- Devel - libvirt List Archives

[libvirt] [PATCH] datatypes: fix comment typo
by Eric Blake 12 May '10

12 May '10

* src/datatypes.c: Use correct word. --- Pushing under the trivial rule. src/datatypes.c | 18 +++++++++--------- 1 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/datatypes.c b/src/datatypes.c index 25962a6..88ad695 100644 --- a/src/datatypes.c +++ b/src/datatypes.c @@ -350,7 +350,7 @@ virGetDomain(virConnectPtr conn, const char *name, const unsigned char *uuid) { } virMutexLock(&conn->lock); - /* TODO search by UUID first as they are better differenciators */ + /* TODO search by UUID first as they are better differentiators */ ret = (virDomainPtr) virHashLookup(conn->domains, name); /* TODO check the UUID */ @@ -413,7 +413,7 @@ virReleaseDomain(virDomainPtr domain) { virConnectPtr conn = domain->conn; DEBUG("release domain %p %s", domain, domain->name); - /* TODO search by UUID first as they are better differenciators */ + /* TODO search by UUID first as they are better differentiators */ if (virHashRemoveEntry(conn->domains, domain->name, NULL) < 0) { virMutexUnlock(&conn->lock); virLibConnError(VIR_ERR_INTERNAL_ERROR, "%s", @@ -495,7 +495,7 @@ virGetNetwork(virConnectPtr conn, const char *name, const unsigned char *uuid) { } virMutexLock(&conn->lock); - /* TODO search by UUID first as they are better differenciators */ + /* TODO search by UUID first as they are better differentiators */ ret = (virNetworkPtr) virHashLookup(conn->networks, name); /* TODO check the UUID */ @@ -553,7 +553,7 @@ virReleaseNetwork(virNetworkPtr network) { virConnectPtr conn = network->conn; DEBUG("release network %p %s", network, network->name); - /* TODO search by UUID first as they are better differenciators */ + /* TODO search by UUID first as they are better differentiators */ if (virHashRemoveEntry(conn->networks, network->name, NULL) < 0) { virMutexUnlock(&conn->lock); virLibConnError(VIR_ERR_INTERNAL_ERROR, "%s", @@ -815,7 +815,7 @@ virGetStoragePool(virConnectPtr conn, const char *name, const unsigned char *uui } virMutexLock(&conn->lock); - /* TODO search by UUID first as they are better differenciators */ + /* TODO search by UUID first as they are better differentiators */ ret = (virStoragePoolPtr) virHashLookup(conn->storagePools, name); /* TODO check the UUID */ @@ -874,7 +874,7 @@ virReleaseStoragePool(virStoragePoolPtr pool) { virConnectPtr conn = pool->conn; DEBUG("release pool %p %s", pool, pool->name); - /* TODO search by UUID first as they are better differenciators */ + /* TODO search by UUID first as they are better differentiators */ if (virHashRemoveEntry(conn->storagePools, pool->name, NULL) < 0) { virMutexUnlock(&conn->lock); virLibConnError(VIR_ERR_INTERNAL_ERROR, "%s", @@ -1022,7 +1022,7 @@ virReleaseStorageVol(virStorageVolPtr vol) { virConnectPtr conn = vol->conn; DEBUG("release vol %p %s", vol, vol->name); - /* TODO search by UUID first as they are better differenciators */ + /* TODO search by UUID first as they are better differentiators */ if (virHashRemoveEntry(conn->storageVols, vol->key, NULL) < 0) { virMutexUnlock(&conn->lock); virLibConnError(VIR_ERR_INTERNAL_ERROR, "%s", @@ -1428,7 +1428,7 @@ virGetNWFilter(virConnectPtr conn, const char *name, const unsigned char *uuid) } virMutexLock(&conn->lock); - /* TODO search by UUID first as they are better differenciators */ + /* TODO search by UUID first as they are better differentiators */ ret = (virNWFilterPtr) virHashLookup(conn->nwfilterPools, name); /* TODO check the UUID */ @@ -1487,7 +1487,7 @@ virReleaseNWFilterPool(virNWFilterPtr pool) { virConnectPtr conn = pool->conn; DEBUG("release pool %p %s", pool, pool->name); - /* TODO search by UUID first as they are better differenciators */ + /* TODO search by UUID first as they are better differentiators */ if (virHashRemoveEntry(conn->nwfilterPools, pool->name, NULL) < 0) { virMutexUnlock(&conn->lock); virLibConnError(VIR_ERR_INTERNAL_ERROR, "%s", -- 1.7.0.1

1 0

[libvirt] [Reminder] KVM Forum 2010: Call for Papers
by KVM Forum 2010 Program Committee 12 May '10

12 May '10

Just a reminder...The submission deadline is in two days. thanks, -KVM Forum 2010 Program Commitee -- ================================================================= CALL FOR PAPERS KVM Forum 2010 ================================================================= DESCRIPTION The KVM Forum is back! After a break last year we're proud to present this year's gathering around KVM again. The idea is to have everyone involved with KVM development come together to talk about the future and current state of KVM, teaching everyone some pieces of the puzzle they might be missing without. So if you're a KVM developer, mark the dates in your calendar! If possible, also submit a talk -- we're interested in a wide variety of KVM topics, so don't hesitate to propose a talk on your work. If you're not a KVM developer, please read on nevertheless (or jump to END USER COLLABORATION). DATES / LOCATION Conference: August 9 - 10, 2010 Location: Renaissance Boston Waterfront in Boston, MA Abstracts due: May 14th, 2010 Notification: May 28th, 2010 Yes, we're colocated with LinuxCon. Tickets for the KVM Forum also count for LinuxCon. http://events.linuxfoundation.org/component/registrationpro/?func=details&d… PROCESS At first check if it's before May 14th. If you're past that date, you're out of luck. Now try to think hard and come up with a great idea that you could talk about. Once you have that set, we need you to write up a short abstract (~150 words) on it. In your submission please note how long your talk will take. Slots vary in length up to one hour. Also include in your proposal the proposal type -- one of: technical talk, breakout session, or end-user talk. Add that information to the abstract and submit it at the following URL: http://events.linuxfoundation.org/cfp/cfp-add Now, wait until May 24th. You will receive a notification on whether your talk was accepted or not. SCOPE OF TALKS We have a list of suggested presentation topics below. These suggestions are just for guidance, please feel free to submit a proposal on any of these or related topics. In general, the more it's about backend infrastructure, the better. KVM - Scaling and performance - Nested virtualization - I/O improvements - Driver domains - Time keeping - Memory management (page sharing, swapping, huge pages, etc) - Fault tolerance - VEPA, vswitch Embedded KVM - KVM on ARM, PPC, MIPS, ...? - Real-time requirements host/guest - Device pass-through w/o iommu - Custom device/platform models QEMU - Device model improvements - New devices - Security model - Scaling and performance - Desktop virtualization - Increasing robustness - Management interfaces - QMP protocol and implementation - Live migration Virtio - Speeding up existing devices - Vhost - Alternatives - Using virtio in non-kvm environments - Virtio on non-Linux Management infrastructure - Libvirt - Kvm autotest - Easy networking - Qemud BREAKOUT SESSION We will reserve some time each day to break out for working sessions. These sessions will be less formal than a presentation and more focused on developing a solution to some real development issue. If you are interested in getting developers together to hack on some code, submit your proposal and just make it clear it's a breakout session proposal. END-USER COLLABORATION One of the big challenges as developers is to know what, where and how people actually use our software. To solve this issue at least a little, there will be a few slots reserved for end users talking about their deployments, problems and achievements. So if you have a KVM based deployment running in production or are about to roll out one, please also submit a talk (see PROCESS), and simply mark it asn an end-user collaboration proposal. We would love to have an open discussion of fields where KVM/Qemu can still improve and you would have the unique chance to steer that process! Keep in mind that most of the Forum will be focused on development though, so we suggest you also come with a good portion of technical interest :-). And of course, no product marketing please! The purpose is to engage with KVM developers. LIGHTNING TALKS In addition to submitted talks we will also have some room for lightning talks. So if you have something you think might be done until the KVM Forum, but you're not sure you could fill 15 minutes with it. Or if you don't know if you'll make it until there, just keep in mind that you will still get the chance to talk about it. Lightning talk submissions and scheduling will be handled on-site at KVM Forum. Thank you for your interest in KVM. We're looking forward to your submissions and seeing you at the KVM Forum 2010 in August! Now, start thinking about that talk you want to give. Thanks, your KVM Forum 2010 Program Commitee Alexander Graf, Novell Anthony Liguori, IBM Avi Kivity, Red Hat Chris Wright, Red Hat Dor Laor, Red Hat Jan Kiszka, Siemens Please contact us with any questions or comments. KVM-Forum-2010-PC(a)redhat.com

