[PATCH v4 0/2] Fix virtio console port assignment issue
by Aaron M. Brown
Changelog:
---
v4:
- Update commit messages
---
v3:
- Added Reviewed-By
- Included CI Results Link
---
v2:
- Split patch into two commits
- Added fixes tag
---
This libvirt patch does the following:
1. fixes an issue with virtio console device port assignment on vioserial buses
2. updates console port reservation comment and changes the allowZero variable to allowPortZero for clarity
Currently in libvirt, a virtio console device cannot be assigned a port number greater than zero on a vioserial bus. This leads to port collision errors when adding more than 1 virtio console device on a single vioserial bus.
After applying this patch, one can add multiple console ports under a single vioserial bus.
Here is a link to CI results for this series: https://gitlab.com/aaronbmalik/libvirt/-/pipelines/1832324065
Aaron M. Brown (2):
virDomainVirtioSerialAddrAssign: Fix virtio console port assignment on
vioserial bus
domain_addr.c: Update console port reservation comment and allowZero
variable for clarity
src/conf/domain_addr.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
--
2.39.5 (Apple Git-154)
4 days, 23 hours
[PATCH] passt: Define backend hostname and fqdn
by Enrique Llorente
This commit introduces a feature enhancement for configuring hostnames in
virtual machines (VMs) using DHCP. It adds new options to the "passt" tool
to set the hostname and fully qualified domain name (FQDN) for VMs. These
map to DHCP option 12 for the hostname and options 81 (IPv4) and 39 (IPv6)
for the FQDN.
The update enables passt to dynamically assign hostnames to DHCP-aware
VMs. To achieve this, the commit adds two fields to the passt domain XML
backend. These fields allow passt to configure the hostname and FQDN for
the virtual machine, ensuring smooth integration with the DHCP protocol.
This improvement is particularly valuable in environments where VMs need
dynamic hostname configuration, enhancing flexibility and automation in
virtualized network setups.
libvirt: Integrate passt --hostname --fqdn options
Resolves: https://issues.redhat.com/browse/RHEL-79806
Signed-off-by: Enrique Llorente <ellorent(a)redhat.com>
---
docs/formatdomain.rst | 8 +++++---
src/conf/domain_conf.c | 10 +++++++++-
src/conf/domain_conf.h | 2 ++
src/conf/schemas/domaincommon.rng | 6 ++++++
src/qemu/qemu_passt.c | 6 ++++++
tests/qemuxmlconfdata/net-user-passt.x86_64-7.2.0.xml | 2 +-
tests/qemuxmlconfdata/net-user-passt.x86_64-latest.xml | 2 +-
tests/qemuxmlconfdata/net-user-passt.xml | 2 +-
.../net-vhostuser-passt.x86_64-latest.xml | 2 +-
tests/qemuxmlconfdata/net-vhostuser-passt.xml | 2 +-
10 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
index 8753ee9c23..9c80aa9270 100644
--- a/docs/formatdomain.rst
+++ b/docs/formatdomain.rst
@@ -5372,10 +5372,12 @@ came from the host's IP.
