fi
fi
fi
fi
else
- AC_MSG_NOTICE([Could not find python interpreter, disabling bindings])
- with_python=no
+ AC_MSG_ERROR([You must install python to build Python bindings])
fi
else
AC_MSG_NOTICE([Could not find python in $with_python, disabling bindings])
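Review bot: The outer `if test "$with_python" != "no"` means these branches are also reached for the default (auto) setting, so the new AC_MSG_ERROR turns a missing python-devel into a hard configure failure even for users who never asked for the bindings, while the commit message describes only the explicit `--with-python=yes` case. Fail only when yes was requested explicitly and keep the notice-and-disable path otherwise; the surrounding block starts outside the hunk, so the default value of with_python should be checked there.
```m4
if test "$with_python" = "yes"; then
    AC_MSG_ERROR([You must install python-devel to build Python bindings])
else
    AC_MSG_NOTICE([Could not find python$PYTHON_VERSION/Python.h, disabling bindings])
    with_python=no
fi
dnl … unchanged: closing fi lines …
dnl … same shape for the missing-interpreter branch, with the python message …
```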
--
1.7.4
[libvirt] Magic error introduced by commit f09accc
by Jiri Denemark
Hi all,
After commit f09accc (buf: add virBufferVasprintf) libvirt no longer compiles
with -Werror because of the following error:
CC libvirt_util_la-macvtap.lo
cc1: warnings being treated as errors
/usr/include/netlink/object.h:58: error: inline function 'nl_object_priv'
declared but never defined
I must admit I don't understand why including stdarg.h (which seems to be the
only change visible in macvtap.c) results in this warning.
Does anyone have an idea?
Jirka
[libvirt] libvirt.pc file
by Eric Blake
Why is libvirt.pc included in the tarball? It contains information
learned at configure time, thus its contents depend on who built the
tarball, which is in violation of the normal rule that any generated
file that depends on config.status must not be shipped.
Unless anyone has a good reason why it is distributed, I'm working on a
patch to fix that.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
[libvirt] virsh nodedev-dumpxml is not supported by the connection driver
by guan qin
Hi,
I run into a problem when I use the command "virsh nodedev-dumpxml
pci_0000_00_19_0"; it shows the following:
root@shahe26:~# virsh nodedev-list
error: Failed to count node devices
error: this function is not supported by the connection driver:
virNodeNumOfDevices
root@shahe26:~# virsh nodedev-dumpxml pci_0000_00_19_0
error: Could not find matching device 'pci_0000_00_19_0'
error: this function is not supported by the connection driver:
virNodeDeviceLookupByName
root@shahe26:~# virsh -version
0.9.0
root@shahe26:~# virsh net-list
Name State Autostart
-----------------------------------------
default active yes
root@shahe26:~# virsh list
Id Name State
----------------------------------
root@shahe26:~#
I find that only the "virsh nodedev-? ***" commands do not work. How can I
solve this problem? Thanks.
best regards,
qinguan
[libvirt] [PATCH] json: Fix *GetBoolean functions
by Jiri Denemark
They were not used anywhere so far, so nobody noticed they were broken.
---
src/util/json.c | 11 ++++++-----
src/util/json.h | 4 ++--
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/src/util/json.c b/src/util/json.c
index 0daeae9..df4771d 100644
--- a/src/util/json.c
+++ b/src/util/json.c
@@ -491,12 +491,13 @@ int virJSONValueGetNumberDouble(virJSONValuePtr number, double *value)
}
-int virJSONValueGetBoolean(virJSONValuePtr val)
+int virJSONValueGetBoolean(virJSONValuePtr val, bool *value)
{
- if (val->type != VIR_JSON_TYPE_NUMBER)
+ if (val->type != VIR_JSON_TYPE_BOOLEAN)
return -1;
- return val->data.boolean;
+ *value = val->data.boolean;
+ return 0;
}
@@ -593,7 +594,7 @@ int virJSONValueObjectGetNumberDouble(virJSONValuePtr object, const char *key, d
}
-int virJSONValueObjectGetBoolean(virJSONValuePtr object, const char *key)
+int virJSONValueObjectGetBoolean(virJSONValuePtr object, const char *key, bool *value)
{
virJSONValuePtr val;
if (object->type != VIR_JSON_TYPE_OBJECT)
@@ -603,7 +604,7 @@ int virJSONValueObjectGetBoolean(virJSONValuePtr object, const char *key)
if (!val)
return -1;
- return virJSONValueGetBoolean(val);
+ return virJSONValueGetBoolean(val, value);
}
diff --git a/src/util/json.h b/src/util/json.h
index ea28de6..4572654 100644
--- a/src/util/json.h
+++ b/src/util/json.h
@@ -105,7 +105,7 @@ int virJSONValueGetNumberUint(virJSONValuePtr object, unsigned int *value);
int virJSONValueGetNumberLong(virJSONValuePtr object, long long *value);
int virJSONValueGetNumberUlong(virJSONValuePtr object, unsigned long long *value);
int virJSONValueGetNumberDouble(virJSONValuePtr object, double *value);
-int virJSONValueGetBoolean(virJSONValuePtr object);
+int virJSONValueGetBoolean(virJSONValuePtr object, bool *value);
int virJSONValueIsNull(virJSONValuePtr object);
const char *virJSONValueObjectGetString(virJSONValuePtr object, const char *key);
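Review bot: The prototypes now take `bool *value`, which requires <stdbool.h> to be visible in json.h; the hunk does not show the header's include list, so confirm it is included there directly rather than relying on the including .c file, or add `# include <stdbool.h>` to json.h. The same applies to the second json.h hunk below. A short comment on the prototype stating the convention — returns -1 if the value is not a boolean, otherwise stores it in *value and returns 0 — would match what the json.c hunk now implements.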
@@ -114,7 +114,7 @@ int virJSONValueObjectGetNumberUint(virJSONValuePtr object, const char *key, uns
int virJSONValueObjectGetNumberLong(virJSONValuePtr object, const char *key, long long *value);
int virJSONValueObjectGetNumberUlong(virJSONValuePtr object, const char *key, unsigned long long *value);
int virJSONValueObjectGetNumberDouble(virJSONValuePtr object, const char *key, double *value);
-int virJSONValueObjectGetBoolean(virJSONValuePtr object, const char *key);
+int virJSONValueObjectGetBoolean(virJSONValuePtr object, const char *key, bool *value);
int virJSONValueObjectIsNull(virJSONValuePtr object, const char *key);
int virJSONValueObjectAppendString(virJSONValuePtr object, const char *key, const char *value);
--
1.7.5.rc3
[libvirt] How to suppress error printing to stderr from virConnectOpen*?
by Richard W.M. Jones
I can set the global error handling function (virSetErrorFunc). That
doesn't seem to be a good idea from a library. Looking at the code,
it doesn't appear that the internal virErrorHandler is thread-local,
so I can't set it and restore it around the function call.
I can set the error handling function _after_ I've got a connection
object (virConnSetErrorFunc). That doesn't help with making the
initial connection.
libguestfs itself has the same problem with the guestfs_create call,
so I'm not going to point any fingers :-) However it seems like a
shortcoming of the libvirt API.
Am I missing something here?
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supprt'd
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
[libvirt] [PATCH] Allow destroying QEMU VM even if a job is active
by Daniel P. Berrange
Introduce a virProcessKill function that can be safely called
even when the job mutex is held. This allows virDomainDestroy
to kill any VM even if it is asleep in a monitor job. The PID
will die and the thread asleep on the monitor will then wake
up releasing the job mutex.
* src/qemu/qemu_driver.c: Kill process before using qemuProcessStop
to ensure job is released
* src/qemu/qemu_process.c: Add virProcessKill for killing off
QEMU processes
---
src/qemu/qemu_driver.c | 7 +++++++
src/qemu/qemu_process.c | 39 +++++++++++++++++++++++++++++++--------
src/qemu/qemu_process.h | 2 ++
3 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index b3f9e00..6d6fb51 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1482,6 +1482,13 @@ static int qemudDomainDestroy(virDomainPtr dom) {
goto cleanup;
}
+ /* Although qemuProcessStop does this already, there may
+ * be an outstanding job active. We want to make sure we
+ * can kill the process even if a job is active. Killing
+ * it now, means the job will be released
+ */
+ qemuProcessKill(vm);
+
if (qemuDomainObjBeginJobWithDriver(driver, vm) < 0)
goto cleanup;
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index a6c0dc8..c60c51f 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -2369,6 +2369,36 @@ cleanup:
}
+void qemuProcessKill(virDomainObjPtr vm)
+{
+ int i;
+ int rc;
+ VIR_DEBUG("vm=%s pid=%d", vm->def->name, vm->pid);
+
+ if (!virDomainObjIsActive(vm)) {
+ VIR_DEBUG("VM '%s' not active", vm->def->name);
+ return;
+ }
+
+ for (i = 0 ; i < 15 ; i++) {
+ int signum;
+ if (i == 0)
+ signum = SIGTERM;
+ else if (i == 8)
+ signum = SIGKILL;
+ else
+ signum = 0; /* Just check for existance */
+
+ rc = virKillProcess(vm->pid, signum);
+ VIR_DEBUG("Iteration %d rc=%d", i, rc);
+ if (rc < 0)
+ break;
+
+ usleep(200 * 1000);
+ }
+}
+
+
void qemuProcessStop(struct qemud_driver *driver,
virDomainObjPtr vm,
int migrated)
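Review bot: qemuProcessKill returns void, so neither qemudDomainDestroy nor qemuProcessStop can tell whether the process actually died: when the pid still answers the signal-0 probe after the SIGKILL round the loop simply ends and the caller proceeds as if the guest were gone. Give it an `int` return and finish with `return (rc < 0) ? 0 : -1;` after the loop so callers can report a lingering process. The loop also sleeps 200 ms after its final probe and, at the `/* shut it off for sure */` call in qemuProcessStop below, can block for up to 3 s where a single SIGKILL used to be immediate — worth stating in the function comment. Breaking on any `rc < 0` also treats a permission failure like a vanished process; if virKillProcess distinguishes them, only the missing-process case should end the loop early.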
@@ -2436,13 +2466,6 @@ void qemuProcessStop(struct qemud_driver *driver,
}
}
- /* This will safely handle a non-running guest with pid=0 or pid=-1*/
- if (virKillProcess(vm->pid, 0) == 0 &&
- virKillProcess(vm->pid, SIGTERM) < 0)
- virReportSystemError(errno,
- _("Failed to send SIGTERM to %s (%d)"),
- vm->def->name, vm->pid);
-
if (priv->mon)
qemuMonitorClose(priv->mon);
@@ -2454,7 +2477,7 @@ void qemuProcessStop(struct qemud_driver *driver,
}
/* shut it off for sure */
- virKillProcess(vm->pid, SIGKILL);
+ qemuProcessKill(vm);
/* now that we know it's stopped call the hook if present */
if (virHookPresent(VIR_HOOK_DRIVER_QEMU)) {
diff --git a/src/qemu/qemu_process.h b/src/qemu/qemu_process.h
index f1ab599..d8afab0 100644
--- a/src/qemu/qemu_process.h
+++ b/src/qemu/qemu_process.h
@@ -49,4 +49,6 @@ void qemuProcessStop(struct qemud_driver *driver,
virDomainObjPtr vm,
int migrated);
+void qemuProcessKill(virDomainObjPtr vm);
+
#endif /* __QEMU_PROCESS_H__ */
--
1.7.4.4