1 0

[libvirt] [PATCH 0/2] Fix hang during concurrent guest migrations
by jdenemar＠redhat.com 12 May '10

12 May '10

From: Jiri Denemark <jdenemar(a)redhat.com> As described in https://bugzilla.redhat.com/show_bug.cgi?id=582278 libvirt may hang during concurrent P2P migration of several KVM guests. These two patches fix that for me. Hopefully the fix will be confirmed by the reporter. Jirka Jiri Denemark (2): Remove watches before calling REMOTE_PROC_CLOSE Fix monitor ref counting when adding event handle src/qemu/qemu_monitor.c | 11 ++++++++++- src/remote/remote_driver.c | 10 +++++----- 2 files changed, 15 insertions(+), 6 deletions(-)

5 10

[libvirt] [RFC PATCH 0/3+] cleanup __FUNCTION__ usage
by Eric Blake 12 May '10

12 May '10

Posting as an RFC, since this patch series could be extended to do a lot more cleanups - I don't want to do the extra work unless we agree that this is worthwhile. See each patch for more comments. [RFC PATCH 1/3] build: use gnulib func module [PATCH 2/3] datatypes: avoid redundant __FUNCTION__ [RFC PATCH 3/3] libvirt: convert virLibNetworkError to avoid __FUNCTION__ bootstrap.conf | 1 + src/datatypes.c | 36 ++++++++++++++++++------------------ src/libvirt.c | 52 +++++++++++++++++++++++++++------------------------- 3 files changed, 46 insertions(+), 43 deletions(-)