There are a few other options that are configurable only for the passt
backend. For example, the ``<backend>`` attribute ``logFile`` can be
used to tell the passt process for this interface where to write its
-message log, and the ``<source>`` attribute ``dev`` can tell it a
+message log, the ``<source>`` attribute ``dev`` can tell it a
particular host interface to use when deriving the routes given to the
-guest for forwarding traffic upstream. Due to the design decisions of
-passt, when using SELinux on the host, it is recommended that the log
+guest for forwarding traffic upstream and the ``hostname`` and ``fqdn``
+will conigure the DHCP option 12 hostname and DHCP option 81 and DHCPv6
+option 39 fqdn attribute. Due to the design decisions of passt, when using
+SELinux on the host, it is recommended that the log
file reside in the runtime directory of the user under which the passt
process will run, most probably ``/run/user/$UID`` (where ``$UID`` is
the UID of that user), e.g. ``/run/user/1000``. Be aware that libvirt
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index b3b0bd7329..15143f8fa2 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -2909,6 +2909,8 @@ virDomainNetDefFree(virDomainNetDef *def)
g_free(def->backend.tap);
g_free(def->backend.vhost);
g_free(def->backend.logFile);
+ g_free(def->backend.hostname);
+ g_free(def->backend.fqdn);
virDomainNetTeamingInfoFree(def->teaming);
g_free(def->virtPortProfile);
g_free(def->script);
@@ -9757,6 +9759,8 @@ virDomainNetBackendParseXML(xmlNodePtr node,
}
def->backend.logFile = virXMLPropString(node, "logFile");
+ def->backend.hostname = virXMLPropString(node, "hostname");
+ def->backend.fqdn = virXMLPropString(node, "fqdn");
if (tap)
def->backend.tap = virFileSanitizePath(tap);
@@ -20757,7 +20761,9 @@ virDomainNetBackendIsEqual(virDomainNetBackend *src,
if (src->type != dst->type ||
STRNEQ_NULLABLE(src->tap, dst->tap) ||
STRNEQ_NULLABLE(src->vhost, dst->vhost) ||
- STRNEQ_NULLABLE(src->logFile, dst->logFile)) {
+ STRNEQ_NULLABLE(src->logFile, dst->logFile) ||
+ STRNEQ_NULLABLE(src->hostname, dst->hostname) ||
+ STRNEQ_NULLABLE(src->fqdn, dst->fqdn)) {
return false;
}
return true;
@@ -24838,6 +24844,8 @@ virDomainNetBackendFormat(virBuffer *buf,
virBufferEscapeString(&attrBuf, " tap='%s'", backend->tap);
virBufferEscapeString(&attrBuf, " vhost='%s'", backend->vhost);
virBufferEscapeString(&attrBuf, " logFile='%s'", backend->logFile);
+ virBufferEscapeString(&attrBuf, " hostname='%s'", backend->hostname);
+ virBufferEscapeString(&attrBuf, " fqdn='%s'", backend->fqdn);
virXMLFormatElement(buf, "backend", &attrBuf, NULL);
}
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 58b97a2b54..79fd2f1f63 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1067,6 +1067,8 @@ struct _virDomainNetBackend {
char *vhost;
/* The following are currently only valid/used when backend type='passt' */
char *logFile; /* path to logfile used by passt process */
+ char *hostname; /* hostname of the passt process */
+ char *fqdn; /* fully qualified domain name of the passt process */
};
struct _virDomainNetPortForwardRange {
diff --git a/src/conf/schemas/domaincommon.rng b/src/conf/schemas/domaincommon.rng
index 5597d5a66b..f64199ca18 100644
--- a/src/conf/schemas/domaincommon.rng
+++ b/src/conf/schemas/domaincommon.rng
@@ -3913,6 +3913,12 @@
<ref name="absFilePath"/>
</attribute>
</optional>
+ <optional>
+ <attribute name="hostname"/>
+ </optional>
+ <optional>
+ <attribute name="fqdn"/>
+ </optional>
</element>
</optional>
<optional>
diff --git a/src/qemu/qemu_passt.c b/src/qemu/qemu_passt.c
index fcc34de384..9ebb766433 100644
--- a/src/qemu/qemu_passt.c
+++ b/src/qemu/qemu_passt.c
@@ -229,6 +229,12 @@ qemuPasstStart(virDomainObj *vm,
if (net->backend.logFile)
virCommandAddArgList(cmd, "--log-file", net->backend.logFile, NULL);
+ if (net->backend.hostname)