4 6

[libvirt] [PATCH] tests: Test for nwfilter
by Stefan Berger 12 May '10

12 May '10

This is a repost of a previously posted patch. Attached is a test for automatic testing of of the nwfilter rules as the are instantiated in form of ebtables, iptables and ip6tables rules on running VMs. The test automatically starts libvirtd from the build directory unless it finds libvirtd running. My hope is that one won't notice this. It uses virsh from the build directory to create two dummy VMs with random name suffixes. The VMs don't boot any OS but just stop in the BIOS. This is enough to run the nwfilter tests. Afterwards the nwfilter of the one VM are continuously modified and the instantiation is checked. The instantiation of rules of the 2nd VM are also continously checked to verify that the modifications on the 1st VM has had no effect on the instantiated rules of the 2nd VM. The test has a couple of command line options. Run it as follows nwfilter2vmtest.sh --noattach --libvirt-test to get the expected libvirt test suite output: TEST: nwfilter2vmtest.sh ........................................ 40 [...] ..................... 821 OK nwfilter2vmtest.sh --noattach --verbose to get lots of this kind of output: PASS nwfilterxml2xmlin/ah-ipv6-test.xml : ip6tables -L FI-testvm8328 -n PASS nwfilterxml2xmlin/ah-ipv6-test.xml : ip6tables -L FO-testvm8328 -n [...] My installation currently has problems with attaching interfaces to VMs, so I have to use the --noattach option to avoid tests on interface attachments (ymmv). Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- tests/nwfilter2vmtest.sh | 461 ++++++++++++++++++ tests/nwfilterxml2fwallout/ah-ipv6-test.fwall | 28 + tests/nwfilterxml2fwallout/ah-test.fwall | 26 + tests/nwfilterxml2fwallout/all-ipv6-test.fwall | 28 + tests/nwfilterxml2fwallout/all-test.fwall | 26 + tests/nwfilterxml2fwallout/arp-test.fwall | 9 tests/nwfilterxml2fwallout/conntrack-test.fwall | 24 tests/nwfilterxml2fwallout/esp-ipv6-test.fwall | 28 + tests/nwfilterxml2fwallout/esp-test.fwall | 26 + tests/nwfilterxml2fwallout/hex-data-test.fwall | 68 ++ tests/nwfilterxml2fwallout/icmp-direction-test.fwall | 23 tests/nwfilterxml2fwallout/icmp-direction2-test.fwall | 23 tests/nwfilterxml2fwallout/icmp-direction3-test.fwall | 23 tests/nwfilterxml2fwallout/icmp-test.fwall | 23 tests/nwfilterxml2fwallout/icmpv6-test.fwall | 26 + tests/nwfilterxml2fwallout/igmp-test.fwall | 26 + tests/nwfilterxml2fwallout/ip-test.fwall | 12 tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall | 19 tests/nwfilterxml2fwallout/ipv6-test.fwall | 13 tests/nwfilterxml2fwallout/mac-test.fwall | 12 tests/nwfilterxml2fwallout/rarp-test.fwall | 9 tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall | 28 + tests/nwfilterxml2fwallout/sctp-ipv6-test.xml | 29 + tests/nwfilterxml2fwallout/sctp-test.fwall | 26 + tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall | 28 + tests/nwfilterxml2fwallout/tcp-test.fwall | 26 + tests/nwfilterxml2fwallout/testvm.fwall.dat | 73 ++ tests/nwfilterxml2fwallout/udp-ipv6-test.fwall | 28 + tests/nwfilterxml2fwallout/udp-ipv6-test.xml | 29 + tests/nwfilterxml2fwallout/udp-test.fwall | 26 + tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall | 28 + tests/nwfilterxml2fwallout/udplite-test.fwall | 26 + 32 files changed, 1280 insertions(+) Index: libvirt-acl/tests/nwfilterxml2fwallout/arp-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/arp-test.fwall @@ -0,0 +1,9 @@ +#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT +-p ARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT +-p ARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT +-p ARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT +-p ARP -s 1:2:3:4:5:6 -j ACCEPT +#ebtables -t nat -L PREROUTING | grep vnet0 +-i vnet0 -j libvirt-I-vnet0 + Index: libvirt-acl/tests/nwfilterxml2fwallout/mac-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/mac-test.fwall @@ -0,0 +1,12 @@ +#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" +-i vnet0 -j libvirt-I-vnet0 +#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" +-o vnet0 -j libvirt-O-vnet0 +#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p ARP -s 1:2:3:4:5:6 -j ACCEPT +#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT +-p 0x600 -d aa:bb:cc:dd:ee:ff -j ACCEPT +-d aa:bb:cc:dd:ee:ff -j ACCEPT +-p 0xffff -d aa:bb:cc:dd:ee:ff -j ACCEPT + Index: libvirt-acl/tests/nwfilterxml2fwallout/ip-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/ip-test.fwall @@ -0,0 +1,12 @@ +#ebtables -t nat -L PREROUTING | grep vnet0 +-i vnet0 -j libvirt-I-vnet0 +#ebtables -t nat -L POSTROUTING | grep vnet0 +-o vnet0 -j libvirt-O-vnet0 +#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-proto udp --ip-sport 20:22 --ip-dport 100:101 -j ACCEPT +-p IPv4 --ip-src 10.1.0.0/17 --ip-dst 10.1.2.0/24 --ip-tos 0x3F --ip-proto udp -j ACCEPT +-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.3 -j ACCEPT +#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-proto 255 -j ACCEPT +-p IPv4 --ip-src 10.1.2.3 --ip-dst 10.1.2.2/31 -j ACCEPT + Index: libvirt-acl/tests/nwfilterxml2fwallout/ipv6-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/ipv6-test.fwall @@ -0,0 +1,13 @@ +#ebtables -t nat -L PREROUTING | grep vnet0 +-i vnet0 -j libvirt-I-vnet0 +#ebtables -t nat -L POSTROUTING | grep vnet0 +-o vnet0 -j libvirt-O-vnet0 +#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT +-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT +-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT +-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT +#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT +-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT +-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-test.fwall @@ -0,0 +1,26 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21 +RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED +ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 +ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21 +ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/tcp-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/tcp-test.fwall @@ -0,0 +1,26 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21 +RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535 dpts:255:256 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED +ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 +ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21 +ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535 dpts:255:256 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/udp-test.fwall @@ -0,0 +1,26 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21 +RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21 +ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall @@ -0,0 +1,28 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21 +RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED +ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 +ACCEPT tcp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21 +ACCEPT tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/all-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/all-test.fwall @@ -0,0 +1,26 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED +ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-test.fwall @@ -0,0 +1,23 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED +RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 +ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 +ACCEPT icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/igmp-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/igmp-test.fwall @@ -0,0 +1,26 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED +ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/icmpv6-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/icmpv6-test.fwall @@ -0,0 +1,26 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED +RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT icmpv6 a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 +ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 +ACCEPT icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 + Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.xml @@ -0,0 +1,29 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 +RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED +ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 +ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 +ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256 + +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.xml @@ -0,0 +1,29 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21 +RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED +ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 +ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21 +ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256 + +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/ah-ipv6-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/ah-ipv6-test.fwall @@ -0,0 +1,28 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN ah ::/0 a:b:c::/128 DSCP match 0x21 +RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED +ACCEPT ah a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +ACCEPT ah ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT ah ::/0 a:b:c::/128 DSCP match 0x21 +ACCEPT ah ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/ah-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/ah-test.fwall @@ -0,0 +1,26 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED +ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/all-ipv6-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/all-ipv6-test.fwall @@ -0,0 +1,28 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN all ::/0 a:b:c::/128 DSCP match 0x21 +RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED +ACCEPT all a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +ACCEPT all ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT all ::/0 a:b:c::/128 DSCP match 0x21 +ACCEPT all ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/esp-ipv6-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/esp-ipv6-test.fwall @@ -0,0 +1,28 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN esp ::/0 a:b:c::/128 DSCP match 0x21 +RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED +ACCEPT esp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +ACCEPT esp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT esp ::/0 a:b:c::/128 DSCP match 0x21 +ACCEPT esp ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/esp-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/esp-test.fwall @@ -0,0 +1,26 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED +ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall @@ -0,0 +1,28 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21 +RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED +ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 +ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21 +ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.fwall @@ -0,0 +1,28 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 +RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED +ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 +ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 +ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall @@ -0,0 +1,28 @@ +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21 +RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED +ACCEPT udplite a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +ACCEPT udplite ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT udplite ::/0 a:b:c::/128 DSCP match 0x21 +ACCEPT udplite ::/0 ::10.1.2.3/128 DSCP match 0x21 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/udplite-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/udplite-test.fwall @@ -0,0 +1,26 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED +RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED +ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02 +ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall @@ -0,0 +1,19 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC ! 