+ virCommandAddArgList(cmd, "--hostname", net->backend.hostname, NULL);
+
+ if (net->backend.fqdn)
+ virCommandAddArgList(cmd, "--fqdn", net->backend.hostname, NULL);
+
/* Add IP address info */
for (i = 0; i < net->guestIP.nips; i++) {
const virNetDevIPAddr *ip = net->guestIP.ips[i];
diff --git a/tests/qemuxmlconfdata/net-user-passt.x86_64-7.2.0.xml b/tests/qemuxmlconfdata/net-user-passt.x86_64-7.2.0.xml
index cfe07cc627..77da297936 100644
--- a/tests/qemuxmlconfdata/net-user-passt.x86_64-7.2.0.xml
+++ b/tests/qemuxmlconfdata/net-user-passt.x86_64-7.2.0.xml
@@ -50,7 +50,7 @@
<range start='443' to='344'/>
</portForward>
<model type='rtl8139'/>
- <backend type='passt' logFile='/var/log/loglaw.blog'/>
+ <backend type='passt' logFile='/var/log/loglaw.blog' hostname='hostname1' fqdn='hostname1.test.local'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
<input type='mouse' bus='ps2'/>
diff --git a/tests/qemuxmlconfdata/net-user-passt.x86_64-latest.xml b/tests/qemuxmlconfdata/net-user-passt.x86_64-latest.xml
index d7e0ef5f90..917a9edaa0 100644
--- a/tests/qemuxmlconfdata/net-user-passt.x86_64-latest.xml
+++ b/tests/qemuxmlconfdata/net-user-passt.x86_64-latest.xml
@@ -50,7 +50,7 @@
<range start='443' to='344'/>
</portForward>
<model type='rtl8139'/>
- <backend type='passt' logFile='/var/log/loglaw.blog'/>
+ <backend type='passt' logFile='/var/log/loglaw.blog' hostname='hostname1' fqdn='hostname1.test.local'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
<input type='mouse' bus='ps2'/>
diff --git a/tests/qemuxmlconfdata/net-user-passt.xml b/tests/qemuxmlconfdata/net-user-passt.xml
index 20c9f50542..80d15de2ed 100644
--- a/tests/qemuxmlconfdata/net-user-passt.xml
+++ b/tests/qemuxmlconfdata/net-user-passt.xml
@@ -47,7 +47,7 @@
<range start='443' to='344'/>
</portForward>
<model type='rtl8139'/>
- <backend type='passt' logFile='/var/log/loglaw.blog'/>
+ <backend type='passt' logFile='/var/log/loglaw.blog' hostname='hostname1' fqdn='hostname1.test.local'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
<input type='mouse' bus='ps2'/>
diff --git a/tests/qemuxmlconfdata/net-vhostuser-passt.x86_64-latest.xml b/tests/qemuxmlconfdata/net-vhostuser-passt.x86_64-latest.xml
index 529aff11f8..5802754c4b 100644
--- a/tests/qemuxmlconfdata/net-vhostuser-passt.x86_64-latest.xml
+++ b/tests/qemuxmlconfdata/net-vhostuser-passt.x86_64-latest.xml
@@ -53,7 +53,7 @@
<range start='443' to='344'/>
</portForward>
<model type='virtio'/>
- <backend type='passt' logFile='/var/log/loglaw.blog'/>
+ <backend type='passt' logFile='/var/log/loglaw.blog' hostname='hostname1' fqdn='hostname1.test.local'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
<interface type='vhostuser'>
diff --git a/tests/qemuxmlconfdata/net-vhostuser-passt.xml b/tests/qemuxmlconfdata/net-vhostuser-passt.xml
index 71b845329b..0a37511a0f 100644
--- a/tests/qemuxmlconfdata/net-vhostuser-passt.xml
+++ b/tests/qemuxmlconfdata/net-vhostuser-passt.xml
@@ -50,7 +50,7 @@
<range start='443' to='344'/>
</portForward>
<model type='virtio'/>
- <backend type='passt' logFile='/var/log/loglaw.blog'/>
+ <backend type='passt' logFile='/var/log/loglaw.blog' hostname='hostname1' fqdn='hostname1.test.local'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
</interface>
<interface type='vhostuser'>
--
2.49.0
5 days, 3 hours
[PATCH] NEWS: Make sure releases are separated by two blank lines
by Jiri Denemark
From: Jiri Denemark <jdenemar(a)redhat.com>
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
NEWS.rst | 2 ++
1 file changed, 2 insertions(+)
diff --git a/NEWS.rst b/NEWS.rst
index a880524ca2..0ba2d20191 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -533,6 +533,7 @@ v10.9.0 (2024-11-01)
``<blockers model='...'>`` element is added for that CPU model listing
features required by the CPU model, but not supported on the host.