12:34:56:78:9A:BC +DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC ! AA:AA:AA:AA:AA:AA +#iptables -L HI-vnet0 +Chain HI-vnet0 (1 references) +target prot opt source destination +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction-test.fwall @@ -0,0 +1,23 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED +DROP icmp -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 +DROP icmp -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 +DROP icmp -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction2-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction2-test.fwall @@ -0,0 +1,23 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW,ESTABLISHED +DROP icmp -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 +DROP icmp -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 +DROP icmp -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction3-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction3-test.fwall @@ -0,0 +1,23 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED +DROP all -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED +DROP all -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 +DROP all -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/conntrack-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/conntrack-test.fwall @@ -0,0 +1,24 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1 +DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2 +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1 +DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilterxml2fwallout/rarp-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/rarp-test.fwall @@ -0,0 +1,9 @@ +#ebtables -t nat -L libvirt-I-vnet0 | sed s/0x8035/RARP/g | grep -v "^Bridge" | grep -v "^$" +-p RARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT +-p RARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT +-p RARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT +-p RARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT +-p RARP -s 1:2:3:4:5:6 -j ACCEPT +#ebtables -t nat -L PREROUTING | grep vnet0 +-i vnet0 -j libvirt-I-vnet0 + Index: libvirt-acl/tests/nwfilterxml2fwallout/hex-data-test.fwall =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/hex-data-test.fwall @@ -0,0 +1,68 @@ +#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" +-i vnet0 -j libvirt-I-vnet0 +#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" +-o vnet0 -j libvirt-O-vnet0 +#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT +-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT +-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT +#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p 0x1234 -j ACCEPT +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 +#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 +#ip6tables -L INPUT -n --line-numbers | grep libvirt +1 libvirt-host-in all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 Index: libvirt-acl/tests/nwfilter2vmtest.sh =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilter2vmtest.sh @@ -0,0 +1,459 @@ +#!/bin/bash + +ORIG_IFNAME="vnet0" +TESTFILTERNAME="nwfiltertestfilter" + +LIBVIRTD=`type -P ${PWD}/../daemon/libvirtd` +VIRSH=`type -P ${PWD}/../tools/virsh` +LD_LIBRARY_PATH="${PWD}../src/.libs/" + +# Maybe no libvirtd was built +[ -z ${LIBVIRTD} ] && exit 0; + +FLAG_WAIT="$((1<<0))" +FLAG_ATTACH="$((1<<1))" +FLAG_VERBOSE="$((1<<2))" +FLAG_LIBVIRT_TEST="$((1<<3))" + +failctr=0 +passctr=0 +attachfailctr=0 +attachctr=0 + +function usage() { + local cmd="$0" +cat <<EOF +Usage: ${cmd} [--help|-h|-?] [--noattach] [--wait] [--verbose] + [--libvirt-test] + +Options: + --help,-h,-? : Display this help screen. + --noattach : Skip tests that attach and detach a network interface + --wait : Wait for the user to press the enter key once an error + was detected + --verbose : Verbose output + --libvirt-test : Use the libvirt test output format + +This test will create two virtual machines. The one virtual machine +will use a filter called '${TESTFILTERNAME}', and reference the filter +'clean-traffic' which should be available by default with every install. +The other virtual machine will reference the filter 'testcase' and will +have its filter permanently updated. +EOF +} + + +# A wrapper for mktemp in case it does not exist +# Echos the name of a temporary file. +function mktmpfile() { + local tmp + type -P mktemp > /dev/null + if [ $? -eq 0 ]; then + tmp=$(mktemp -t nwfvmtest.XXXXXX) + echo ${tmp} + else + while :; do + tmp="/tmp/nwfvmtest.${RANDOM}" + if [ ! -f ${tmp} ]; then + touch ${tmp} + chmod 666 ${tmp} + echo ${tmp} + break + fi + done + fi + return 0 +} + + +function checkExpectedOutput() { + local xmlfile="$1" + local fwallfile="$2" + local ifname="$3" + local flags="$4" + local skipregex="$5" + local regex="s/${ORIG_IFNAME}/${ifname}/g" + local cmd line tmpfile tmpfile2 skip + + tmpfile=`mktmpfile` + tmpfile2=`mktmpfile` + + exec 4<${fwallfile} + + read <&4 + line="${REPLY}" + + while [ "x${line}x" != "xx" ]; do + cmd=`echo ${line##\#} | sed ${regex}` + + skip=0 + if [ "x${skipregex}x" != "xx" ]; then + skip=`echo ${cmd} | grep -c -E ${skipregex}` + fi + + eval ${cmd} 2>&1 | tee ${tmpfile} 1>/dev/null + + rm ${tmpfile2} 2>/dev/null + touch ${tmpfile2} + + while [ 1 ]; do + read <&4 + line="${REPLY}" + + if [ "${line:0:1}" == "#" ] || [ "x${line}x" == "xx" ]; then + + if [ ${skip} -ne 0 ]; then + break + fi + + diff ${tmpfile} ${tmpfile2} >/dev/null + + if [ $? -ne 0 ]; then + echo "FAIL ${xmlfile} : ${cmd}" + diff ${tmpfile} ${tmpfile2} + ((failctr++)) + if [ $((flags & FLAG_WAIT)) -ne 0 ]; then + echo "tmp files: $tmpfile, $tmpfile2" + echo "Press enter" + read + fi + [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \ + test_result $((passctr+failctr)) "" 1 + else + ((passctr++)) + [ $((flags & FLAG_VERBOSE)) -ne 0 ] && \ + echo "PASS ${xmlfile} : ${cmd}" + [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \ + test_result $((passctr+failctr)) "" 0 + fi + + break; + + fi + echo "${line}" | sed ${regex} >> ${tmpfile2} + done + done + + exec 4>&- + + rm -rf "${tmpfile}" "${tmpfile2}" 2>/dev/null +} + + +function doTest() { + local xmlfile="$1" + local fwallfile="$2" + local vm1name="$3" + local vm2name="$4" + local flags="$5" + local linenums ctr=0 + local tmpfile b msg rc + + if [ ! -r "${xmlfile}" ]; then + echo "FAIL : Cannot access filter XML file ${xmlfile}." + return 1 + fi + + ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null + + checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" "${flags}" \ + "" + + checkExpectedOutput "${TESTFILTERNAME}" "nwfilterxml2fwallout/testvm.fwall.dat" \ + "${vm2name}" "${flags}" "" + + if [ $((flags & FLAG_ATTACH)) -ne 0 ]; then + + tmpfile=`mktmpfile` + + b=`{ ${VIRSH} dumpxml ${vm1name} | tr -d "\n"; echo; } | \ + sed "s/.*\<interface.*source bridge='$[a-zA-Z0-9_]\+$'.*<\/interface>.*/\1/"` + + cat >>${tmpfile} <<EOF +<interface type='bridge'> + <source bridge='${b}'/> + <mac address='52:54:00:11:22:33'/> + <target dev='attach0'/> + <filterref filter='testcase'/> +</interface> +EOF + msg=`${VIRSH} attach-device "${vm1name}" "${tmpfile}" > /dev/null` + rc=$? + + ((attachctr++)) + + if [ $rc -eq 0 ]; then + checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" \ + "${flags}" "(PRE|POST)ROUTING" + msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"` + if [ $? -ne 0 ]; then + echo "FAIL: Detach of interface failed." + fi + else + ((attachfailctr++)) + if [ $((flags & FLAG_VERBOSE)) -ne 0 ]; then + echo "FAIL: Could not attach interface to vm ${vm1name}." + if [ $((flags & FLAG_WAIT)) -ne 0 ]; then + echo "Press enter" + read + fi + fi + fi + + rm -rf ${tmpfile} + fi + + return 0 +} + + +function runTests() { + local vm1name="$1" + local vm2name="$2" + local xmldir="$3" + local fwalldir="$4" + local flags="$5" + local fwallfiles f + + pushd ${PWD} > /dev/null + cd ${fwalldir} + fwallfiles=`ls *.fwall` + popd > /dev/null + + for fil in ${fwallfiles}; do + f=${fil%%.fwall} + doTest "${xmldir}/${f}.xml" "${fwalldir}/${fil}" "${vm1name}" \ + "${vm2name}" "${flags}" + done + + if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then + test_final $((passctr+failctr)) $failctr + else + echo "" + echo "Summary: ${failctr} failures, ${passctr} passes," + if [ ${attachctr} -ne 0 ]; then + echo " ${attachfailctr} interface attachment failures with ${attachctr} attempts" + fi + fi +} + + +function createVM() { + local vmname="$1" + local filtername="$2" + local ipaddr="$3" + local macaddr="$4" + local flags="$5" + local res + local tmpfile='mktmpfile' + + cat > ${tmpfile} << EOF + <domain type='kvm'> + <name>${vmname}</name> + <memory>131072</memory> + <currentMemory>131072</currentMemory> + <vcpu>1</vcpu> + <os> + <type arch='x86_64' machine='fedora-13'>hvm</type> + <boot dev='hd'/> + </os> + <features> + <acpi/> + <apic/> + </features> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu-kvm</emulator> + <interface type='bridge'> + <mac address='${macaddr}'/> + <source bridge='virbr0'/> + <filterref filter='${filtername}'> + <parameter name='IP' value='${ipaddr}'/> + </filterref> + <target dev='${vmname}'/> + </interface> + <console type='pty'> + </console> + <input type='mouse' bus='ps2'/> + <graphics type='vnc' port='-1' autoport='yes'/> + </devices> + </domain> +EOF + + res=$(${VIRSH} define ${tmpfile}) + if [ $? -ne 0 ]; then + echo "Could not define VM ${vmname} : ${res}" + return 1 + fi + + res=$(${VIRSH} start ${vmname}) + if [ $? -ne 0 ]; then + echo "Could not start VM ${vmname} : ${res}" + `${VIRSH} undefine ${vmname}` + return 1 + fi + + [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Created VM ${vmname}." + + rm -rf ${tmpfile} + + return 0 +} + + +function destroyVM() { + local vmname="$1" + local flags="$2" + local res + + res=$(${VIRSH} destroy ${vmname}) + if [ $? -ne 0 ]; then + echo "Could not destroy VM ${vmname} : ${res}" + return 1 + fi + + res=$(${VIRSH} undefine ${vmname}) + if [ $? -ne 0 ]; then + echo "Could not undefine VM ${vmname} : ${res}" + return 1 + fi + + [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Destroyed VM ${vmname}." + + return 0 +} + + +function createTestFilter() { + local tmpfile=`mktmpfile` + local res + + cat >${tmpfile} << EOF +<filter name="${TESTFILTERNAME}"> + <filterref filter='clean-traffic'/> + + <rule action='drop' direction='inout' priority='1000'> + <all/> + </rule> + + <rule action='drop' direction='inout' priority='1000'> + <all-ipv6/> + </rule> +</filter> +EOF + res=$(${VIRSH} nwfilter-define ${tmpfile}) + if [ $? -ne 0 ]; then + echo "Could not define filter : ${res}" + rm -rf ${tmpfile} + return 1 + fi + + rm -rf ${tmpfile} + + return 0 +} + + +function deleteTestFilter() { + local res + res=$(${VIRSH} nwfilter-undefine ${TESTFILTERNAME}) + if [ $? -ne 0 ]; then + echo "Could not undefine filter : ${res}" + return 1 + fi + return 0 +} + + +function main() { + local prgname="$0" + local vm1 vm2 + local xmldir="nwfilterxml2xmlin" + local fwalldir="nwfilterxml2fwallout" + local found=0 vms res + local filtername="testcase" + local startedlibvirtd=0 + local flags OPWD + + ((flags=${FLAG_ATTACH})) + + while [ $# -ne 0 ]; do + case "$1" in + --help|-h|-\?) usage ${prgname}; exit 0;; + --noattach) ((flags ^= FLAG_ATTACH ));; + --wait) ((flags |= FLAG_WAIT ));; + --verbose) ((flags |= FLAG_VERBOSE ));; + --libvirt-test) ((flags |= FLAG_LIBVIRT_TEST ));; + *) usage ${prgname}; exit 1;; + esac + shift 1 + done + + if [ `uname` != "Linux" ]; then + echo "This script will only run on Linux." + exit 1; + fi + + if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then + pushd ${PWD} > /dev/null + . test-lib.sh + test_intro $this_test + popd > /dev/null + fi + + res=$(${VIRSH} capabilities 2>/dev/null 1>/dev/null) + + if [ $? -ne 0 ]; then + if [ "x${LIBVIRTD}x" == "xx" ]; then + echo "Cannot find libvirtd. Exiting." + exit 1 + fi + + ${LIBVIRTD} 2>/dev/null 1>/dev/null & + sleep 2 + + startedlibvirtd=1 + res=$(${VIRSH} capabilities 2>/dev/null 1>/dev/null) + if [ $? -ne 0 ]; then + echo "Could not start the libvirt daemon : $res" + echo "Exiting." + exit 1 + fi + fi + + vm1="testvm${RANDOM}" + vm2="testvm${RANDOM}" + + createTestFilter + if [ $? -ne 0 ]; then + exit 1; + fi + + createVM "${vm1}" "testcase" "10.2.2.2" "52:54:0:0:0:1" "${flags}" + if [ $? -ne 0 ]; then + echo "Could not create VM ${vm1}. Exiting." + exit 1 + fi + + createVM "${vm2}" "${TESTFILTERNAME}" "10.1.1.1" "52:54:0:9f:33:da" \ + "${flags}" + if [ $? -ne 0 ]; then + echo "Could not create VM ${vm2}. Exiting." + destroyVM "${vm1}" "${flags}" + exit 1 + fi + + runTests "${vm1}" "${vm2}" "${xmldir}" "${fwalldir}" "${flags}" + + destroyVM "${vm1}" "${flags}" + destroyVM "${vm2}" "${flags}" + deleteTestFilter + + [ ${startedlibvirtd} -eq 1 ] && killall lt-libvirtd + return 0 +} + +main "$@" Index: libvirt-acl/tests/nwfilterxml2fwallout/testvm.fwall.dat =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2fwallout/testvm.fwall.dat @@ -0,0 +1,73 @@ +#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" +-i vnet0 -j libvirt-I-vnet0 +#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$" +-o vnet0 -j libvirt-O-vnet0 +#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p IPv4 -j I-vnet0-ipv4 +-p ARP -j I-vnet0-arp +-p 0x8035 -j I-vnet0-rarp +-p 0x835 -j ACCEPT +-j DROP +#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$" +-p IPv4 -j O-vnet0-ipv4 +-p ARP -j O-vnet0-arp +-p 0x8035 -j O-vnet0-rarp +-j DROP +#ebtables -t nat -L I-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$" +-s ! 52:54:0:9f:33:da -j DROP +-p IPv4 --ip-src ! 10.1.1.1 -j DROP +#ebtables -t nat -L O-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$" +-j ACCEPT +#ebtables -t nat -L I-vnet0-arp | grep -v "^Bridge" | grep -v "^$" +-s ! 52:54:0:9f:33:da -j DROP +-p ARP --arp-mac-src ! 52:54:0:9f:33:da -j DROP +-p ARP --arp-ip-src ! 10.1.1.1 -j DROP +-p ARP --arp-op Request -j ACCEPT +-p ARP --arp-op Reply -j ACCEPT +-j DROP +#ebtables -t nat -L O-vnet0-arp | grep -v "^Bridge" | grep -v "^$" +-p ARP --arp-op Reply --arp-mac-dst ! 52:54:0:9f:33:da -j DROP +-p ARP --arp-ip-dst ! 10.1.1.1 -j DROP +-p ARP --arp-op Request -j ACCEPT +-p ARP --arp-op Reply -j ACCEPT +-j DROP +#ip6tables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +DROP all ::/0 ::/0 +#ip6tables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +DROP all ::/0 ::/0 +#ip6tables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +DROP all ::/0 ::/0 +#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-in-post -n | grep vnet0 +ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0 +#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0 +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +DROP all -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +DROP all -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +DROP all -- 0.0.0.0/0 0.0.0.0/0 +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0