+
v10.8.0 (2024-10-01)
====================
@@ -668,6 +669,7 @@ v10.7.0 (2024-09-02)
Cloud-Hypervisor driver now supports Ethernet, Network (NAT) and Bridge
networking modes.
+
v10.6.0 (2024-08-05)
====================
--
2.49.0
5 days, 4 hours
[PATCH 0/2] qemu: Fix crash when resuming failed post-copy migration
by Jiri Denemark
Jiri Denemark (2):
qemu: Fix crash when resuming failed post-copy migration
NEWS: Fix virtqemud crash when resuming failed post-copy migration
NEWS.rst | 7 +++++++
src/qemu/qemu_migration.c | 3 ++-
2 files changed, 9 insertions(+), 1 deletion(-)
--
2.49.0
5 days, 4 hours
Entering freeze for libvirt-11.4.0
by Jiri Denemark
I have just tagged v11.4.0-rc1 in the repository and pushed signed
tarballs to https://download.libvirt.org/
Please give the release candidate some testing and in case you find a
serious issue which should have a fix in the upcoming release, feel
free to reply to this thread to make sure the issue is more visible.
If you have not done so yet, please update NEWS.rst to document any
significant change you made since the last release.
Jirka
5 days, 6 hours
[PATCH 0/9] qemu: Move config validation out of qemu_process.c
by Peter Krempa
Some more cleanups for misplaced validation of config that I've noticed
when I was looking for the code validating floppies in my previous
series.
Peter Krempa (9):
qemuDomainValidateStorageSource: Rework protocol validation into a
switch statement
qemu: Move disk backend validation checks from
qemuProcessStartValidateDisks to qemuDomainValidateStorageSource
qemu: block: Drop code for 'vxhs' storage protocol
qemu.conf: Document options for VxHS block network protocol TLS config
as ignored
qemu: conf: Drop handling of 'vxhs' config options
qemu: Move logic from qemuProcessStartValidateShmem to
qemuValidateDomainDeviceDefShmem
qemu: Move checks for number of listening sockets of graphics to
validation code
qemuProcessStartValidateGraphics: Remove redundant checks for RDP
protocol features
qemuProcessStartValidateGraphics: Move RDP validation logic to
qemu_validate.c
src/qemu/libvirtd_qemu.aug | 2 +
src/qemu/qemu.conf.in | 42 +-----------
src/qemu/qemu_block.c | 41 +-----------
src/qemu/qemu_conf.c | 17 -----
src/qemu/qemu_conf.h | 4 --
src/qemu/qemu_domain.c | 112 +++++++++++++++----------------
src/qemu/qemu_process.c | 132 -------------------------------------
src/qemu/qemu_validate.c | 45 ++++++++++++-
tests/qemuxmlconftest.c | 4 --
tests/testutilsqemu.c | 2 -
10 files changed, 101 insertions(+), 300 deletions(-)
--
2.49.0
5 days, 6 hours
[PATCH v2 0/3] CH: Add support for a configuration file and log level configuration
by Stefan Kober
Similar to the qemu.conf file that allows QEMU specific configurations we add
the possibility to specify a ch.conf file for Cloud Hypervisor configuration.
The initial single config option is the log level, which sets the verbosity of
the Cloud Hypervisor process. This allows for simpler debugging when using
Cloud Hypervisor via libvirt.