4 7

[libvirt] snapshots and LVM
by Daniel Berteaud 12 May '10

12 May '10

Hi. I've just tested the snapshot function, which seems to work, but for now, is limited to qcow2 images. Are there any plans to add LVM based snapshots ? I know LVM would have some limitations, but, with recent distribs (F13, RHEL6 at least), as snapshots can be merged back into the original LV, I think we could have at least some snapshots function. Basically, the domain could be paused, then, the memory can be dumped in a separated file (as a virsh save do), then, all LVM based disks (and qcow2 based) could be snapshoted, then, the domain could be reloaded from the saved state. (or even just resumed, if the save function don't destroy it like a virsh save does) LVM gives some (a lot of ?) performance improvements over qcow2, and I think snapshots would be a lot faster (on my tests, it takes 4 or 5 minutes to snapshot a simple ubuntu guest on qcow2, and even longer to revert). There would still be some limitations, like: - check if lvconvert support merging before we create the snapshots - size of snapshots are fixed, should libvirt monitor the % used, and auto-grow when needed ? - there would be no support for snapshot of snapshot Any thoughts ? Regards, Daniel -- Daniel Berteaud FIREWALL-SERVICES SARL. Société de Services en Logiciels Libres Technopôle Montesquieu 33650 MARTILLAC Tel : 05 56 64 15 32 Fax : 05 56 64 15 32 Mail: daniel(a)firewall-services.com Web : http://www.firewall-services.com

3 6

[libvirt] [PATCH] libvirt_proxy: link with -lpthread if needed
by Eric Blake 11 May '10

11 May '10

Continuation of earlier patches to fix LIB_PTHREAD, only triggered by ./configure --with-xen-proxy (a la autobuild.sh). * proxy/Makefile.am (libvirt_proxy_LDADD): Add LIB_PTHREAD. --- I'm pushing this under the obvious rule - autobuild.sh has been broken for a few commits now. It is more fallout from using gnulib for LIB_PTHREAD, and wasn't detected until now because I don't use --with-xen-proxy that often. proxy/Makefile.am | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/proxy/Makefile.am b/proxy/Makefile.am index 9ea91d8..bee47d0 100644 --- a/proxy/Makefile.am +++ b/proxy/Makefile.am @@ -34,7 +34,7 @@ libvirt_proxy_SOURCES = libvirt_proxy.c \ @top_srcdir@/src/xen/xs_internal.c libvirt_proxy_LDFLAGS = $(WARN_CFLAGS) $(XEN_LIBS) libvirt_proxy_DEPENDENCIES = -libvirt_proxy_LDADD = ../gnulib/lib/libgnu.la +libvirt_proxy_LDADD = ../gnulib/lib/libgnu.la $(LIB_PTHREAD) install-exec-hook: chmod u+s $(DESTDIR)$(libexecdir)/libvirt_proxy -- 1.7.0.1

1 0

[libvirt] [PATCH] node_device: udev: Fix PCI product/vendor swappage
by Cole Robinson 11 May '10

11 May '10

Product and vendor values were swapped in the XML, which made virt-manager PCI device listing kinda useless. Signed-off-by: Cole Robinson <crobinso(a)redhat.com> --- src/node_device/node_device_udev.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/node_device/node_device_udev.c b/src/node_device/node_device_udev.c index bcfe991..4a9d65f 100644 --- a/src/node_device/node_device_udev.c +++ b/src/node_device/node_device_udev.c @@ -382,8 +382,8 @@ static int udevTranslatePCIIds(unsigned int vendor, /* pci_get_strings returns void */ pci_get_strings(&m, - &vendor_name, &device_name, + &vendor_name, NULL, NULL); -- 1.6.6.1

3 3

[libvirt] [PATCH v2] Determine the root physical interface of a given interface
by Stefan Berger 11 May '10