Stefan Kober (3):
ch: Add config file support
ch: add log level configuration option
NEWS: ch: announce log_level config option
NEWS.rst | 5 +++++
src/ch/ch.conf | 11 ++++++++++
src/ch/ch_conf.c | 31 ++++++++++++++++++++++++++
src/ch/ch_conf.h | 18 +++++++++++++++
src/ch/ch_driver.c | 6 +++++
src/ch/ch_monitor.c | 6 +++++
src/ch/libvirtd_ch.aug | 40 ++++++++++++++++++++++++++++++++++
src/ch/meson.build | 12 ++++++++++
src/ch/test_libvirtd_ch.aug.in | 5 +++++
9 files changed, 134 insertions(+)
create mode 100644 src/ch/ch.conf
create mode 100644 src/ch/libvirtd_ch.aug
create mode 100644 src/ch/test_libvirtd_ch.aug.in
--
2.49.0
5 days, 7 hours
[PATCH v3 0/3] Disable Deprecated Features by Default on s390 CPU Models
by Collin Walling
Changelog
v3
- added qemu caps check to avoid breaking s390 guests trying to
default deprecated_features='off' on QEMU versions that
do not support reporting these features
v2
- changed behavior from disabling features on the host model to
instead flagging the guest CPU to disable deprecated features
- removed disabling deprecated features on host model in
virQEMUCapsInitCPUModelS390
- added flagging deprecated_feats in qemuProcessUpdateGuestCPU
- added tests for deprecated_features='on'
- split virQEMUCapsUpdateCPUDeprecatedFeatures update and
qemuProcessUpdateGuestCPU changes
The intention of reporting deprecated features and modifying the guest
CPU model was to alleviate the user from the burden of preparing a guest
with the necessary amendments to assure migration to newer hardware.
While that goal was met by way of the "deprecated_features='on|off'"
attribute, it still adds an extra step that the user must be aware to
prepare a guest for migration and the errors that stem from an
unsuccessful migration (due to feature incompatibility) is not always
clear how to resolve.
These patches make s390 CPU host models migration ready from the get-go
by disabling deprecated features by default. They may still be disabled
for other model types via the respective attribute, or reenabled if
desired.
Collin Walling (3):
qemu: caps: add virCPUFeaturePolicy param to
virQEMUCapsUpdateCPUDeprecatedFeatures
qemu: process: refactor deprecated features code
qemu: process: disable deprecated features for s390 models by default
src/qemu/qemu_capabilities.c | 6 ++--
src/qemu/qemu_capabilities.h | 3 +-
src/qemu/qemu_driver.c | 3 +-
src/qemu/qemu_process.c | 32 ++++++++++++++-----
...l-deprecated-features-on.s390x-latest.args | 32 +++++++++++++++++++
...el-deprecated-features-on.s390x-latest.xml | 25 +++++++++++++++
.../cpu-model-deprecated-features-on.xml | 15 +++++++++
...default-video-type-s390x.s390x-latest.args | 2 +-
...vfio-zpci-ccw-memballoon.s390x-latest.args | 2 +-
.../launch-security-s390-pv.s390x-latest.args | 2 +-
...t-cpu-kvm-ccw-virtio-4.2.s390x-latest.args | 2 +-
.../s390-defaultconsole.s390x-latest.args | 2 +-
.../s390-panic.s390x-latest.args | 2 +-
tests/qemuxmlconftest.c | 1 +
14 files changed, 110 insertions(+), 19 deletions(-)
create mode 100644 tests/qemuxmlconfdata/cpu-model-deprecated-features-on.s390x-latest.args
create mode 100644 tests/qemuxmlconfdata/cpu-model-deprecated-features-on.s390x-latest.xml
create mode 100644 tests/qemuxmlconfdata/cpu-model-deprecated-features-on.xml
--
2.47.1
5 days, 23 hours
[PATCH 0/4] qemu: Reflect support of floppy devices in capabilities XML
by Peter Krempa
Probe if qemu actually supports floppy controllers which can be compiled
out with custom configs and reflect that in the capability XML.
Peter Krempa (4):
qemu: domain: Introduce qemuDomainMachineSupportsFloppy
qemu: Move floppy device support validation to validation code
qemu: capabilities: Introduce QEMU_CAPS_BUS_FLOPPY
qemuDomainMachineSupportsFloppy: Check for QEMU_CAPS_BUS_FLOPPY
src/qemu/qemu_capabilities.c | 6 ++-
src/qemu/qemu_capabilities.h | 1 +
src/qemu/qemu_domain.c | 15 +++++++
src/qemu/qemu_domain.h | 4 ++
src/qemu/qemu_process.c | 8 ----
src/qemu/qemu_validate.c | 7 +++
.../qemu_10.0.0-virt.aarch64.xml | 2 -
tests/domaincapsdata/qemu_10.0.0.aarch64.xml | 2 -
tests/domaincapsdata/qemu_10.0.0.s390x.xml | 2 -
tests/domaincapsdata/qemu_8.1.0.s390x.xml | 2 -
.../qemu_8.2.0-tcg-virt.loongarch64.xml | 2 -
.../qemu_8.2.0-virt.aarch64.xml | 2 -
.../qemu_8.2.0-virt.loongarch64.xml | 2 -
tests/domaincapsdata/qemu_8.2.0.aarch64.xml | 2 -
tests/domaincapsdata/qemu_8.2.0.armv7l.xml | 2 -
tests/domaincapsdata/qemu_8.2.0.s390x.xml | 2 -
.../qemu_9.1.0-tcg-virt.riscv64.xml | 2 -
.../qemu_9.1.0-virt.riscv64.xml | 2 -
tests/domaincapsdata/qemu_9.1.0.s390x.xml | 2 -
.../qemu_9.2.0-hvf.aarch64+hvf.xml | 2 -
tests/domaincapsdata/qemu_9.2.0.s390x.xml | 2 -
.../caps_10.0.0_ppc64.xml | 1 +
.../caps_10.0.0_x86_64+amdsev.xml | 1 +
.../caps_10.0.0_x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_6.2.0_ppc64.xml | 1 +
.../caps_6.2.0_x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_7.0.0_ppc64.xml | 1 +
.../caps_7.0.0_x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_7.1.0_ppc64.xml | 1 +
.../caps_7.1.0_x86_64.xml | 1 +
tests/qemucapabilitiesdata/caps_7.2.0_ppc.xml | 1 +
.../caps_7.2.0_x86_64+hvf.xml | 1 +
.../caps_7.2.0_x86_64.xml | 1 +
.../caps_8.0.0_x86_64.xml | 1 +
.../caps_8.1.0_x86_64.xml | 1 +
.../caps_8.2.0_x86_64.xml | 1 +
.../qemucapabilitiesdata/caps_9.0.0_sparc.xml | 1 +
.../caps_9.0.0_x86_64.xml | 1 +
.../caps_9.1.0_x86_64.xml | 1 +
.../caps_9.2.0_x86_64+amdsev.xml | 1 +
.../caps_9.2.0_x86_64.xml | 1 +
.../disk-floppy-pseries.ppc64-latest.err | 2 +-
.../disk-floppy-pseries.ppc64-latest.xml | 44 -------------------
tests/qemuxmlconftest.c | 2 +-
44 files changed, 53 insertions(+), 86 deletions(-)
delete mode 100644 tests/qemuxmlconfdata/disk-floppy-pseries.ppc64-latest.xml
--
2.49.0
6 days, 1 hour
[PATCH 0/2] network: support NAT networking for FreeBSD/pf
by Roman Bogorodskiy
This series implements NAT networks support for FreeBSD using the Packet
Filter (pf) firewall.
The commit messages provide high-level details and limitations of the
current implementation, and I'll use this cover letter to provide some
more technical details and describe testing I have performed for this
change.