11 May '10

In this patch I am adding functions that help to iteratively determine the root physical interface of a given interface. An example would be that a macvtap device is linked to eth0.100 which in turn is linked to eth0. Given the name or interface index of the macvtap device that is linked to eth0.100, eth0 is found by following the links to the end. I am using now the netlink library to parse the returned netlink messages and for that I am making additions to configure.ac and the rpm spec file to check for the netlink and netlink-devel packages respectively. In the configure.ac the requirement to have the netlink library is dependent on having macvtap. The setup of the upcoming VEPA patches requires knowledge over which interface to run the setup protocol. In the above case the protocol would need to run over interface eth0 and provide the knowledge of vlan id 100 in the protocol (see previous patch). Changes from V1 to V2: - replaced the constant '256' representing the space for a netlink message with a constant - replaced the constant '64' representing the space for a rtattr structure with a constant - fixed the spacings that weren't correct - fixed M4 quoting Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com> --- configure.ac | 24 ++++++ libvirt.spec.in | 14 +++ src/Makefile.am | 4 - src/util/macvtap.c | 197 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 4 files changed, 229 insertions(+), 10 deletions(-) Index: libvirt-acl/src/util/macvtap.c =================================================================== --- libvirt-acl.orig/src/util/macvtap.c +++ libvirt-acl/src/util/macvtap.c @@ -41,6 +41,9 @@ # include <linux/rtnetlink.h> # include <linux/if_tun.h> +# include <netlink/attr.h> +# include <netlink/msg.h> + # include "util.h" # include "memory.h" # include "macvtap.h" @@ -57,6 +60,9 @@ # define MACVTAP_NAME_PREFIX "macvtap" # define MACVTAP_NAME_PATTERN "macvtap%d" +#define MAX_NL_MESSAGE_SIZE 256 +#define MAX_RTATTR_SIZE 64 + static int nlOpen(void) { int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); @@ -202,10 +208,10 @@ link_add(const char *type, int *retry) { int rc = 0; - char nlmsgbuf[256]; + char nlmsgbuf[MAX_NL_MESSAGE_SIZE] = { 0, }; struct nlmsghdr *nlm = (struct nlmsghdr *)nlmsgbuf, *resp; struct nlmsgerr *err; - char rtattbuf[64]; + char rtattbuf[MAX_RTATTR_SIZE]; struct rtattr *rta, *rta1, *li; struct ifinfomsg i = { .ifi_family = AF_UNSPEC }; int ifindex; @@ -217,8 +223,6 @@ link_add(const char *type, *retry = 0; - memset(&nlmsgbuf, 0, sizeof(nlmsgbuf)); - nlInit(nlm, NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL, RTM_NEWLINK); if (!nlAppend(nlm, sizeof(nlmsgbuf), &i, sizeof(i))) @@ -347,17 +351,15 @@ static int link_del(const char *name) { int rc = 0; - char nlmsgbuf[256]; + char nlmsgbuf[MAX_NL_MESSAGE_SIZE] = { 0, }; struct nlmsghdr *nlm = (struct nlmsghdr *)nlmsgbuf, *resp; struct nlmsgerr *err; - char rtattbuf[64]; + char rtattbuf[MAX_RTATTR_SIZE]; struct rtattr *rta; struct ifinfomsg ifinfo = { .ifi_family = AF_UNSPEC }; char *recvbuf = NULL; int recvbuflen; - memset(&nlmsgbuf, 0, sizeof(nlmsgbuf)); - nlInit(nlm, NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL, RTM_DELLINK); if (!nlAppend(nlm, sizeof(nlmsgbuf), &ifinfo, sizeof(ifinfo))) @@ -421,6 +423,185 @@ buffer_too_small: } +static struct nla_policy ifla_policy[IFLA_MAX + 1] = +{ + [IFLA_IFNAME] = { .type = NLA_STRING }, + [IFLA_LINK] = { .type = NLA_U32 }, +}; + + +static int +link_dump(int ifindex, const char *ifname, struct nlattr **tb, + char **recvbuf) +{ + int rc = 0; + char nlmsgbuf[MAX_NL_MESSAGE_SIZE] = { 0, }; + struct nlmsghdr *nlm = (struct nlmsghdr *)nlmsgbuf, *resp; + struct nlmsgerr *err; + char rtattbuf[MAX_RTATTR_SIZE]; + struct rtattr *rta; + struct ifinfomsg i = { + .ifi_family = AF_UNSPEC, + .ifi_index = ifindex + }; + int recvbuflen; + + *recvbuf = NULL; + + nlInit(nlm, NLM_F_REQUEST, RTM_GETLINK); + + if (!nlAppend(nlm, sizeof(nlmsgbuf), &i, sizeof(i))) + goto buffer_too_small; + + if (ifindex < 0 && ifname != NULL) { + rta = rtattrCreate(rtattbuf, sizeof(rtattbuf), IFLA_IFNAME, + ifname, strlen(ifname) + 1); + if (!rta) + goto buffer_too_small; + + if (!nlAppend(nlm, sizeof(nlmsgbuf), rtattbuf, rta->rta_len)) + goto buffer_too_small; + } + + if (nlComm(nlm, recvbuf, &recvbuflen) < 0) + return -1; + + if (recvbuflen < NLMSG_LENGTH(0) || *recvbuf == NULL) + goto malformed_resp; + + resp = (struct nlmsghdr *)*recvbuf; + + switch (resp->nlmsg_type) { + case NLMSG_ERROR: + err = (struct nlmsgerr *)NLMSG_DATA(resp); + if (resp->nlmsg_len < NLMSG_LENGTH(sizeof(*err))) + goto malformed_resp; + + switch (-err->error) { + case 0: + break; + + default: + virReportSystemError(-err->error, + _("error dumping %d interface"), + ifindex); + rc = -1; + } + break; + + case GENL_ID_CTRL: + case NLMSG_DONE: + if (nlmsg_parse(resp, sizeof(struct ifinfomsg), + tb, IFLA_MAX, ifla_policy)) { + goto malformed_resp; + } + break; + + default: + goto malformed_resp; + } + + if (rc != 0) + VIR_FREE(*recvbuf); + + return rc; + +malformed_resp: + macvtapError(VIR_ERR_INTERNAL_ERROR, "%s", + _("malformed netlink response message")); + VIR_FREE(*recvbuf); + return -1; + +buffer_too_small: + macvtapError(VIR_ERR_INTERNAL_ERROR, "%s", + _("internal buffer is too small")); + return -1; +} + + +/* TODO: move this into interface.c after moving netlink functions into + * utils dir + */ +/** + * ifaceGetNthParent + * + * @ifindex : the index of the interface or -1 if ifname is given + * @ifname : the name of the interface; ignored if ifindex is valid + * @nthParent : the nth parent interface to get + * @rootifname : pointer to buffer of size IFNAMSIZ + * @nth : the nth parent that is actually returned; if for example eth0.100 + * was given and the 100th parent is to be returned, then eth0 will + * most likely be returned with nth set to 1 since the chain does + * not have more interfaces + * + * Get the nth parent interface of the given interface. 0 is the interface + * itself. + * + * Return 0 on success, != 0 otherwise + */ +static int +ifaceGetNthParent(int ifindex, const char *ifname, unsigned int nthParent, + char *rootifname, unsigned int *nth) +{ + int rc; + struct nlattr *tb[IFLA_MAX + 1]; + char *recvbuf = NULL; + bool end = false; + unsigned int i = 0; + + while (!end && i <= nthParent) { + rc = link_dump(ifindex, ifname, tb, &recvbuf); + if (rc) + break; + + if (tb[IFLA_IFNAME]) { + if (!virStrcpy(rootifname, (char*)RTA_DATA(tb[IFLA_IFNAME]), + IFNAMSIZ)) { + macvtapError(VIR_ERR_INTERNAL_ERROR, "%s", + _("buffer for root interface name is too small")); + VIR_FREE(recvbuf); + return 1; + } + } + + if (tb[IFLA_LINK]) { + ifindex = *(int *)RTA_DATA(tb[IFLA_LINK]); + ifname = NULL; + } else + end = true; + + VIR_FREE(recvbuf); + + i++; + } + + if (nth) + *nth = i - 1; + + return rc; +} + + +/** + * ifaceGetRootIface + * + * @ifindex : the index of the interface or -1 if ifname is given + * @ifname : the name of the interface; ignored if ifindex is valid + * @rootifname : pointer to buffer of size IFNAMSIZ + * + * Get the root interface of a given interface, i.e., if macvtap + * is linked to eth0.100, it will return eth0. + * + * Return 0 on success, != 0 otherwise + */ +static int +ifaceGetRootIface(int ifindex, const char *ifname, + char *rootifname) +{ + return ifaceGetNthParent(ifindex, ifname, ~0, rootifname, NULL); +} + + /* Open the macvtap's tap device. * @ifname: Name of the macvtap interface * @retries : Number of retries in case udev for example may need to be Index: libvirt-acl/configure.ac =================================================================== --- libvirt-acl.orig/configure.ac +++ libvirt-acl/configure.ac @@ -42,6 +42,7 @@ HAL_REQUIRED=0.5.0 DEVMAPPER_REQUIRED=1.0.0 LIBCURL_REQUIRED="7.18.0" LIBPCAP_REQUIRED="1.0.0" +LIBNL_REQUIRED="1.1" dnl Checks for C compiler. AC_PROG_CC @@ -2005,6 +2006,24 @@ fi AM_CONDITIONAL([WITH_MACVTAP], [test "$with_macvtap" = "yes"]) +dnl netlink library + +LIBNL_CFLAGS="" +LIBNL_LIBS="" + +if test "$with_macvtap" = "yes"; then + PKG_CHECK_MODULES([LIBNL], [libnl-1 >= $LIBNL_REQUIRED], [ + ], [ + AC_MSG_ERROR([libnl >= $LIBNL_REQUIRED is required for macvtap support]) + ]) +fi + +AC_SUBST([LIBNL_CFLAGS]) +AC_SUBST([LIBNL_LIBS]) + + + + # Only COPYING.LIB is under version control, yet COPYING # is included as part of the distribution tarball. # Copy one to the other, but only if this is a srcdir-build. @@ -2183,6 +2202,11 @@ AC_MSG_NOTICE([ pcap: $LIBPCAP_CFLAGS else AC_MSG_NOTICE([ pcap: no]) fi +if test "$with_macvtap" = "yes" ; then +AC_MSG_NOTICE([ nl: $LIBNL_CFLAGS $LIBNL_LIBS]) +else +AC_MSG_NOTICE([ nl: no]) +fi AC_MSG_NOTICE([]) AC_MSG_NOTICE([Test suite]) AC_MSG_NOTICE([]) Index: libvirt-acl/libvirt.spec.in =================================================================== --- libvirt-acl.orig/libvirt.spec.in +++ libvirt-acl/libvirt.spec.in @@ -63,6 +63,7 @@ %define with_yajl 0%{!?_without_yajl:0} %define with_nwfilter 0%{!?_without_nwfilter:0} %define with_libpcap 0%{!?_without_libpcap:0} +%define with_macvtap 0%{!?_without_macvtap:0} # Non-server/HV driver defaults which are always enabled %define with_python 0%{!?_without_python:1} @@ -153,6 +154,11 @@ %if %{with_qemu} %define with_nwfilter 0%{!?_without_nwfilter:%{server_drivers}} %define with_libpcap 0%{!?_without_libpcap:%{server_drivers}} +%define with_macvtap 0%{!?_without_macvtap:%{server_drivers}} +%endif + +%if %{with_macvtap} +%define with_libnl 1 %endif # Force QEMU to run as non-root @@ -282,6 +288,9 @@ BuildRequires: yajl-devel %if %{with_libpcap} BuildRequires: libpcap-devel %endif +%if %{with_libnl} +BuildRequires: libnl-devel +%endif %if %{with_avahi} BuildRequires: avahi-devel %endif @@ -531,6 +540,10 @@ of recent versions of Linux (and other O %define _without_libpcap --without-libpcap %endif +%if ! %{with_macvtap} +%define _without_macvtap --without-macvtap +%endif + %configure %{?_without_xen} \ %{?_without_qemu} \ %{?_without_openvz} \ @@ -560,6 +573,7 @@ of recent versions of Linux (and other O %{?_without_udev} \ %{?_without_yajl} \ %{?_without_libpcap} \ + %{?_without_macvtap} \ --with-qemu-user=%{qemu_user} \ --with-qemu-group=%{qemu_group} \ --with-init-script=redhat \ Index: libvirt-acl/src/Makefile.am =================================================================== --- libvirt-acl.orig/src/Makefile.am +++ libvirt-acl/src/Makefile.am @@ -973,7 +973,7 @@ libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FL $(COVERAGE_CFLAGS:-f%=-Wc,-f%) \ $(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS) libvirt_la_LIBADD += $(LIBXML_LIBS) \ - $(LIBPCAP_LIBS) \ + $(LIBPCAP_LIBS) $(LIBNL_LIBS) \ $(DRIVER_MODULE_LIBS) \ $(CYGWIN_EXTRA_LIBADD) ../gnulib/lib/libgnu.la libvirt_la_CFLAGS = $(COVERAGE_CFLAGS) -DIN_LIBVIRT @@ -1027,7 +1027,7 @@ libvirt_lxc_SOURCES = \ libvirt_lxc_LDFLAGS = $(WARN_CFLAGS) $(COVERAGE_LDCFLAGS) libvirt_lxc_LDADD = $(CAPNG_LIBS) $(YAJL_LIBS) \ $(LIBXML_LIBS) $(NUMACTL_LIBS) $(LIB_PTHREAD) \ - ../gnulib/lib/libgnu.la + $(LIBNL_LIBS) ../gnulib/lib/libgnu.la libvirt_lxc_CFLAGS = \ $(LIBPARTED_CFLAGS) \ $(NUMACTL_CFLAGS) \

2 1

[libvirt] [PATCH] tests: adjust copyrights on scripts: s/FSF/Red Hat/
by Jim Meyering 11 May '10

11 May '10

FYI, just pushed. I ran this command: cd tests && grep -l 'Copy.*Free.Sof' * |xargs perl -pi -e \ 's/Copyright $C$ (.*) Free Software Foundation,/Copyright (C) $1 Red Hat,/' >From c5be8bcb8f4b72a39481eeef58d601ec585e0c6f Mon Sep 17 00:00:00 2001 From: Jim Meyering <meyering(a)redhat.com> Date: Tue, 11 May 2010 16:43:07 +0200 Subject: [PATCH] tests: adjust copyrights on scripts: s/FSF/Red Hat/ * tests/cpuset: Change copyright holder from FSF to Red Hat, Inc. * tests/read-bufsiz: Likewise. * tests/read-non-seekable: Likewise. * tests/start: Likewise. * tests/undefine: Likewise. * tests/vcpupin: Likewise. * tests/virsh-all: Likewise. * tests/virsh-synopsis: Likewise. --- tests/cpuset | 2 +- tests/read-bufsiz | 2 +- tests/read-non-seekable | 2 +- tests/start | 2 +- tests/undefine | 2 +- tests/vcpupin | 2 +- tests/virsh-all | 2 +- tests/virsh-synopsis | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/cpuset b/tests/cpuset index 89c19e0..3c48f0a 100755 --- a/tests/cpuset +++ b/tests/cpuset @@ -1,7 +1,7 @@ #!/bin/sh # ensure that defining with an invalid vCPU cpuset elicits a diagnostic -# Copyright (C) 2008-2009 Free Software Foundation, Inc. +# Copyright (C) 2008-2009 Red Hat, Inc. # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/read-bufsiz b/tests/read-bufsiz index f4f8f19..3ebc135 100755 --- a/tests/read-bufsiz +++ b/tests/read-bufsiz @@ -1,7 +1,7 @@ #!/bin/sh # ensure that reading a file larger than BUFSIZ works -# Copyright (C) 2008 Free Software Foundation, Inc. +# Copyright (C) 2008 Red Hat, Inc. # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/read-non-seekable b/tests/read-non-seekable index 59c2389..1aed286 100755 --- a/tests/read-non-seekable +++ b/tests/read-non-seekable @@ -1,7 +1,7 @@ #!/bin/sh # ensure that certain file-reading commands can handle non-seekable files -# Copyright (C) 2008 Free Software Foundation, Inc. +# Copyright (C) 2008 Red Hat, Inc. # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/start b/tests/start index 930a6d9..df92a36 100755 --- a/tests/start +++ b/tests/start @@ -1,7 +1,7 @@ #!/bin/sh # ensure that virsh start works properly -# Copyright (C) 2008 Free Software Foundation, Inc. +# Copyright (C) 2008 Red Hat, Inc. # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/undefine b/tests/undefine index 48b0ad9..d9efbf7 100755 --- a/tests/undefine +++ b/tests/undefine @@ -1,7 +1,7 @@ #!/bin/sh # exercise virsh's "undefine" command -# Copyright (C) 2008-2009 Free Software Foundation, Inc. +# Copyright (C) 2008-2009 Red Hat, Inc. # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/vcpupin b/tests/vcpupin index a72ad4c..36dd093 100755 --- a/tests/vcpupin +++ b/tests/vcpupin @@ -1,7 +1,7 @@ #!/bin/sh # ensure that an invalid CPU spec elicits a diagnostic -# Copyright (C) 2008 Free Software Foundation, Inc. +# Copyright (C) 2008 Red Hat, Inc. # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/virsh-all b/tests/virsh-all index f1eb82c..baec161 100755 --- a/tests/virsh-all +++ b/tests/virsh-all @@ -1,7 +1,7 @@ #!/bin/sh # blindly run each and every command listed by "virsh help" -# Copyright (C) 2008, 2009 Free Software Foundation, Inc. +# Copyright (C) 2008, 2009 Red Hat, Inc. # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/tests/virsh-synopsis b/tests/virsh-synopsis index d72e887..e60aeb5 100755 --- a/tests/virsh-synopsis +++ b/tests/virsh-synopsis @@ -1,7 +1,7 @@ #!/bin/sh # ensure that each command's help "SYNOPSIS" line starts with the command name -# Copyright (C) 2008 Free Software Foundation, Inc. +# Copyright (C) 2008 Red Hat, Inc. # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by -- 1.7.1.189.g07419

4 8