Libvirt FreeBSD/pf NAT testing
For two networks:
virsh # net-dumpxml default
<network>
<name>default</name>
<uuid>68cd5419-9fda-4cf0-9ac6-2eb9c1ba41ed</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr0' stp='on' delay='0'/>
<mac address='52:54:00:db:0e:e5'/>
<ip address='192.168.122.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.122.2' end='192.168.122.254'/>
</dhcp>
</ip>
</network>
virsh # net-dumpxml natnet
<network>
<name>natnet</name>
<uuid>d3c59659-3ceb-4482-a625-1f839a54429c</uuid>
<forward mode='nat'>
<nat>
<port start='1024' end='65535'/>
</nat>
</forward>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:0a:fc:1d'/>
<ip address='10.0.100.1' netmask='255.255.255.0'>
<dhcp>
<range start='10.0.100.2' end='10.0.100.254'/>
</dhcp>
</ip>
</network>
virsh #
The following rules are generated:
$ sudo pfctl -a '*' -sn
nat-anchor "libvirt/*" all {
nat-anchor "default" all {
nat pass on re0 inet from 192.168.122.0/24 to <natdst> -> (re0) port
1024:65535 round-robin
}
nat-anchor "natnet" all {
nat pass on re0 inet from 10.0.100.0/24 to <natdst> -> (re0) port
1024:65535 round-robin
}
}
$
$ sudo pfctl -a 'libvirt/default' -t natdst -T show
0.0.0.0/0
!192.168.122.0/24
!224.0.0.0/24
!255.255.255.255
$ sudo pfctl -a 'libvirt/natnet' -t natdst -T show
0.0.0.0/0
!10.0.100.0/24
!224.0.0.0/24
!255.255.255.255
$
$ sudo pfctl -a '*' -sr
scrub all fragment reassemble
anchor "libvirt/*" all {
anchor "default" all {
pass quick on virbr0 inet from 192.168.122.0/24 to 192.168.122.0/24
flags S/SA keep state
pass quick on virbr0 inet from 192.168.122.0/24 to 224.0.0.0/24
flags S/SA keep state
pass quick on virbr0 inet from 192.168.122.0/24 to 255.255.255.255
flags S/SA keep state
block drop on virbr0 all
}
anchor "natnet" all {
pass quick on virbr1 inet from 10.0.100.0/24 to 10.0.100.0/24 flags
S/SA keep state
pass quick on virbr1 inet from 10.0.100.0/24 to 224.0.0.0/24 flags
S/SA keep state
pass quick on virbr1 inet from 10.0.100.0/24 to 255.255.255.255
flags S/SA keep state
block drop on virbr1 all
}
}
pass all flags S/SA keep state
$
Create two guests attached to the "default" network, vmA and vmB.
vmA $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:67:eb:de brd ff:ff:ff:ff:ff:ff
inet 192.168.122.92/24 brd 192.168.122.255 scope global dynamic noprefixroute enp0s4
valid_lft 1082sec preferred_lft 1082sec
inet6 fe80::5054:ff:fe67:ebde/64 scope link noprefixroute
valid_lft forever preferred_lft forever
vmA $
vmB $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp0s4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:d2:8b:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.154/24 metric 100 brd 192.168.122.255 scope global dynamic enp0s4
valid_lft 1040sec preferred_lft 1040sec
inet6 fe80::5054:ff:fed2:8b41/64 scope link
valid_lft forever preferred_lft forever
vmB $
Test NAT rules:
vmA $ ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=14.7 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=10.7 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=10.1 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2006ms
rtt min/avg/max/mdev = 10.099/11.835/14.710/2.047 ms
vmA $
vmB $ ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=15.1 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=11.0 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=57 time=10.4 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2006ms
rtt min/avg/max/mdev = 10.434/12.198/15.113/2.075 ms
vmB $
vmA $ curl wttr.in/?0Q
Fog
_ - _ - _ - +4(1) °C
_ - _ - _ ↙ 11 km/h
_ - _ - _ - 0 km
0.0 mm
vmA $
vmB $ curl wttr.in/?0Q
Fog
_ - _ - _ - +4(1) °C
_ - _ - _ ↙ 11 km/h
_ - _ - _ - 0 km
0.0 mm
vmB $
Inter-VM connectivity:
vmA $ ping -c 3 192.168.122.154
PING 192.168.122.154 (192.168.122.154) 56(84) bytes of data.
64 bytes from 192.168.122.154: icmp_seq=1 ttl=64 time=0.253 ms
64 bytes from 192.168.122.154: icmp_seq=2 ttl=64 time=0.226 ms
64 bytes from 192.168.122.154: icmp_seq=3 ttl=64 time=0.269 ms
--- 192.168.122.154 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2042ms
rtt min/avg/max/mdev = 0.226/0.249/0.269/0.017 ms
vmA $
vmA $ ssh 192.168.122.154 uname
novel(a)192.168.122.154's password:
Linux
vmA $
Multicast test:
vmA $ iperf -s -u -B 224.0.0.1 -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Joining multicast group 224.0.0.1
Server set to single client traffic mode (per multicast receive)
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 1] local 224.0.0.1 port 5001 connected with 192.168.122.154 port
36963
[ ID] Interval Transfer Bandwidth Jitter Lost/Total
Datagrams
[ 1] 0.00-1.00 sec 131 KBytes 1.07 Mbits/sec 0.030 ms 0/91 (0%)
[ 1] 1.00-2.00 sec 128 KBytes 1.05 Mbits/sec 0.022 ms 0/89 (0%)
[ 1] 2.00-3.00 sec 128 KBytes 1.05 Mbits/sec 0.021 ms 0/89 (0%)
[ 1] 0.00-3.02 sec 389 KBytes 1.06 Mbits/sec 0.026 ms 0/271 (0%)
vmB $ iperf -c 224.0.0.1 -u -T 32 -t 3 -i 1
------------------------------------------------------------
Client connecting to 224.0.0.1, UDP port 5001
Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust)
UDP buffer size: 208 KByte (default)
------------------------------------------------------------
[ 1] local 192.168.122.154 port 36963 connected with 224.0.0.1 port
5001
[ ID] Interval Transfer Bandwidth
[ 1] 0.0000-1.0000 sec 131 KBytes 1.07 Mbits/sec
[ 1] 1.0000-2.0000 sec 128 KBytes 1.05 Mbits/sec
[ 1] 2.0000-3.0000 sec 128 KBytes 1.05 Mbits/sec
[ 1] 0.0000-3.0173 sec 389 KBytes 1.06 Mbits/sec
[ 1] Sent 272 datagrams
vmB $
Broadcast test:
vmA $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0
net.ipv4.icmp_echo_ignore_broadcasts = 0
vmA $
vmB $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=0
net.ipv4.icmp_echo_ignore_broadcasts = 0
vmB $
host $ ping 192.168.122.255
PING 192.168.122.255 (192.168.122.255): 56 data bytes
64 bytes from 192.168.122.154: icmp_seq=0 ttl=64 time=0.199 ms
64 bytes from 192.168.122.92: icmp_seq=0 ttl=64 time=0.227 ms (DUP!)
64 bytes from 192.168.122.154: icmp_seq=1 ttl=64 time=0.209 ms
64 bytes from 192.168.122.92: icmp_seq=1 ttl=64 time=0.235 ms (DUP!)
^C
--- 192.168.122.255 ping statistics ---
2 packets transmitted, 2 packets received, +2 duplicates, 0.0% packet
loss
round-trip min/avg/max/stddev = 0.199/0.218/0.235/0.014 ms
This testing does not cover any negative scenarios which are probably
not that important at this point.
Roman Bogorodskiy (2):
network: bridge_driver: add BSD implementation
network: introduce Packet Filter firewall backend
meson.build | 2 +
po/POTFILES | 2 +
src/network/bridge_driver_bsd.c | 107 +++++++++
src/network/bridge_driver_conf.c | 8 +
src/network/bridge_driver_linux.c | 2 +
src/network/bridge_driver_platform.c | 2 +
src/network/meson.build | 1 +
src/network/network_pf.c | 327 +++++++++++++++++++++++++++
src/network/network_pf.h | 26 +++
src/util/virfirewall.c | 4 +-
src/util/virfirewall.h | 2 +
11 files changed, 482 insertions(+), 1 deletion(-)
create mode 100644 src/network/bridge_driver_bsd.c
create mode 100644 src/network/network_pf.c
create mode 100644 src/network/network_pf.h
--
2.49.0
6 days, 4 hours
