Devel
Hi,
I was trying to figure out a way to get the IP address of the host in which
a particular VM is running, using the Libvirt API. For example, if I have a VM
object, then I would like to fetch the IP address of the host in which this
VM is running, programmatically.
Is there a way to do this using the API?
Please guide me, if there is some other way to do this also.
Thanks and Regards
Sagar Barve
Hello Folks,
This is the result of a couple of months of hard work. I added the storage
management driver to the Power Hypervisor driver. This is a big but simple
patch, it's just a new set of functions, nothing more. I could split it
into multiple commits, but the feature freeze starts in some hours and I
really need this feature to be included in the next release.
This patch includes:
* Storage driver: The set of pool-* and vol-* functions.
* attach-disk function.
* Support for IVM on the new functions.
I've been looking at this code for a long time, so I apologize now for the
silly mistakes that might be present. Looking forward to see the comments.
Thanks!
---
src/phyp/phyp_driver.c | 1638 +++++++++++++++++++++++++++++++++++++++++++++++-
src/phyp/phyp_driver.h | 52 ++
2 files changed, 1688 insertions(+), 2 deletions(-)
diff --git a/src/phyp/phyp_driver.c b/src/phyp/phyp_driver.c
index cefb8be..77a74ef 100644
--- a/src/phyp/phyp_driver.c
+++ b/src/phyp/phyp_driver.c
@@ -56,6 +56,7 @@
#include "virterror_internal.h"
#include "uuid.h"
#include "domain_conf.h"
+#include "storage_conf.h"
#include "nodeinfo.h"
#include "phyp_driver.h"
@@ -1680,6 +1681,466 @@ phypDomainSetCPU(virDomainPtr dom, unsigned int nvcpus)
}
+static char *
+phypGetLparProfile(virConnectPtr conn, int lpar_id)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int exit_status = 0;
+ char *cmd = NULL;
+ char *ret = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ virBufferAddLit(&buf, "lssyscfg");
+ if (system_type == HMC)
+ virBufferVSprintf(&buf, " -m %s ", managed_system);
+ virBufferVSprintf(&buf,
+ " -r prof --filter lpar_ids=%d -F name|head -n 1",
+ lpar_id);
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return NULL;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ char *char_ptr = strchr(ret, '\n');
+
+ if (char_ptr)
+ *char_ptr = '\0';
+
+ VIR_FREE(cmd);
+ return ret;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return NULL;
+}
+
+static int
+phypGetVIOSNextSlotNumber(virConnectPtr conn)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *char_ptr;
+ char *cmd = NULL;
+ char *ret = NULL;
+ char *profile = NULL;
+ int slot = 0;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (!(profile = phypGetLparProfile(conn, vios_id))) {
+ VIR_ERROR("%s", "Unable to get VIOS profile name.");
+ goto err;
+ }
+
+ virBufferAddLit(&buf, "echo $((`lssyscfg");
+ if (system_type == HMC)
+ virBufferVSprintf(&buf, " -m %s ", managed_system);
+ virBufferVSprintf(&buf, "-r prof --filter "
+ "profile_names=%s -F virtual_eth_adapters,"
+ "virtual_opti_pool_id,virtual_scsi_adapters,"
+ "virtual_serial_adapters|sed -e 's/\"//g' -e "
+ "'s/,/\\n/g'|sed -e 's/\\(^[0-9][0-9]\\*\\).*$/\\1/'"
+ "|sort|tail -n 1` +1 ))", profile);
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ if (virStrToLong_i(ret, &char_ptr, 10, &slot) == -1)
+ goto err;
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return slot;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+static int
+phypCreateServerSCSIAdapter(virConnectPtr conn)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *cmd = NULL;
+ char *ret = NULL;
+ char *profile = NULL;
+ int slot = 0;
+ char *vios_name = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (!
+ (vios_name =
+ phypGetLparNAME(session, managed_system, vios_id, conn))) {
+ VIR_ERROR("%s", "Unable to get VIOS name");
+ goto err;
+ }
+
+ if (!(profile = phypGetLparProfile(conn, vios_id))) {
+ VIR_ERROR("%s", "Unable to get VIOS profile name.");
+ goto err;
+ }
+
+ if ((slot = phypGetVIOSNextSlotNumber(conn)) == -1) {
+ VIR_ERROR("%s", "Unable to get free slot number");
+ goto err;
+ }
+
+ /* Listing all the virtual_scsi_adapter interfaces, the new adapter must
+ * be appended to this list
+ * */
+ virBufferAddLit(&buf, "lssyscfg");
+ if (system_type == HMC)
+ virBufferVSprintf(&buf, " -m %s ", managed_system);
+ virBufferVSprintf(&buf, "-r prof --filter lpar_ids=%d,profile_names=%s"
+ " -F virtual_scsi_adapters|sed -e s/\"//g",
+ vios_id, profile);
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ /* Here I change the VIOS configuration to append the new adapter
+ * with the free slot I got with phypGetVIOSNextSlotNumber.
+ * */
+ virBufferAddLit(&buf, "chsyscfg");
+ if (system_type == HMC)
+ virBufferVSprintf(&buf, " -m %s ", managed_system);
+ virBufferVSprintf(&buf, "-r prof -i 'name=%s,lpar_id=%d,"
+ "\"virtual_scsi_adapters=%s,%d/server/any/any/1\"'",
+ vios_name, vios_id, ret, slot);
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ /* Finally I add the new scsi adapter to VIOS using the same slot
+ * I used in the VIOS configuration.
+ * */
+ virBufferAddLit(&buf, "chhwres -r virtualio --rsubtype scsi ");
+ if (system_type == HMC)
+ virBufferVSprintf(&buf, " -m %s ", managed_system);
+ virBufferVSprintf(&buf,
+ "-p %s -o a -s %d -d 0 -a \"adapter_type=server\"",
+ vios_name, slot);
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ VIR_FREE(profile);
+ VIR_FREE(vios_name);
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return 0;
+
+ err:
+ VIR_FREE(profile);
+ VIR_FREE(vios_name);
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+static char *
+phypGetVIOSFreeSCSIAdapter(virConnectPtr conn)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *cmd = NULL;
+ char *ret = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lsmap -all -field svsa backing -fmt ,'");
+ } else {
+ virBufferVSprintf(&buf, "lsmap -all -field svsa backing -fmt ,");
+ }
+ virBufferVSprintf(&buf, "|grep -v ',[^.*]'|head -n 1|sed -e 's/,//g'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return NULL;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ char *char_ptr = strchr(ret, '\n');
+
+ if (char_ptr)
+ *char_ptr = '\0';
+
+ VIR_FREE(cmd);
+ return ret;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return NULL;
+}
+
+
+int
+phypAttachDevice(virDomainPtr domain, const char *xml)
+{
+
+ virConnectPtr conn = domain->conn;
+ ConnectionData *connection_data = domain->conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = domain->conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *char_ptr = NULL;
+ char *cmd = NULL;
+ char *ret = NULL;
+ char *scsi_adapter = NULL;
+ int slot = 0;
+ char *vios_name = NULL;
+ char *profile = NULL;
+ virDomainDeviceDefPtr dev = NULL;
+ virDomainDefPtr def = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ def->os.type = strdup("aix");
+
+ if (def->os.type == NULL) {
+ virReportOOMError();
+ goto err;
+ }
+
+ dev = virDomainDeviceDefParse(phyp_driver->caps, def, xml,
+ VIR_DOMAIN_XML_INACTIVE);
+ if (!dev) {
+ virReportOOMError();
+ goto err;
+ }
+
+ if (!
+ (vios_name =
+ phypGetLparNAME(session, managed_system, vios_id, conn))) {
+ VIR_ERROR("%s", "Unable to get VIOS name");
+ goto err;
+ }
+
+ /* First, let's look for a free SCSI Adapter
+ * */
+ if (!(scsi_adapter = phypGetVIOSFreeSCSIAdapter(conn))) {
+ /* If not found, let's create one.
+ * */
+ if (phypCreateServerSCSIAdapter(conn) == -1) {
+ VIR_ERROR("%s", "Unable to create new virtual adapter");
+ goto err;
+ } else {
+ if (!(scsi_adapter = phypGetVIOSFreeSCSIAdapter(conn))) {
+ VIR_ERROR("%s", "Unable to create new virtual adapter");
+ goto err;
+ }
+ }
+ }
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'mkvdev -vdev %s -vadapter %s'",
+ dev->data.disk->src, scsi_adapter);
+ } else {
+ virBufferVSprintf(&buf, "mkvdev -vdev %s -vadapter %s",
+ dev->data.disk->src, scsi_adapter);
+ }
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ if (!(profile = phypGetLparProfile(conn, domain->id))) {
+ VIR_ERROR("%s", "Unable to get VIOS profile name.");
+ goto err;
+ }
+
+ /* Let's get the slot number for the adapter we just created
+ * */
+ virBufferAddLit(&buf, "lshwres -r virtualio --rsubtype scsi ");
+ if (system_type == HMC)
+ virBufferVSprintf(&buf, " -m %s", managed_system);
+ virBufferVSprintf(&buf,
+ "slot_num,backing_device|grep %s|cut -d, -f1",
+ dev->data.disk->src);
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ if (virStrToLong_i(ret, &char_ptr, 10, &slot) == -1)
+ goto err;
+
+ /* Listing all the virtual_scsi_adapter interfaces, the new adapter must
+ * be appended to this list
+ * */
+ virBufferAddLit(&buf, "lssyscfg");
+ if (system_type == HMC)
+ virBufferVSprintf(&buf, " -m %s ", managed_system);
+ virBufferVSprintf(&buf,
+ "-r prof --filter lpar_ids=%d,profile_names=%s"
+ " -F virtual_scsi_adapters|sed -e s/\"//g",
+ vios_id, profile);
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ /* Here I change the LPAR configuration to append the new adapter
+ * with the new slot we just created
+ * */
+ virBufferAddLit(&buf, "chsyscfg");
+ if (system_type == HMC)
+ virBufferVSprintf(&buf, " -m %s ", managed_system);
+ virBufferVSprintf(&buf,
+ "-r prof -i 'name=%s,lpar_id=%d,"
+ "\"virtual_scsi_adapters=%s,%d/client/%d/%s/0\"'",
+ domain->name, domain->id, ret, slot,
+ vios_id, vios_name);
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (virStrToLong_i(ret, &char_ptr, 10, &slot) == -1)
+ goto err;
+
+ /* Finally I add the new scsi adapter to VIOS using the same slot
+ * I used in the VIOS configuration.
+ * */
+ virBufferAddLit(&buf, "chhwres -r virtualio --rsubtype scsi ");
+ if (system_type == HMC)
+ virBufferVSprintf(&buf, " -m %s ", managed_system);
+ virBufferVSprintf(&buf,
+ " -p %s -o a -s %d -d 0 -a \"adapter_type=server\"",
+ domain->name, slot);
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL) {
+ VIR_ERROR0(_
+ ("Possibly you don't have IBM Tools installed in your LPAR."
+ "Contact your support to enable this feature."));
+ goto err;
+ }
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ VIR_FREE(def);
+ VIR_FREE(dev);
+ VIR_FREE(vios_name);
+ VIR_FREE(scsi_adapter);
+ return 0;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ VIR_FREE(def);
+ VIR_FREE(dev);
+ VIR_FREE(vios_name);
+ VIR_FREE(scsi_adapter);
+ return -1;
+}
+
virDriver phypDriver = {
VIR_DRV_PHYP, "PHYP", phypOpen, /* open */
phypClose, /* close */
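Review bot: phypAttachDevice writes through a NULL pointer on its first statement: `def` is initialised to NULL and then `def->os.type = strdup("aix");` dereferences it, so every attach call fails before the XML is parsed. Allocate `def` before use, and release `def` and `dev` with their own free routines, since a plain VIR_FREE will not release their members. In the same function `dev->data.disk->src`, taken from the caller's XML, is formatted with %s directly into the `mkvdev` and `grep` command strings handed to phypExec over the SSH session, with no check that `dev` is a disk and no restriction on the characters in the source; because these strings contain pipes and are interpreted by a shell, validate the value against an allowed character set or quote it before building the command, and treat `profile` and `managed_system` in the helpers the same way. The `lshwres` command is malformed as written: `" -m %s"` is followed directly by `"slot_num,backing_device|grep %s|cut -d, -f1"`, with no separating space and no -F option. Resource handling also needs a pass: in phypCreateServerSCSIAdapter and phypAttachDevice `cmd` and `ret` are reassigned for each command without freeing the previous value, the `return -1` paths after virBufferError skip the cleanup under `err:`, `profile` is never freed in phypGetVIOSNextSlotNumber or phypAttachDevice, and the chsyscfg result near the end of phypAttachDevice is passed to virStrToLong_i without checking exit_status or whether `ret` is NULL.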
@@ -1725,7 +2186,7 @@ virDriver phypDriver = {
NULL, /* domainCreateWithFlags */
NULL, /* domainDefineXML */
NULL, /* domainUndefine */
- NULL, /* domainAttachDevice */
+ phypAttachDevice, /* domainAttachDevice */
NULL, /* domainAttachDeviceFlags */
NULL, /* domainDetachDevice */
NULL, /* domainDetachDeviceFlags */
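Review bot: domainAttachDevice is now set while domainDetachDevice, domainAttachDeviceFlags and domainDetachDeviceFlags stay NULL, so a disk attached through this driver, which also creates a VIOS adapter and rewrites LPAR profiles, cannot be removed through the API. Either add the matching detach entry point or state the limitation in the commit message.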
@@ -1779,6 +2240,1175 @@ virDriver phypDriver = {
NULL, /* domainSnapshotDelete */
};
+virStorageDriver phypStorageDriver = {
+ .name = "PHYP",
+ .open = phypStorageOpen,
+ .close = phypStorageClose,
+
+ .numOfPools = phypNumOfStoragePools,
+ .listPools = phypListStoragePools,
+ .numOfDefinedPools = NULL,
+ .listDefinedPools = NULL,
+ .findPoolSources = NULL,
+ .poolLookupByName = phypStoragePoolLookupByName,
+ .poolLookupByUUID = phypGetStoragePoolLookUpByUUID,
+ .poolLookupByVolume = NULL,
+ .poolCreateXML = phypStoragePoolCreateXML,
+ .poolDefineXML = NULL,
+ .poolBuild = NULL,
+ .poolUndefine = NULL,
+ .poolCreate = NULL,
+ .poolDestroy = phypDestroyStoragePool,
+ .poolDelete = NULL,
+ .poolRefresh = NULL,
+ .poolGetInfo = NULL,
+ .poolGetXMLDesc = phypGetStoragePoolXMLDesc,
+ .poolGetAutostart = NULL,
+ .poolSetAutostart = NULL,
+ .poolNumOfVolumes = phypStoragePoolNumOfVolumes,
+ .poolListVolumes = phypStoragePoolListVolumes,
+
+ .volLookupByName = phypVolumeLookupByName,
+ .volLookupByKey = NULL,
+ .volLookupByPath = phypVolumeLookupByPath,
+ .volCreateXML = NULL,
+ .volCreateXMLFrom = NULL,
+ .volDelete = NULL,
+ .volGetInfo = NULL,
+ .volGetXMLDesc = phypVolumeGetXMLDesc,
+ .volGetPath = phypVolumeGetPath,
+ .poolIsActive = NULL,
+ .poolIsPersistent = NULL
+};
+
+static int
+phypVolumeGetKey(virConnectPtr conn, char *key, const char *name)
+{
+
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *cmd = NULL;
+ char *ret = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lslv %s -field lvid'", name);
+ } else {
+ virBufferVSprintf(&buf, "lslv %s -field lvid", name);
+ }
+ virBufferVSprintf(&buf, "|sed -e 's/^LV IDENTIFIER://' -e 's/\\ //g'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ char *char_ptr = strchr(ret, '\n');
+
+ if (char_ptr)
+ *char_ptr = '\0';
+
+ if (memmove(key, ret, PATH_MAX) == NULL)
+ goto err;
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return 0;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+static char *
+phypGetStoragePoolDevice(virConnectPtr conn, char *name)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *cmd = NULL;
+ char *ret = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lssp -detail -sp %s -field name'", name);
+ } else {
+ virBufferVSprintf(&buf, "lssp -detail -sp %s -field name", name);
+ }
+ virBufferVSprintf(&buf, "|sed '1d'|sed -e 's/\\ //g'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return NULL;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ char *char_ptr = strchr(ret, '\n');
+
+ if (char_ptr)
+ *char_ptr = '\0';
+
+ VIR_FREE(cmd);
+ return ret;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return NULL;
+}
+
+static unsigned long int
+phypGetStoragePoolSize(virConnectPtr conn, char *name)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int exit_status = 0;
+ int vios_id = phyp_driver->vios_id;
+ char *cmd = NULL;
+ char *ret = NULL;
+ int sp_size = 0;
+ char *char_ptr;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lssp -detail -sp %s -field size'", name);
+ } else {
+ virBufferVSprintf(&buf, "lssp -detail -sp %s -field size", name);
+ }
+ virBufferVSprintf(&buf, "|sed '1d'|sed -e 's/\\ //g'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ if (virStrToLong_i(ret, &char_ptr, 10, &sp_size) == -1)
+ goto err;
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return sp_size;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+static int
+phypBuildVolume(virConnectPtr conn, const char *lvname, const char *spname,
+ unsigned int capacity, char *key)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ int vios_id = phyp_driver->vios_id;
+ int system_type = phyp_driver->system_type;
+ char *managed_system = phyp_driver->managed_system;
+ char *cmd = NULL;
+ char *ret = NULL;
+ int exit_status = 0;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'mklv -lv %s %s %d'", lvname, spname,
+ capacity);
+ } else {
+ virBufferVSprintf(&buf, "mklv -lv %s %s %d", lvname, spname,
+ capacity);
+ }
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0) {
+ VIR_ERROR("%s\"%s\"", "Unable to create Volume. Reason: ", ret);
+ goto err;
+ }
+
+ if (phypVolumeGetKey(conn, key, lvname) == -1)
+ goto err;;
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return 0;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+virStorageVolPtr
+phypStorageVolCreateXML(virStoragePoolPtr pool, const char *xml,
+ unsigned int flags ATTRIBUTE_UNUSED)
+{
+
+ virStorageVolDefPtr voldef = NULL;
+ virStoragePoolDefPtr spdef = NULL;
+ virStorageVolPtr vol = NULL;
+ char *key = NULL;
+
+ if (VIR_ALLOC(spdef) < 0) {
+ virReportOOMError();
+ return NULL;
+ }
+
+ if (VIR_ALLOC_N(key, PATH_MAX) < 0) {
+ virReportOOMError();
+ return NULL;
+ }
+
+ /* Filling spdef manually
+ * */
+ if (pool->name != NULL) {
+ spdef->name = pool->name;
+ } else {
+ VIR_ERROR("%s", "Unable to determine storage pool's name.");
+ goto err;
+ }
+
+ if (memmove(spdef->uuid, pool->uuid, VIR_UUID_BUFLEN) == NULL) {
+ VIR_ERROR("%s", "Unable to determine storage pool's uuid.");
+ goto err;
+ }
+
+ if ((spdef->capacity =
+ phypGetStoragePoolSize(pool->conn, pool->name)) == -1) {
+ VIR_ERROR("%s", "Unable to determine storage pools's size.");
+ goto err;
+ }
+
+ /* Information not avaliable */
+ spdef->allocation = 0;
+ spdef->available = 0;
+
+ spdef->source.ndevice = 1;
+
+ /*XXX source adapter not working properly, should show hdiskX */
+ if ((spdef->source.adapter =
+ phypGetStoragePoolDevice(pool->conn, pool->name)) == NULL) {
+ VIR_ERROR("%s",
+ "Unable to determine storage pools's source adapter.");
+ goto err;
+ }
+
+ if ((voldef = virStorageVolDefParseString(spdef, xml)) == NULL) {
+ VIR_ERROR("%s", "Error parsing volume XML.");
+ goto err;
+ }
+
+ /* checking if this name already exists on this system */
+ if (phypVolumeLookupByName(pool, voldef->name) != NULL) {
+ VIR_ERROR("%s", "StoragePool name already exists.");
+ goto err;
+ }
+
+ /* The key must be NULL, the Power Hypervisor creates a key
+ * in the moment you create the volume.
+ * */
+ if (voldef->key) {
+ VIR_ERROR("%s",
+ "Key must be empty, Power Hypervisor will create one for you.");
+ goto err;
+ }
+
+ if (voldef->capacity) {
+ VIR_ERROR("%s", "Capacity cannot be empty.");
+ goto err;
+ }
+
+ if (phypBuildVolume
+ (pool->conn, voldef->name, spdef->name, voldef->capacity,
+ key) == -1)
+ goto err;
+
+ if ((vol =
+ virGetStorageVol(pool->conn, pool->name, voldef->name,
+ key)) == NULL)
+ goto err;
+
+ return vol;
+
+ err:
+ virStorageVolDefFree(voldef);
+ virStoragePoolDefFree(spdef);
+ if (vol)
+ virUnrefStorageVol(vol);
+ return NULL;
+}
+
+static char *
+phypVolumeGetPhysicalVolumeByStoragePool(virStorageVolPtr vol, char *sp)
+{
+ virConnectPtr conn = vol->conn;
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *cmd = NULL;
+ char *ret = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lssp -detail -sp %s -field pvname'", sp);
+ } else {
+ virBufferVSprintf(&buf, "lssp -detail -sp %s -field pvname", sp);
+ }
+ virBufferVSprintf(&buf, "|sed 1d");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return NULL;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ char *char_ptr = strchr(ret, '\n');
+
+ if (char_ptr)
+ *char_ptr = '\0';
+
+ VIR_FREE(cmd);
+ return ret;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return NULL;
+
+}
+
+virStorageVolPtr
+phypVolumeLookupByPath(virConnectPtr conn, const char *volname)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *cmd = NULL;
+ char *spname = NULL;
+ char *key = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lslv %s -field vgname'", volname);
+ } else {
+ virBufferVSprintf(&buf, "lslv %s -field vgname", volname);
+ }
+ virBufferVSprintf(&buf,
+ "|sed -e 's/^VOLUME\\ GROUP://g' -e 's/\\ //g'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return NULL;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ spname = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || spname == NULL)
+ return NULL;
+
+ char *char_ptr = strchr(spname, '\n');
+
+ if (char_ptr)
+ *char_ptr = '\0';
+
+ if (VIR_ALLOC_N(key, PATH_MAX) < 0) {
+ virReportOOMError();
+ return NULL;
+ }
+
+ if (phypVolumeGetKey(conn, key, volname) == -1)
+ return NULL;
+
+ return virGetStorageVol(conn, spname, volname, key);
+}
+
+char *
+phypVolumeGetXMLDesc(virStorageVolPtr vol,
+ unsigned int flags ATTRIBUTE_UNUSED)
+{
+ virStorageVolDef voldef;
+ memset(&voldef, 0, sizeof(virStorageVolDef));
+
+ virStoragePoolPtr sp =
+ phypStoragePoolLookupByName(vol->conn, vol->pool);
+
+ if (!sp)
+ goto err;
+
+ virStoragePoolDef pool;
+ memset(&pool, 0, sizeof(virStoragePoolDef));
+
+ if (VIR_ALLOC_N(voldef.key, PATH_MAX) < 0) {
+ virReportOOMError();
+ return NULL;
+ }
+
+ if (sp->name != NULL) {
+ pool.name = sp->name;
+ } else {
+ VIR_ERROR("%s", "Unable to determine storage sp's name.");
+ goto err;
+ }
+
+ if (memmove(pool.uuid, sp->uuid, VIR_UUID_BUFLEN) == NULL) {
+ VIR_ERROR("%s", "Unable to determine storage sp's uuid.");
+ goto err;
+ }
+
+ if ((pool.capacity = phypGetStoragePoolSize(sp->conn, sp->name)) == -1) {
+ VIR_ERROR("%s", "Unable to determine storage sps's size.");
+ goto err;
+ }
+
+ /* Information not avaliable */
+ pool.allocation = 0;
+ pool.available = 0;
+
+ pool.source.ndevice = 1;
+
+ if ((pool.source.adapter =
+ phypGetStoragePoolDevice(sp->conn, sp->name)) == NULL) {
+ VIR_ERROR("%s",
+ "Unable to determine storage sps's source adapter.");
+ goto err;
+ }
+
+ if (vol->name != NULL)
+ voldef.name = vol->name;
+ else {
+ VIR_ERROR("%s", "Unable to determine storage pool's name.");
+ goto err;
+ }
+
+ if (memmove(voldef.key, vol->key, PATH_MAX) == NULL) {
+ VIR_ERROR("%s", "Unable to determine volume's key.");
+ goto err;
+ }
+
+ voldef.type = VIR_STORAGE_POOL_LOGICAL;
+
+ return virStorageVolDefFormat(&pool, &voldef);
+
+ err:
+ return NULL;
+}
+
+/* The Volume Group path here will be treated as suggested in the
+ * email on the libvirt mailling list. As soon as I can't get the
+ * path for every volume, the path will be a representation in
+ * the form:
+ *
+ * /physical_volume/storage_pool/logical_volume
+ *
+ * */
+char *
+phypVolumeGetPath(virStorageVolPtr vol)
+{
+ virConnectPtr conn = vol->conn;
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *cmd = NULL;
+ char *sp = NULL;
+ char *path = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lslv %s -field vgname'", vol->name);
+ } else {
+ virBufferVSprintf(&buf, "lslv %s -field vgname", vol->name);
+ }
+ virBufferVSprintf(&buf,
+ "|sed -e 's/^VOLUME\\ GROUP://g' -e 's/\\ //g'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return NULL;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ sp = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || sp == NULL)
+ goto err;
+
+ char *char_ptr = strchr(sp, '\n');
+
+ if (char_ptr)
+ *char_ptr = '\0';
+
+ char *pv = phypVolumeGetPhysicalVolumeByStoragePool(vol, sp);
+
+ if (pv) {
+ if (virAsprintf(&path, "/%s/%s/%s", pv, sp, vol->name) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ goto err;
+ }
+
+ VIR_FREE(cmd);
+ return path;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(sp);
+ VIR_FREE(path);
+ return NULL;
+
+}
+
+virStorageVolPtr
+phypVolumeLookupByName(virStoragePoolPtr pool, const char *volname)
+{
+
+ char key[PATH_MAX];
+
+ if (phypVolumeGetKey(pool->conn, key, volname) == -1)
+ return NULL;
+
+ return virGetStorageVol(pool->conn, pool->name, volname, key);
+}
+
+int
+phypStoragePoolListVolumes(virStoragePoolPtr pool, char **const volumes,
+ int nvolumes)
+{
+ virConnectPtr conn = pool->conn;
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ int got = 0;
+ int i;
+ char *cmd = NULL;
+ char *ret = NULL;
+ char *volumes_list = NULL;
+ char *char_ptr2 = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lsvg -lv %s -field lvname'", pool->name);
+ } else {
+ virBufferVSprintf(&buf, "lsvg -lv %s -field lvname", pool->name);
+ }
+ virBufferVSprintf(&buf, "|sed '1d'|sed '1d'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ /* I need to parse the textual return in order to get the volumes */
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+ else {
+ volumes_list = ret;
+
+ while (got < nvolumes) {
+ char_ptr2 = strchr(volumes_list, '\n');
+
+ if (char_ptr2) {
+ *char_ptr2 = '\0';
+ if ((volumes[got++] = strdup(volumes_list)) == NULL) {
+ virReportOOMError();
+ goto err;
+ }
+ char_ptr2++;
+ volumes_list = char_ptr2;
+ } else
+ break;
+ }
+ }
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return got;
+
+ err:
+ for (i = 0; i < got; i++)
+ VIR_FREE(volumes[i]);
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+int
+phypStoragePoolNumOfVolumes(virStoragePoolPtr pool)
+{
+ virConnectPtr conn = pool->conn;
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
+ int exit_status = 0;
+ int nvolumes = 0;
+ char *cmd = NULL;
+ char *ret = NULL;
+ char *managed_system = phyp_driver->managed_system;
+ int vios_id = phyp_driver->vios_id;
+ char *char_ptr;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lsvg -lv %s -field lvname'", pool->name);
+ } else {
+ virBufferVSprintf(&buf, "lsvg -lv %s -field lvname", pool->name);
+ }
+ virBufferVSprintf(&buf, "|sed '1d'|sed '1d'|grep -c '^.*$'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ if (virStrToLong_i(ret, &char_ptr, 10, &nvolumes) == -1)
+ goto err;
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return nvolumes;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+int
+phypDestroyStoragePool(virStoragePoolPtr pool)
+{
+ virConnectPtr conn = pool->conn;
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ int vios_id = phyp_driver->vios_id;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ char *cmd = NULL;
+ char *ret = NULL;
+ int exit_status = 0;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'rmsp %s'", pool->name);
+ } else {
+ virBufferVSprintf(&buf, "'rmsp %s'", pool->name);
+ }
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ if (virAsprintf(&cmd,
+ "viosvrcmd -m %s --id %d -c "
+ "'rmsp %s'", managed_system, vios_id,
+ pool->name) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0) {
+ VIR_ERROR("%s\"%s\"", "Unable to create Storage Pool. Reason: ",
+ ret);
+ goto err;
+ }
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return 0;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+static int
+phypBuildStoragePool(virConnectPtr conn, virStoragePoolDefPtr def)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ virStoragePoolSource source = def->source;
+ int vios_id = phyp_driver->vios_id;
+ int system_type = phyp_driver->system_type;
+ char *managed_system = phyp_driver->managed_system;
+ char *cmd = NULL;
+ char *ret = NULL;
+ int exit_status = 0;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'mksp -f %schild %s'", def->name,
+ source.adapter);
+ } else {
+ virBufferVSprintf(&buf, "mksp -f %schild %s", def->name,
+ source.adapter);
+ }
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0) {
+ VIR_ERROR("%s\"%s\"", "Unable to create Storage Pool. Reason: ",
+ ret);
+ goto err;
+ }
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return 0;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+
+}
+
+virStoragePoolPtr
+phypStoragePoolCreateXML(virConnectPtr conn,
+ const char *xml,
+ unsigned int flags ATTRIBUTE_UNUSED)
+{
+
+ virStoragePoolDefPtr def = NULL;
+ virStoragePoolPtr sp = NULL;
+
+ if (!(def = virStoragePoolDefParseString(xml)))
+ goto err;
+
+ /* checking if this name already exists on this system */
+ if (phypStoragePoolLookupByName(conn, def->name) != NULL) {
+ VIR_WARN0("StoragePool name already exists.");
+ goto err;
+ }
+
+ /* checking if ID or UUID already exists on this system */
+ if (phypGetStoragePoolLookUpByUUID(conn, def->uuid) != NULL) {
+ VIR_WARN0("StoragePool uuid already exists.");
+ goto err;
+ }
+
+ if ((sp = virGetStoragePool(conn, def->name, def->uuid)) == NULL)
+ goto err;
+
+ if (phypBuildStoragePool(conn, def) == -1)
+ goto err;
+
+ return sp;
+
+ err:
+ virStoragePoolDefFree(def);
+ if (sp)
+ virUnrefStoragePool(sp);
+ return NULL;
+}
+
+char *
+phypGetStoragePoolXMLDesc(virStoragePoolPtr pool,
+ unsigned int flags ATTRIBUTE_UNUSED)
+{
+ virStoragePoolDef def;
+ memset(&def, 0, sizeof(virStoragePoolDef));
+
+ if (pool->name != NULL)
+ def.name = pool->name;
+ else {
+ VIR_ERROR("%s", "Unable to determine storage pool's name.");
+ goto err;
+ }
+
+ if (memmove(def.uuid, pool->uuid, VIR_UUID_BUFLEN) == NULL) {
+ VIR_ERROR("%s", "Unable to determine storage pool's uuid.");
+ goto err;
+ }
+
+ if ((def.capacity =
+ phypGetStoragePoolSize(pool->conn, pool->name)) == -1) {
+ VIR_ERROR("%s", "Unable to determine storage pools's size.");
+ goto err;
+ }
+
+ /* Information not avaliable */
+ def.allocation = 0;
+ def.available = 0;
+
+ def.source.ndevice = 1;
+
+ /*XXX source adapter not working properly, should show hdiskX */
+ if ((def.source.adapter =
+ phypGetStoragePoolDevice(pool->conn, pool->name)) == NULL) {
+ VIR_ERROR("%s",
+ "Unable to determine storage pools's source adapter.");
+ goto err;
+ }
+
+ return virStoragePoolDefFormat(&def);
+
+ err:
+ return NULL;
+}
+
+static int
+phypGetStoragePoolUUID(virConnectPtr conn, unsigned char *uuid,
+ const char *name)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ char *cmd = NULL;
+ char *ret = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lsdev -dev %s -attr vgserial_id'", name);
+ } else {
+ virBufferVSprintf(&buf, "lsdev -dev %s -attr vgserial_id", name);
+ }
+ virBufferVSprintf(&buf, "|sed '1d'|sed '1d'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ if (memmove(uuid, ret, VIR_UUID_BUFLEN) == NULL)
+ goto err;
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return 0;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+virStoragePoolPtr
+phypGetStoragePoolLookUpByUUID(virConnectPtr conn,
+ const unsigned char *uuid)
+{
+ virStoragePoolPtr sp = NULL;
+ int npools = 0;
+ int gotpools = 0;
+ char **pools = NULL;
+ unsigned int i = 0;
+ unsigned char *local_uuid = NULL;
+
+ if (VIR_ALLOC_N(local_uuid, VIR_UUID_BUFLEN) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+
+ if ((npools = phypNumOfStoragePools(conn)) == -1) {
+ virReportOOMError();
+ goto err;
+ }
+
+ if (VIR_ALLOC_N(pools, npools) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+
+ if ((gotpools = phypListStoragePools(conn, pools, npools)) == -1) {
+ virReportOOMError();
+ goto err;
+ }
+
+ if (gotpools != npools) {
+ virReportOOMError();
+ goto err;
+ }
+
+ for (i = 0; i < gotpools; i++) {
+ if (phypGetStoragePoolUUID(conn, local_uuid, pools[i]) == -1)
+ continue;
+
+ if (STREQLEN((char *) local_uuid, (char *) uuid, VIR_UUID_BUFLEN)) {
+ sp = virGetStoragePool(conn, pools[i], uuid);
+ VIR_FREE(local_uuid);
+ VIR_FREE(pools);
+
+ if (sp)
+ return sp;
+ else
+ goto err;
+ }
+ }
+
+ err:
+ VIR_FREE(local_uuid);
+ VIR_FREE(pools);
+ return NULL;
+}
+
+virStoragePoolPtr
+phypStoragePoolLookupByName(virConnectPtr conn, const char *name)
+{
+ unsigned char uuid[VIR_UUID_BUFLEN];
+
+ if (phypGetStoragePoolUUID(conn, uuid, name) == -1)
+ return NULL;
+
+ return virGetStoragePool(conn, name, uuid);
+}
+
+int
+phypNumOfStoragePools(virConnectPtr conn)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
+ int exit_status = 0;
+ int nsp = 0;
+ char *cmd = NULL;
+ char *ret = NULL;
+ char *managed_system = phyp_driver->managed_system;
+ int vios_id = phyp_driver->vios_id;
+ char *char_ptr;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lsvg'");
+ } else {
+ virBufferVSprintf(&buf, "lsvg");
+ }
+ virBufferVSprintf(&buf, "grep -c '^.*$'");
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+
+ if (virStrToLong_i(ret, &char_ptr, 10, &nsp) == -1)
+ goto err;
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return nsp;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
+int
+phypListStoragePools(virConnectPtr conn, char **const pools, int npools)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *managed_system = phyp_driver->managed_system;
+ int system_type = phyp_driver->system_type;
+ int vios_id = phyp_driver->vios_id;
+ int exit_status = 0;
+ int got = 0;
+ int i;
+ char *cmd = NULL;
+ char *ret = NULL;
+ char *storage_pools = NULL;
+ char *char_ptr2 = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+
+ if (system_type == HMC) {
+ virBufferVSprintf(&buf, "viosvrcmd -m %s --id %d -c ",
+ managed_system, vios_id);
+ virBufferVSprintf(&buf, "'lsvg'");
+ } else {
+ virBufferVSprintf(&buf, "lsvg");
+ }
+
+ if (virBufferError(&buf)) {
+ virBufferFreeAndReset(&buf);
+ virReportOOMError();
+ return -1;
+ }
+ cmd = virBufferContentAndReset(&buf);
+
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ /* I need to parse the textual return in order to get the storage pools */
+ if (exit_status < 0 || ret == NULL)
+ goto err;
+ else {
+ storage_pools = ret;
+
+ while (got < npools) {
+ char_ptr2 = strchr(storage_pools, '\n');
+
+ if (char_ptr2) {
+ *char_ptr2 = '\0';
+ if ((pools[got++] = strdup(storage_pools)) == NULL) {
+ virReportOOMError();
+ goto err;
+ }
+ char_ptr2++;
+ storage_pools = char_ptr2;
+ } else
+ break;
+ }
+ }
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return got;
+
+ err:
+ for (i = 0; i < got; i++)
+ VIR_FREE(pools[i]);
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+virDrvOpenStatus
+phypStorageOpen(virConnectPtr conn ATTRIBUTE_UNUSED,
+ virConnectAuthPtr auth ATTRIBUTE_UNUSED,
+ int flags ATTRIBUTE_UNUSED)
+{
+ return VIR_DRV_OPEN_SUCCESS;
+}
+
+int
+phypStorageClose(virConnectPtr conn ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
int
phypBuildLpar(virConnectPtr conn, virDomainDefPtr def)
{
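Review bot: Every storage function in this hunk formats caller-controlled names straight into the command string handed to phypExec (vol->name in phypVolumeGetPath, pool->name in phypStoragePoolListVolumes, phypStoragePoolNumOfVolumes and phypDestroyStoragePool, def->name and source.adapter from the parsed XML in phypBuildStoragePool), and those strings are shell pipelines (`|sed`, `|grep`), so a name containing a quote, `;`, `|` or a backtick changes what runs on the remote system. Please validate these names against a restricted character set before building the command, or escape them, and fail the call otherwise. Separately: phypNumOfStoragePools appends "grep -c '^.*$'" with no leading `|`, so the command becomes `lsvggrep -c ...`; phypDestroyStoragePool fills cmd from the buffer and then overwrites it with virAsprintf, which leaks the first string and discards the non-HMC branch, and its error text says "Unable to create Storage Pool"; phypGetStoragePoolUUID copies VIR_UUID_BUFLEN bytes out of ret without checking that the returned output is that long, and memmove never returns NULL so that check is dead code.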
@@ -2360,6 +3990,10 @@ waitsocket(int socket_fd, LIBSSH2_SESSION * session)
int
phypRegister(void)
{
- virRegisterDriver(&phypDriver);
+ if (virRegisterDriver(&phypDriver) < 0)
+ return -1;
+ if (virRegisterStorageDriver(&phypStorageDriver) < 0)
+ return -1;
+
return 0;
}
diff --git a/src/phyp/phyp_driver.h b/src/phyp/phyp_driver.h
index 80ff0c3..2606fe4 100644
--- a/src/phyp/phyp_driver.h
+++ b/src/phyp/phyp_driver.h
@@ -75,6 +75,58 @@ struct _phyp_driver {
char *managed_system;
};
+
+/*
+ * Storage functions
+ * */
+virStorageVolPtr
+phypStorageVolCreateXML(virStoragePoolPtr pool, const char *xmldesc,
+ unsigned int flags ATTRIBUTE_UNUSED);
+
+virStorageVolPtr phypVolumeLookupByPath (virConnectPtr pool, const char *path);
+
+char *phypVolumeGetXMLDesc(virStorageVolPtr vol,
+ unsigned int flags ATTRIBUTE_UNUSED);
+
+char *phypVolumeGetPath(virStorageVolPtr vol);
+
+virStorageVolPtr phypVolumeLookupByName(virStoragePoolPtr pool,
+ const char *name);
+
+int phypStoragePoolListVolumes(virStoragePoolPtr pool,
+ char **const volumes, int maxvolumes);
+
+int phypStoragePoolNumOfVolumes(virStoragePoolPtr pool);
+
+int phypDestroyStoragePool(virStoragePoolPtr pool);
+
+virStoragePoolPtr phypStoragePoolCreateXML(virConnectPtr conn,
+ const char *xml,
+ unsigned int flags
+ ATTRIBUTE_UNUSED);
+
+int phypNumOfStoragePools(virConnectPtr conn);
+
+int phypListStoragePools(virConnectPtr conn, char **const pools,
+ int npools);
+
+virStoragePoolPtr phypStoragePoolLookupByName(virConnectPtr conn, const char *name);
+
+virStoragePoolPtr phypGetStoragePoolLookUpByUUID(virConnectPtr conn, const unsigned char *uuid);
+
+char * phypGetStoragePoolXMLDesc(virStoragePoolPtr pool, unsigned int flags);
+
+virDrvOpenStatus phypStorageOpen(virConnectPtr conn ATTRIBUTE_UNUSED,
+ virConnectAuthPtr auth ATTRIBUTE_UNUSED,
+ int flags ATTRIBUTE_UNUSED);
+
+int phypStorageClose(virConnectPtr conn);
+
+/*
+ * Driver functions
+ * */
+int phypAttachDevice(virDomainPtr domain, const char *xml);
+
int phypCheckSPFreeSapce(virConnectPtr conn, int required_size, char *sp);
int phypGetSystemType(virConnectPtr conn);
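Review bot: phypVolumeLookupByPath declares its virConnectPtr parameter as `pool`, which reads as a storage pool handle; name it `conn` like the other connection-taking prototypes. The ATTRIBUTE_UNUSED annotations belong on the definitions rather than the prototypes, and they are applied inconsistently here: phypStorageVolCreateXML, phypVolumeGetXMLDesc, phypStoragePoolCreateXML and phypStorageOpen carry them, while phypGetStoragePoolXMLDesc and phypStorageClose do not although their definitions in phyp_driver.c do. phypStoragePoolListVolumes also names its last parameter `maxvolumes` here but `nvolumes` in the definition; pick one.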
--
1.7.0.4
[libvirt] [PATCH 0/2] Avoid blocking during QEMU incoming migration
by Daniel P. Berrange 24 Jun '10
If you run a migration operation and attempt to do
virsh list
on the incoming destination, it will be blocked until migration
completes. This is not desirable; the job framework should avoid this
happening, but the job was not maintained across the Prepare+Finish
API calls. These two patches address that problem.
[libvirt] [PATCH v2] [TCK] [REPOST] nwfilter: apply filters and check firewall rules
by Stefan Berger 24 Jun '10
V2:
- Following Daniel Berrange's suggestions
- if LIBVIRT_TCK_CONFIG is set, read the last occurrence of "^uri/s=" and assign the value to LIBVIRT_URI
- check that LIBVIRT_URI is set to qemu:///system, otherwise skip test
- if allowed, remove all VMs and nwfilters starting with tck-
- rename all VMs and nwfilters created by this test program to start with 'tck-'
- other:
- terminate if sourcing the test-lib.sh from libvirt's tests dir is missing (would need to be copied)
- redirect stderr to stdout wherever output is read into a variable
This is a patch I previously posted for use in the tests/ directory of libvirt. Now I ported it to the TCK project and extended the script with output in the Test Anything Protocol (TAP) format. It now allows multiple output formats chosen via command line parameter supporting TAP (--tap-test), the output format used in the libvirt tests directory (the '.' and '!') (--libvirt-test) and one where all tests are displayed (--verbose).
The program basically creates a filter called tck-testcase and two VMs where one of them references the tck-testcase filter and the other a filter called nwfiltertestfilter. The tck-testcase filter is then subsequently modified and the effect on iptables, ebtables and ip6tables verified against expected output for both VMs. The VMs are torn down at the end and the test filters removed.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
scripts/nwfilter/100-apply-verify.t | 10
scripts/nwfilter/nwfilter2vmtest.sh | 635 ++++++++++
scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall | 32
scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall | 30
scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall | 9
scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall | 24
scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall | 68 +
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall | 12
scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall | 19
scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall | 13
scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall | 12
scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall | 9
scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat | 73 +
scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall | 26
scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/ah-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/all-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml | 33
scripts/nwfilter/nwfilterxml2xmlin/conntrack-test.xml | 12
scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/esp-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml | 56
scripts/nwfilter/nwfilterxml2xmlin/icmp-direction-test.xml | 15
scripts/nwfilter/nwfilterxml2xmlin/icmp-direction2-test.xml | 15
scripts/nwfilter/nwfilterxml2xmlin/icmp-direction3-test.xml | 10
scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/igmp-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml | 34
scripts/nwfilter/nwfilterxml2xmlin/ipt-no-macspoof-test.xml | 14
scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml | 43
scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml | 23
scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml | 33
scripts/nwfilter/nwfilterxml2xmlin/ref-rule-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/ref-test.xml | 4
scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/udplite-test.xml | 18
61 files changed, 2059 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -0,0 +1,635 @@
+#!/bin/bash
+
+ORIG_IFNAME="vnet0"
+ATTACH_IFNAME="attach0"
+TESTFILTERNAME="nwfiltertestfilter"
+TESTVM2FWALLDATA="nwfilterxml2fwallout/testvm.fwall.dat"
+
+
+LIBVIRTD=`type -P ${PWD}/../daemon/libvirtd`
+if [ "x${LIBVIRTD}x" == "xx" ]; then
+ LIBVIRTD=`type -P libvirtd`
+fi
+
+VIRSH=`type -P ${PWD}/../tools/virsh`
+if [ "x${VIRSH}x" == "xx" ]; then
+ VIRSH=`type -P virsh`
+fi
+
+LD_LIBRARY_PATH="${PWD}../src/.libs/"
+
+uri="qemu:///system"
+if [ "x${LIBVIRT_TCK_CONFIG}x" != "xx" ]; then
+ uri_exp=`cat ${LIBVIRT_TCK_CONFIG} | grep "^uri\s*=" | tail -n 1`
+ if [ "x${uri_exp}x" != "xx" ]; then
+ eval ${uri_exp}
+ fi
+fi
+LIBVIRT_URI=${uri}
+
+# Maybe no libvirtd was built
+[ -z ${LIBVIRTD} ] && exit 0;
+
+FLAG_WAIT="$((1<<0))"
+FLAG_ATTACH="$((1<<1))"
+FLAG_VERBOSE="$((1<<2))"
+FLAG_LIBVIRT_TEST="$((1<<3))"
+FLAG_TAP_TEST="$((1<<4))"
+
+failctr=0
+passctr=0
+attachfailctr=0
+attachctr=0
+
+TAP_FAIL_LIST=""
+TAP_FAIL_CTR=0
+TAP_TOT_CTR=0
+
+function usage() {
+ local cmd="$0"
+cat <<EOF
+Usage: ${cmd} [--help|-h|-?] [--noattach] [--wait] [--verbose]
+ [--libvirt-test] [--tap-test]
+
+Options:
+ --help,-h,-? : Display this help screen.
+ --noattach : Skip tests that attach and detach a network interface
+ --wait : Wait for the user to press the enter key once an error
+ was detected
+ --verbose : Verbose output
+ --libvirt-test : Use the libvirt test output format
+ --tap-test : TAP format output
+
+This test will create two virtual machines. The one virtual machine
+will use a filter called '${TESTFILTERNAME}', and reference the filter
+'clean-traffic' which should be available by default with every install.
+The other virtual machine will reference the filter 'tck-testcase' and will
+have its filter permanently updated.
+EOF
+}
+
+
+function tap_fail() {
+ echo "not ok $1 - ${2:0:66}"
+ TAP_FAIL_LIST+="$1 "
+ ((TAP_FAIL_CTR++))
+ ((TAP_TOT_CTR++))
+}
+
+function tap_pass() {
+ echo "ok $1 - ${2:0:70}"
+ ((TAP_TOT_CTR++))
+}
+
+function tap_final() {
+ local okay
+
+ [ -n "${TAP_FAIL_LIST}" ] && echo "FAILED tests ${TAP_FAIL_LIST}"
+
+ okay=`echo "($TAP_TOT_CTR-$TAP_FAIL_CTR)*100/$TAP_TOT_CTR" | bc -l`
+ echo "Failed ${TAP_FAIL_CTR}/${TAP_TOT_CTR} tests, ${okay:0:5}% okay"
+}
+
+# A wrapper for mktemp in case it does not exist
+# Echos the name of a temporary file.
+function mktmpfile() {
+ local tmp
+ type -P mktemp > /dev/null
+ if [ $? -eq 0 ]; then
+ tmp=$(mktemp -t nwfvmtest.XXXXXX)
+ echo ${tmp}
+ else
+ while :; do
+ tmp="/tmp/nwfvmtest.${RANDOM}"
+ if [ ! -f ${tmp} ]; then
+ touch ${tmp}
+ chmod 666 ${tmp}
+ echo ${tmp}
+ break
+ fi
+ done
+ fi
+ return 0
+}
+
+
+function checkExpectedOutput() {
+ local xmlfile="$1"
+ local fwallfile="$2"
+ local ifname="$3"
+ local flags="$4"
+ local skipregex="$5"
+ local regex="s/${ORIG_IFNAME}/${ifname}/g"
+ local cmd line tmpfile tmpfile2 skip
+
+ tmpfile=`mktmpfile`
+ tmpfile2=`mktmpfile`
+
+ exec 4<${fwallfile}
+
+ read <&4
+ line="${REPLY}"
+
+ while [ "x${line}x" != "xx" ]; do
+ cmd=`echo ${line##\#} | sed ${regex}`
+
+ skip=0
+ if [ "x${skipregex}x" != "xx" ]; then
+ skip=`echo ${cmd} | grep -c -E ${skipregex}`
+ fi
+
+ eval ${cmd} 2>&1 | tee ${tmpfile} 1>/dev/null
+
+ rm ${tmpfile2} 2>/dev/null
+ touch ${tmpfile2}
+
+ while [ 1 ]; do
+ read <&4
+ line="${REPLY}"
+
+ if [ "${line:0:1}" == "#" ] || [ "x${line}x" == "xx" ]; then
+
+ if [ ${skip} -ne 0 ]; then
+ break
+ fi
+
+ diff ${tmpfile} ${tmpfile2} >/dev/null
+
+ if [ $? -ne 0 ]; then
+ if [ $((flags & FLAG_VERBOSE)) -ne 0 ]; then
+ echo "FAIL ${xmlfile} : ${cmd}"
+ diff ${tmpfile} ${tmpfile2}
+ fi
+ ((failctr++))
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "tmp files: $tmpfile, $tmpfile2"
+ echo "Press enter"
+ read
+ fi
+ [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+ test_result $((passctr+failctr)) "" 1
+ [ $((flags & FLAG_TAP_TEST)) -ne 0 ] && \
+ tap_fail $((passctr+failctr)) "${xmlfile} : ${cmd}"
+ else
+ ((passctr++))
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && \
+ echo "PASS ${xmlfile} : ${cmd}"
+ [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+ test_result $((passctr+failctr)) "" 0
+ [ $((flags & FLAG_TAP_TEST)) -ne 0 ] && \
+ tap_pass $((passctr+failctr)) "${xmlfile} : ${cmd}"
+ fi
+
+ break
+
+ fi
+ echo "${line}" | sed ${regex} >> ${tmpfile2}
+ done
+ done
+
+ exec 4>&-
+
+ rm -rf "${tmpfile}" "${tmpfile2}" 2>/dev/null
+}
+
+
+function doTest() {
+ local xmlfile="$1"
+ local fwallfile="$2"
+ local vm1name="$3"
+ local vm2name="$4"
+ local flags="$5"
+ local testnum="$6"
+ local linenums ctr=0
+ local tmpfile b msg rc
+
+ if [ ! -r "${xmlfile}" ]; then
+ echo "FAIL : Cannot access filter XML file ${xmlfile}."
+ return 1
+ fi
+
+ ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+
+ checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" "${flags}" \
+ ""
+
+ checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
+ "${vm2name}" "${flags}" ""
+
+ if [ $((flags & FLAG_ATTACH)) -ne 0 ]; then
+
+ tmpfile=`mktmpfile`
+
+ b=`{ ${VIRSH} dumpxml ${vm1name} | tr -d "\n"; echo; } | \
+ sed "s/.*\<interface.*source bridge='\([a-zA-Z0-9_]\+\)'.*<\/interface>.*/\1/"`
+
+ cat >>${tmpfile} <<EOF
+<interface type='bridge'>
+ <source bridge='${b}'/>
+ <mac address='52:54:00:11:22:33'/>
+ <target dev='${ATTACH_IFNAME}'/>
+ <filterref filter='tck-testcase'/>
+</interface>
+EOF
+ msg=`${VIRSH} attach-device "${vm1name}" "${tmpfile}" > /dev/null`
+ rc=$?
+
+ ((attachctr++))
+
+ if [ $rc -eq 0 ]; then
+ checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \
+ "${flags}" "(PRE|POST)ROUTING"
+ checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
+ "${vm2name}" "${flags}" "(PRE|POST)ROUTING"
+ msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"`
+ if [ $? -ne 0 ]; then
+ echo "FAIL: Detach of interface failed."
+ fi
+ else
+ if [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ # In case of TAP, run the test anyway so we get to the full number
+ # of tests
+ checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \
+ "${flags}" "" #"(PRE|POST)ROUTING"
+ checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
+ "${vm2name}" "${flags}" #"(PRE|POST)ROUTING"
+ fi
+
+ ((attachfailctr++))
+ if [ $((flags & FLAG_VERBOSE)) -ne 0 ]; then
+ echo "FAIL: Could not attach interface to vm ${vm1name}."
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter"
+ read
+ fi
+ fi
+ fi
+
+ rm -rf ${tmpfile}
+ fi
+
+ return 0
+}
+
+
+function runTests() {
+ local vm1name="$1"
+ local vm2name="$2"
+ local xmldir="$3"
+ local fwalldir="$4"
+ local flags="$5"
+ local fwallfiles f c
+ local tap_total=0 ctr=0
+
+ pushd ${PWD} > /dev/null
+ cd ${fwalldir}
+ fwallfiles=`ls *.fwall`
+ popd > /dev/null
+
+ if [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ # Need to count the number of total tests
+ for fil in ${fwallfiles}; do
+ c=$(grep -c "^#" ${fwalldir}/${fil})
+ ((tap_total+=c))
+ ((ctr++))
+ done
+ c=$(grep -c "^#" "${TESTVM2FWALLDATA}")
+ ((tap_total+=c*ctr))
+ [ $((flags & FLAG_ATTACH)) -ne 0 ] && ((tap_total*=2))
+ echo "1..${tap_total}"
+ fi
+
+ for fil in ${fwallfiles}; do
+ f=${fil%%.fwall}
+ doTest "${xmldir}/${f}.xml" "${fwalldir}/${fil}" "${vm1name}" \
+ "${vm2name}" "${flags}"
+ done
+
+ if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then
+ test_final $((passctr+failctr)) $failctr
+ elif [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ tap_final
+ else
+ echo ""
+ echo "Summary: ${failctr} failures, ${passctr} passes,"
+ if [ ${attachctr} -ne 0 ]; then
+ echo " ${attachfailctr} interface attachment failures with ${attachctr} attempts"
+ fi
+ fi
+}
+
+
+function createVM() {
+ local vmname="$1"
+ local filtername="$2"
+ local ipaddr="$3"
+ local macaddr="$4"
+ local flags="$5"
+ local res
+ local tmpfile='mktmpfile'
+
+ cat > ${tmpfile} << EOF
+ <domain type='kvm'>
+ <name>${vmname}</name>
+ <memory>32768</memory>
+ <currentMemory>32768</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-0.11'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-kvm</emulator>
+ <interface type='bridge'>
+ <mac address='${macaddr}'/>
+ <source bridge='virbr0'/>
+ <filterref filter='${filtername}'>
+ <parameter name='IP' value='${ipaddr}'/>
+ </filterref>
+ <target dev='${vmname}'/>
+ </interface>
+ <console type='pty'>
+ </console>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ </devices>
+ </domain>
+EOF
+
+ res=$(${VIRSH} define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define VM ${vmname} : ${res}"
+ return 1
+ fi
+
+ res=$(${VIRSH} start ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not start VM ${vmname} : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ $(${VIRSH} undefine ${vmname})
+ return 1
+ fi
+
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Created VM ${vmname}."
+
+ rm -rf ${tmpfile}
+
+ return 0
+}
+
+
+function destroyVM() {
+ local vmname="$1"
+ local flags="$2"
+ local res
+
+ res=$(${VIRSH} destroy ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not destroy VM ${vmname} : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+
+ res=$(${VIRSH} undefine ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine VM ${vmname} : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Destroyed VM ${vmname}."
+
+ return 0
+}
+
+
+function createTestFilters() {
+ local flags="$1"
+ local tmpfile=`mktmpfile`
+ local res
+
+ cat >${tmpfile} << EOF
+<filter name="${TESTFILTERNAME}">
+ <filterref filter='clean-traffic'/>
+
+ <rule action='drop' direction='inout' priority='1000'>
+ <all/>
+ </rule>
+
+ <rule action='drop' direction='inout' priority='1000'>
+ <all-ipv6/>
+ </rule>
+</filter>
+EOF
+ res=$(${VIRSH} nwfilter-define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ rm -rf ${tmpfile}
+ return 1
+ fi
+
+ cat >${tmpfile} << EOF
+<filter name="tck-testcase">
+</filter>
+EOF
+ res=$(${VIRSH} nwfilter-define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ rm -rf ${tmpfile}
+ return 1
+ fi
+
+ rm -rf ${tmpfile}
+
+ return 0
+}
+
+
+function deleteTestFilter() {
+ local flags="$1"
+ local res
+
+ res=$(${VIRSH} nwfilter-undefine ${TESTFILTERNAME} 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+ res=$(${VIRSH} nwfilter-undefine tck-testcase 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+ return 0
+}
+
+
+function main() {
+ local prgname="$0"
+ local vm1 vm2
+ local xmldir="nwfilterxml2xmlin"
+ local fwalldir="nwfilterxml2fwallout"
+ local found=0 vms res
+ local filtername="tck-testcase"
+ local libvirtdpid=-1
+ local flags OPWD
+
+ ((flags=${FLAG_ATTACH}))
+
+ while [ $# -ne 0 ]; do
+ case "$1" in
+ --help|-h|-\?) usage ${prgname}; exit 0;;
+ --noattach) ((flags ^= FLAG_ATTACH ));;
+ --wait) ((flags |= FLAG_WAIT ));;
+ --verbose) ((flags |= FLAG_VERBOSE ));;
+ --libvirt-test) ((flags |= FLAG_LIBVIRT_TEST ));;
+ --tap-test) ((flags |= FLAG_TAP_TEST ));;
+ *) usage ${prgname}; exit 1;;
+ esac
+ shift 1
+ done
+
+ if [ `uname` != "Linux" ]; then
+ echo "This script will only run on Linux."
+ exit 1;
+ fi
+
+ if [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ if [ "${LIBVIRT_URI}" != "qemu:///system" ]; then
+ echo "1..0 # Skipped: Only valid for Qemu system driver"
+ exit 0
+ fi
+
+ for name in `virsh nwfilter-list | awk '{print $2}'`
+ do
+ case ${name} in
+ tck*)
+ if [ "x${LIBVIRT_TCK_AUTOCLEAN}" == "x1" ]; then
+ res=$(virsh nwfilter-undefine ${name} 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Bail out! Could not undefine nwfiler ${name}: ${res}"
+ exit 0
+ fi
+ else
+ echo "Bail out! Filter ${name} already exists, use --force to clean"
+ exit 1
+ fi
+ esac
+ done
+
+ for name in `virsh nwfilter-list | awk '{print $2}'`
+ do
+ case ${name} in
+ tck*)
+ if [ "x${LIBVIRT_TCK_AUTOCLEAN}" == "x1" ]; then
+ res=$(virsh undefine ${name} 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Bail out! Could not undefine domain ${name}: ${res}"
+ exit 1
+ fi
+ else
+ echo "Bail out! Domain ${name} already exists, use --force to clean"
+ exit 1
+ fi
+ esac
+ done
+ fi
+
+ if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then
+ pushd ${PWD} > /dev/null
+ . test-lib.sh
+ if [ $? -ne 0 ]; then
+ exit 1
+ fi
+ test_intro $this_test
+ popd > /dev/null
+ fi
+
+ res=$(${VIRSH} capabilities 2>&1)
+
+ if [ $? -ne 0 ]; then
+ if [ "x${LIBVIRTD}x" == "xx" ]; then
+ echo "Cannot find libvirtd. Exiting."
+ exit 1
+ fi
+
+ rm -rf pid-file 2>/dev/null
+ ${LIBVIRTD} --pid-file=pid-file 2>/dev/null 1>/dev/null &
+ libvirtdpid=$!
+ sleep 2
+
+ res=$(${VIRSH} capabilities 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Could not start the libvirt daemon : $res"
+ echo "Exiting."
+ exit 1
+ fi
+ fi
+
+ vm1="tck-testvm${RANDOM}"
+ vm2="tck-testvm${RANDOM}"
+
+ createTestFilters "${flags}"
+ if [ $? -ne 0 ]; then
+ exit 1;
+ fi
+
+ createVM "${vm1}" "tck-testcase" "10.2.2.2" "52:54:0:0:0:1" "${flags}"
+ if [ $? -ne 0 ]; then
+ echo "Could not create VM ${vm1}. Exiting."
+ exit 1
+ fi
+
+ createVM "${vm2}" "${TESTFILTERNAME}" "10.1.1.1" "52:54:0:9f:33:da" \
+ "${flags}"
+ if [ $? -ne 0 ]; then
+ echo "Could not create VM ${vm2}. Exiting."
+ destroyVM "${vm1}" "${flags}"
+ exit 1
+ fi
+
+ runTests "${vm1}" "${vm2}" "${xmldir}" "${fwalldir}" "${flags}"
+
+ destroyVM "${vm1}" "${flags}"
+ destroyVM "${vm2}" "${flags}"
+ deleteTestFilter "${flags}"
+
+ [ ${libvirtdpid} -ge 0 ] && kill -9 ${libvirtdpid}
+ rm -rf pid-file 2>/dev/null
+
+ return 0
+}
+
+main "$@"
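Review bot: In main(), the second cleanup loop of the --tap-test branch iterates over "virsh nwfilter-list" a second time but then calls "virsh undefine ${name}" and reports a domain, so leftover tck* domains from an earlier run are never detected. That loop should walk the domain list instead (for example the names printed by "virsh list --all"). In the same branch the first "Bail out!" path ends with "exit 0" while the others use "exit 1", and both "already exists" messages point the user at a --force option that the argument parser above does not accept; the switch actually tested is LIBVIRT_TCK_AUTOCLEAN, so the message should name that.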
Index: libvirt-tck/scripts/nwfilter/100-apply-verify.t
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/100-apply-verify.t
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+pwd=$(dirname $0)
+
+pushd ${PWD} > /dev/null
+
+cd ${pwd}
+bash ./nwfilter2vmtest.sh --tap-test --noattach
+
+popd > /dev/null
\ No newline at end of file
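Review bot: The exit status of nwfilter2vmtest.sh is lost because popd is the last command of the script, so this .t file exits 0 even when the test script fails. Save $? right after the bash call and exit with it after popd. The expansions in "dirname $0" and "cd ${pwd}" should be quoted, the lowercase variable pwd next to ${PWD} is easy to misread (a name such as scriptdir would be clearer), and the file is missing its trailing newline.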
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+
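Review bot: The interface name vnet0 is hard-coded in both the ebtables command lines and the expected rules, so as written this file only matches when the test guest receives the first tap device on the host. Either state that requirement in a comment at the top of the file, or use a placeholder that the runner replaces with the actual interface name before comparing.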
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
@@ -0,0 +1,33 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535' />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65536' hwtype='65536' protocoltype='65536' />
+ </rule>
+</filter>
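Review bot: The last rule sets opcode, hwtype and protocoltype to '65536', one past the 16-bit maximum used in the rule before it, and nothing in the file says this is a deliberate out-of-range case. Add an XML comment above that rule giving the intent and the expected result (arp-test.fwall expects a bare "-p ARP -s 1:2:3:4:5:6 -j ACCEPT" as its fifth rule), so that a later reader does not correct the values and silently change what the test covers.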
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
@@ -0,0 +1,73 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -j I-vnet0-ipv4
+-p ARP -j I-vnet0-arp
+-p 0x8035 -j I-vnet0-rarp
+-p 0x835 -j ACCEPT
+-j DROP
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -j O-vnet0-ipv4
+-p ARP -j O-vnet0-arp
+-p 0x8035 -j O-vnet0-rarp
+-j DROP
+#ebtables -t nat -L I-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
+-s ! 52:54:0:9f:33:da -j DROP
+-p IPv4 --ip-src ! 10.1.1.1 -j DROP
+#ebtables -t nat -L O-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
+-j ACCEPT
+#ebtables -t nat -L I-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
+-s ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-mac-src ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-ip-src ! 10.1.1.1 -j DROP
+-p ARP --arp-op Request -j ACCEPT
+-p ARP --arp-op Reply -j ACCEPT
+-j DROP
+#ebtables -t nat -L O-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
+-p ARP --arp-op Reply --arp-mac-dst ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-ip-dst ! 10.1.1.1 -j DROP
+-p ARP --arp-op Request -j ACCEPT
+-p ARP --arp-op Reply -j ACCEPT
+-j DROP
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
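Review bot: "-p 0x835 -j ACCEPT" in the libvirt-I-vnet0 chain looks like a typo for 0x8035, the value matched on the line directly above it and again in libvirt-O-vnet0. If the value originates in the referenced filter rather than in this file, it should be fixed there first, because this expected output would otherwise pin the wrong value. The MAC address 52:54:0:9f:33:da and the IP address 10.1.1.1 repeat the arguments of the second createVM call in nwfilter2vmtest.sh; a comment at the top of this file naming that dependency would keep the two in step.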
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
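Review bot: The third rule uses srcipmask='129', which is past the longest IPv6 prefix length of 128, with no comment saying that it is a negative case or what the generated rule should look like. Please add an XML comment above that rule. The same undocumented value appears in the other -ipv6 test files in this patch (all-ipv6, esp-ipv6, icmpv6, sctp-ipv6, tcp-ipv6, udp-ipv6, udplite-ipv6), so one sentence repeated in each would do.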
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
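Review bot: The second and third rules are identical (direction='in', srcipaddr='10.1.2.3', srcipmask='22', dscp='33'), so the third rule adds no coverage. In ah-ipv6-test.xml the third rule differs from the second by its mask; was a varied value intended here as well? Either change the third rule so that it tests something different or drop it. all-test.xml, esp-test.xml and igmp-test.xml in this patch carry the same duplicated pair.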
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/conntrack-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/conntrack-test.xml
@@ -0,0 +1,12 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <icmp connlimit-above='1'/>
+ </rule>
+ <rule action='drop' direction='out' priority='500'>
+ <tcp connlimit-above='2'/>
+ </rule>
+ <rule action='accept' direction='out' priority='500'>
+ <all/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
@@ -0,0 +1,56 @@
+<filter name='tck-testcase'>
+ <uuid>01a992d2-f8c8-7c27-f69b-ab0a9d377379</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='0x123' srcportend='0x234'
+ dstportstart='0x3456' dstportend='0x4567'
+ dscp='0x32'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='tcp'
+ srcportstart='0x111' srcportend='400'
+ dstportstart='0x3333' dstportend='65535'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='0x12'
+ protocoltype='0x56'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='0x22'
+ srcportstart='0x123' srcportend='400'
+ dstportstart='0x234' dstportend='0x444'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x40'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'/>
+ </rule>
+
+</filter>
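Review bot: In the last rule (tcp-ipv6), dscp='0x40' is 64, one past the largest value of the 6-bit DSCP field, while every other hex value in the file is in range. If this is meant to check range handling of hex input, say so in a comment above the rule; if the file is only meant to check hex parsing, use an in-range value such as the 0x22 and 0x32 used in the earlier rules.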
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction-test.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+ <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+ <!-- allow incoming ICMP Echo Reply -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Request -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction2-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction2-test.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <!-- allow incoming ICMP Echo Request -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Reply -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction3-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction3-test.xml
@@ -0,0 +1,10 @@
+<filter name='tck-testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp/>
+ </rule>
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <all/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' type='255' code='255'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' type='256' code='256'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33' type='255' code='255'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33' type='256' code='256'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/igmp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/igmp-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
@@ -0,0 +1,34 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.128.0'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.0'
+ protocol='17' dscp='63'
+ />
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.255.254'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.128'
+ protocol='255' dscp='64'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.255.127'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.254'
+ protocol='256' dscp='64'
+ />
+ </rule>
+</filter>
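Review bot: The last rule combines three out-of-range values at once (srcipmask='255.255.255.127', which is not a contiguous netmask, protocol='256' and dscp='64'), so a failure or a change in the generated output cannot be attributed to any one of them. Split them into separate rules with one invalid attribute each, and add a comment per rule stating the expected handling. The third rule already isolates dscp='64', which makes the repeat in the last rule redundant.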
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
@@ -0,0 +1,14 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='drop' direction='inout'>
+ <!-- should use $MAC for MAC address, but tests would depend on VM's
+ MAC address -->
+ <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+ </rule>
+
+ <rule action='drop' direction='in'>
+ <!-- not accepting incoming traffic from a certain MAC address -->
+ <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
@@ -0,0 +1,43 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='18'
+ />
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
@@ -0,0 +1,23 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='1536'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='15'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='65535'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
@@ -0,0 +1,33 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='rarp'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535' />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65536' hwtype='65536' protocoltype='65536' />
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-rule-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-rule-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-test.xml
@@ -0,0 +1,4 @@
+<filter name='tck-testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='false'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='0'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
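Review bot: In the second rule, srcipaddr='a:b:c' is not a complete IPv6 address; tcp-ipv6-test.xml and sctp-ipv6-test.xml use 'a:b:c::' in the otherwise identical rule. If this is a typo, add the trailing '::'. If it is a deliberate malformed-address case, add a comment saying so, since the rule is the only one of its kind in these files.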
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
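Review bot: the second and third rules are identical (direction='in', srcipaddr='10.1.2.3', srcipmask='22', dscp='33'), so the third adds no coverage. udplite-ipv6-test.xml varies the source address between its two 'in' rules; vary an attribute here as well or drop the duplicate.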
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN ah ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED
+RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED
+ACCEPT ah a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT ah ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT ah ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT ah ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
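Review bot: the "ip6tables -L INPUT -n --line-numbers | grep libvirt" check pins libvirt-host-in to rule number 1. If the position is part of what the test asserts, say so in the test description; if not, anything else on the host that inserts into INPUT after libvirt turns this into a failure unrelated to the filter under test, and the number should be stripped before comparing. Note also that ah-test.fwall has no equivalent INPUT check for iptables, so the two address families are not tested alike.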
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -0,0 +1,32 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN all ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED
+RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED
+ACCEPT all a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT all ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT all ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT all ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#ip6tables -L FORWARD --line-number | grep libvirt
+1 libvirt-in all anywhere anywhere
+2 libvirt-out all anywhere anywhere
+3 libvirt-in-post all anywhere anywhere
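Review bot: the last check, "ip6tables -L FORWARD --line-number | grep libvirt", is the only listing in this file run without -n, which is why its expected lines read "anywhere" where every other listing has "::/0". Add -n so the listing never depends on name resolution and the expected output uses one address format throughout. all-test.fwall carries the same command for iptables and needs the same change.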
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
@@ -0,0 +1,30 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L FORWARD --line-number | grep libvirt
+1 libvirt-in all -- anywhere anywhere
+2 libvirt-out all -- anywhere anywhere
+3 libvirt-in-post all -- anywhere anywhere
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
@@ -0,0 +1,24 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN esp ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED
+RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED
+ACCEPT esp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT esp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT esp ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT esp ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -0,0 +1,68 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p 0x1234 -j ACCEPT
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092
+#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::/128 tcp spts:256:4369 dpts:32:33
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
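Review bot: the libvirt-host-in, libvirt-in, libvirt-in-post and libvirt-out checks appear twice for each of iptables and ip6tables in this file. The second iptables set differs from the first only in grepping for vnet0 instead of HI-vnet0 and FI-vnet0, and the second ip6tables set repeats the first verbatim after the INPUT check. One set per tool is enough; remove the repeats or note why the hooks need to be checked again.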
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 state NEW,ESTABLISHED
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11
+ACCEPT icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
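Review bot: FO-vnet0 here has no ESTABLISHED mirror of the first FI-vnet0 rule (10.1.2.3, DSCP 0x02, icmp type 12 code 11), whereas ah-test.fwall and esp-test.fwall expect a mirrored rule in the opposite chain for each of their rules. If omitting the reverse rule for type-qualified ICMP is the intended behaviour, mention it in the commit message or the test description so the asymmetry is not read as a line missing from the expected output.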
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -0,0 +1,26 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 state NEW,ESTABLISHED
+ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11
+ACCEPT icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+
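Review bot: the hunk ends with an empty added line, so this expected output has a trailing blank line that ah-ipv6-test.fwall and esp-ipv6-test.fwall, which end on the same libvirt-out check, do not have. ip-test.fwall, mac-test.fwall and rarp-test.fwall also end with one. If the comparison against the command output is exact, the blank line matters; drop it or make the files consistent.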
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-proto udp --ip-sport 20:22 --ip-dport 100:101 -j ACCEPT
+-p IPv4 --ip-src 10.1.0.0/17 --ip-dst 10.1.2.0/24 --ip-tos 0x3F --ip-proto udp -j ACCEPT
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.3 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-proto 255 -j ACCEPT
+-p IPv4 --ip-src 10.1.2.3 --ip-dst 10.1.2.2/31 -j ACCEPT
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC ! 12:34:56:78:9A:BC
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC ! AA:AA:AA:AA:AA:AA
+#iptables -L HI-vnet0
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
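Review bot: "iptables -L HI-vnet0" is missing the -n that the FI-vnet0 and FO-vnet0 listings in this file use. The chain is expected to be empty, so the output matches either way, but add -n so the command does not change behaviour once a rule with an address lands in that chain.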
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
@@ -0,0 +1,13 @@
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT
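Review bot: the expected ebtables lines carry the protocol as the name "mux", while ip-test.fwall in this patch expects a number ("--ip-proto 255"). If that name is looked up from the host's protocol database at listing time, the comparison depends on the contents of that database on the test machine. Consider a protocol in the input XML that prints the same everywhere, or normalise the name the way rarp-test.fwall does with sed for 0x8035.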
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0x600 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0xffff -d aa:bb:cc:dd:ee:ff -j ACCEPT
+
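Review bot: The last added line of this file is empty, yet the preceding command filters its output with grep -v "^$", so no output line can correspond to it. rarp-test.fwall ends the same way while ipv6-test.fwall does not. Drop the trailing empty line, or state in the test script that blank lines in the expected file are ignored.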
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0 | sed s/0x8035/RARP/g | grep -v "^Bridge" | grep -v "^$"
+-p RARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+
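Review bot: The normalisation 'sed s/0x8035/RARP/g' on the first command line is unquoted and global, so it rewrites every 0x8035 on a line, including one that appears as an --arp-ptype value, and could then hide a wrong rule. Anchor it to the protocol field, for example sed 's/^-p 0x8035 /-p RARP /'. This file also lists only libvirt-I-vnet0 and PREROUTING; if the filter has outgoing rules, libvirt-O-vnet0 and POSTROUTING should be checked as in mac-test.fwall.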
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED
+ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
+ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT sctp ::/0 a:b:c::/128 DSCP match 0x21sctp spts:100:1111 dpts:20:21
+ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
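Review bot: The expected line '1 libvirt-host-in all ::/0 ::/0' for 'ip6tables -L INPUT -n --line-numbers | grep libvirt' asserts that the jump to libvirt-host-in is rule 1 of INPUT, which depends on nothing else on the test host placing a rule ahead of it. If first position is the property under test, say so in a comment in the test script and note that the test expects an otherwise untouched INPUT chain; if it is not, drop --line-numbers.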
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp spts:100:1111 dpts:20:21
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
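Review bot: Unlike sctp-ipv6-test.fwall, this file has no check that INPUT jumps to libvirt-host-in; it lists libvirt-host-in, libvirt-in, libvirt-in-post and libvirt-out only. Without that check the HI-vnet0 rules could be present but unreachable and the expected output would still match. Add the IPv4 counterpart of the 'ip6tables -L INPUT -n --line-numbers | grep libvirt' check.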
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
+ACCEPT tcp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT tcp ::/0 a:b:c::/128 DSCP match 0x21tcp spts:100:1111 dpts:20:21
+ACCEPT tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
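Review bot: The expected rule lines reproduce the ip6tables listing format verbatim, including the fused 'DSCP match 0x02state NEW,ESTABLISHED' and 'DSCP match 0x21tcp spts:100:1111', so a change in how the userspace tool prints a match would fail the test although the installed rules are unchanged. Consider comparing the rule specifications printed by 'ip6tables -S' for each chain instead, or record alongside the test data which iptables version the expected output was captured with.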
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535 dpts:255:256
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
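Review bot: The second and third rules of FI-vnet0 and FO-vnet0 carry no state match here ('RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp spts:100:1111 dpts:20:21'), whereas the same rules in tcp-ipv6-test.fwall, sctp-test.fwall and udp-test.fwall end in 'state ESTABLISHED' or 'state NEW,ESTABLISHED'. Either the TCP input filter differs from its siblings on purpose, in which case a comment should say why, or this expected output was captured from a run that dropped connection tracking on those rules, and the test would then lock in the weaker rule set.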
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state ESTABLISHED
+ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
+ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21
+ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
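Review bot: In all three chains the second rule matches '::/0 ::/0', where tcp-ipv6-test.fwall and sctp-ipv6-test.fwall have a:b:c::/128 on one side and udp-test.fwall has 10.1.2.3. Confirm that the UDP IPv6 input filter really omits the address on that rule; if it does not, this expected output accepts a rule that is wider than the filter asks for.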
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256 state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state NEW,ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp spts:100:1111 dpts:20:21
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
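Review bot: Whitespace is normalised with 'tr -s " "' only for the libvirt-host-in, libvirt-in and libvirt-out listings; the FI-vnet0, FO-vnet0, HI-vnet0 and libvirt-in-post listings are compared as printed. Apply the same normalisation to every command in the file so the result does not depend on column padding.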
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21state ESTABLISHED
+RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state ESTABLISHED
+ACCEPT udplite a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT udplite ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udplite ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT udplite ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
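Review bot: The second and third rules are identical in every chain (for FI-vnet0, 'RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED' twice), so the expected output cannot show that two different filter rules were each translated correctly. Give the third rule its own address or DSCP value, as the tcp, udp and sctp files do with 0x3f.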
24 Jun '10
This series adds controller support for the ESX driver. Also adds
required additions like the optional model attribute for the controller
element to get rid of the disk driver name abuse and support for wide
SCSI bus addresses.
Matthias
24 Jun '10
---
src/esx/esx_util.c | 10 ++--
src/esx/esx_util.h | 10 ++--
src/esx/esx_vmx.c | 126 +++++++++++++++++++++++++++------------------------
src/esx/esx_vmx.h | 2 +-
4 files changed, 78 insertions(+), 70 deletions(-)
diff --git a/src/esx/esx_util.c b/src/esx/esx_util.c
index 27c3a12..d79de2c 100644
--- a/src/esx/esx_util.c
+++ b/src/esx/esx_util.c
@@ -380,7 +380,7 @@ esxUtil_ResolveHostname(const char *hostname,
int
esxUtil_GetConfigString(virConfPtr conf, const char *name, char **string,
- int optional)
+ bool optional)
{
virConfValuePtr value;
@@ -427,7 +427,7 @@ esxUtil_GetConfigString(virConfPtr conf, const char *name, char **string,
int
esxUtil_GetConfigUUID(virConfPtr conf, const char *name, unsigned char *uuid,
- int optional)
+ bool optional)
{
virConfValuePtr value;
@@ -472,7 +472,7 @@ esxUtil_GetConfigUUID(virConfPtr conf, const char *name, unsigned char *uuid,
int
esxUtil_GetConfigLong(virConfPtr conf, const char *name, long long *number,
- long long default_, int optional)
+ long long default_, bool optional)
{
virConfValuePtr value;
@@ -520,8 +520,8 @@ esxUtil_GetConfigLong(virConfPtr conf, const char *name, long long *number,
int
-esxUtil_GetConfigBoolean(virConfPtr conf, const char *name, int *boolean_,
- int default_, int optional)
+esxUtil_GetConfigBoolean(virConfPtr conf, const char *name, bool *boolean_,
+ bool default_, bool optional)
{
virConfValuePtr value;
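Review bot: esxUtil_GetConfigBoolean now writes through 'bool *boolean_' instead of 'int *boolean_', so a caller that still passes the address of an int passes an incompatible pointer and may get only part of its variable written. The diffstat covers esx_util.c, esx_util.h, esx_vmx.c and esx_vmx.h only; please confirm that no other file calls the esxUtil_GetConfig* functions or esxVMX_ParseSCSIController with int arguments for these parameters.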
diff --git a/src/esx/esx_util.h b/src/esx/esx_util.h
index 26c456d..a1927a6 100644
--- a/src/esx/esx_util.h
+++ b/src/esx/esx_util.h
@@ -56,15 +56,15 @@ int esxUtil_ResolveHostname(const char *hostname,
char *ipAddress, size_t ipAddress_length);
int esxUtil_GetConfigString(virConfPtr conf, const char *name, char **string,
- int optional);
+ bool optional);
int esxUtil_GetConfigUUID(virConfPtr conf, const char *name,
- unsigned char *uuid, int optional);
+ unsigned char *uuid, bool optional);
int esxUtil_GetConfigLong(virConfPtr conf, const char *name, long long *number,
- long long default_, int optional);
+ long long default_, bool optional);
-int esxUtil_GetConfigBoolean(virConfPtr conf, const char *name, int *boolean_,
- int default_, int optional);
+int esxUtil_GetConfigBoolean(virConfPtr conf, const char *name, bool *boolean_,
+ bool default_, bool optional);
#endif /* __ESX_UTIL_H__ */
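Review bot: The prototypes now use bool, but this hunk adds no #include <stdbool.h> to esx_util.h. If the header relies on another include to provide bool, it only compiles when that include comes first; include <stdbool.h> here so the header is self-contained.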
diff --git a/src/esx/esx_vmx.c b/src/esx/esx_vmx.c
index 032f5bc..e10e745 100644
--- a/src/esx/esx_vmx.c
+++ b/src/esx/esx_vmx.c
@@ -914,7 +914,7 @@ esxVMX_ParseConfig(esxVI_Context *ctx, virCapsPtr caps, const char *vmx,
int controller;
int bus;
int port;
- int present; // boolean
+ bool present;
int scsi_virtualDev[4] = { -1, -1, -1, -1 };
int unit;
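Review bot: 'bool present;' is left without an initialiser, while the other locals converted in this patch become 'bool present = false;', 'bool enabled = false;' and so on. Initialise it to false as well, so it is never read indeterminate if esxVMX_ParseSCSIController fails before storing to *present.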
@@ -934,7 +934,7 @@ esxVMX_ParseConfig(esxVI_Context *ctx, virCapsPtr caps, const char *vmx,
/* vmx:config.version */
if (esxUtil_GetConfigLong(conf, "config.version", &config_version, 0,
- 0) < 0) {
+ false) < 0) {
goto cleanup;
}
@@ -947,7 +947,7 @@ esxVMX_ParseConfig(esxVI_Context *ctx, virCapsPtr caps, const char *vmx,
/* vmx:virtualHW.version */
if (esxUtil_GetConfigLong(conf, "virtualHW.version", &virtualHW_version, 0,
- 0) < 0) {
+ false) < 0) {
goto cleanup;
}
@@ -991,17 +991,17 @@ esxVMX_ParseConfig(esxVI_Context *ctx, virCapsPtr caps, const char *vmx,
/* vmx:uuid.bios -> def:uuid */
/* FIXME: Need to handle 'uuid.action = "create"' */
- if (esxUtil_GetConfigUUID(conf, "uuid.bios", def->uuid, 1) < 0) {
+ if (esxUtil_GetConfigUUID(conf, "uuid.bios", def->uuid, true) < 0) {
goto cleanup;
}
/* vmx:displayName -> def:name */
- if (esxUtil_GetConfigString(conf, "displayName", &def->name, 1) < 0) {
+ if (esxUtil_GetConfigString(conf, "displayName", &def->name, true) < 0) {
goto cleanup;
}
/* vmx:memsize -> def:maxmem */
- if (esxUtil_GetConfigLong(conf, "memsize", &memsize, 32, 1) < 0) {
+ if (esxUtil_GetConfigLong(conf, "memsize", &memsize, 32, true) < 0) {
goto cleanup;
}
@@ -1015,7 +1015,8 @@ esxVMX_ParseConfig(esxVI_Context *ctx, virCapsPtr caps, const char *vmx,
def->maxmem = memsize * 1024; /* Scale from megabytes to kilobytes */
/* vmx:sched.mem.max -> def:memory */
- if (esxUtil_GetConfigLong(conf, "sched.mem.max", &memory, memsize, 1) < 0) {
+ if (esxUtil_GetConfigLong(conf, "sched.mem.max", &memory, memsize,
+ true) < 0) {
goto cleanup;
}
@@ -1030,7 +1031,7 @@ esxVMX_ParseConfig(esxVI_Context *ctx, virCapsPtr caps, const char *vmx,
}
/* vmx:numvcpus -> def:vcpus */
- if (esxUtil_GetConfigLong(conf, "numvcpus", &numvcpus, 1, 1) < 0) {
+ if (esxUtil_GetConfigLong(conf, "numvcpus", &numvcpus, 1, true) < 0) {
goto cleanup;
}
@@ -1046,7 +1047,7 @@ esxVMX_ParseConfig(esxVI_Context *ctx, virCapsPtr caps, const char *vmx,
/* vmx:sched.cpu.affinity -> def:cpumask */
// VirtualMachine:config.cpuAffinity.affinitySet
if (esxUtil_GetConfigString(conf, "sched.cpu.affinity", &sched_cpu_affinity,
- 1) < 0) {
+ true) < 0) {
goto cleanup;
}
@@ -1128,7 +1129,7 @@ esxVMX_ParseConfig(esxVI_Context *ctx, virCapsPtr caps, const char *vmx,
}
/* vmx:guestOS -> def:os.arch */
- if (esxUtil_GetConfigString(conf, "guestOS", &guestOS, 1) < 0) {
+ if (esxUtil_GetConfigString(conf, "guestOS", &guestOS, true) < 0) {
goto cleanup;
}
@@ -1370,7 +1371,7 @@ esxVMX_ParseConfig(esxVI_Context *ctx, virCapsPtr caps, const char *vmx,
int
esxVMX_ParseVNC(virConfPtr conf, virDomainGraphicsDefPtr *def)
{
- int enabled = 0; // boolean
+ bool enabled = false;
long long port = 0;
if (def == NULL || *def != NULL) {
@@ -1379,7 +1380,7 @@ esxVMX_ParseVNC(virConfPtr conf, virDomainGraphicsDefPtr *def)
}
if (esxUtil_GetConfigBoolean(conf, "RemoteDisplay.vnc.enabled", &enabled,
- 0, 1) < 0) {
+ false, true) < 0) {
return -1;
}
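Review bot: With both trailing arguments now bool, 'false, true' in this call is default_ followed by optional, and swapping the two compiles without a warning. A short comment on the esxUtil_GetConfigBoolean prototype naming the order, or a pair of named constants for the optional argument, would make call sites like this one checkable at a glance.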
@@ -1395,13 +1396,13 @@ esxVMX_ParseVNC(virConfPtr conf, virDomainGraphicsDefPtr *def)
(*def)->type = VIR_DOMAIN_GRAPHICS_TYPE_VNC;
if (esxUtil_GetConfigLong(conf, "RemoteDisplay.vnc.port", &port, -1,
- 1) < 0 ||
+ true) < 0 ||
esxUtil_GetConfigString(conf, "RemoteDisplay.vnc.ip",
- &(*def)->data.vnc.listenAddr, 1) < 0 ||
+ &(*def)->data.vnc.listenAddr, true) < 0 ||
esxUtil_GetConfigString(conf, "RemoteDisplay.vnc.keymap",
- &(*def)->data.vnc.keymap, 1) < 0 ||
+ &(*def)->data.vnc.keymap, true) < 0 ||
esxUtil_GetConfigString(conf, "RemoteDisplay.vnc.password",
- &(*def)->data.vnc.passwd, 1) < 0) {
+ &(*def)->data.vnc.passwd, true) < 0) {
goto failure;
}
@@ -1432,7 +1433,7 @@ esxVMX_ParseVNC(virConfPtr conf, virDomainGraphicsDefPtr *def)
int
-esxVMX_ParseSCSIController(virConfPtr conf, int controller, int *present,
+esxVMX_ParseSCSIController(virConfPtr conf, int controller, bool *present,
int *virtualDev)
{
char present_name[32];
@@ -1456,7 +1457,8 @@ esxVMX_ParseSCSIController(virConfPtr conf, int controller, int *present,
snprintf(virtualDev_name, sizeof(virtualDev_name), "scsi%d.virtualDev",
controller);
- if (esxUtil_GetConfigBoolean(conf, present_name, present, 0, 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, present_name, present, false,
+ true) < 0) {
goto failure;
}
@@ -1465,7 +1467,7 @@ esxVMX_ParseSCSIController(virConfPtr conf, int controller, int *present,
}
if (esxUtil_GetConfigString(conf, virtualDev_name, &virtualDev_string,
- 1) < 0) {
+ true) < 0) {
goto failure;
}
@@ -1542,16 +1544,16 @@ esxVMX_ParseDisk(esxVI_Context *ctx, virCapsPtr caps, virConfPtr conf,
char *prefix = NULL;
char present_name[32] = "";
- int present = 0;
+ bool present = false;
char startConnected_name[32] = "";
- int startConnected = 0;
+ bool startConnected = false;
char deviceType_name[32] = "";
char *deviceType = NULL;
char clientDevice_name[32] = "";
- int clientDevice = 0;
+ bool clientDevice = false;
char fileType_name[32] = "";
char *fileType = NULL;
@@ -1560,7 +1562,7 @@ esxVMX_ParseDisk(esxVI_Context *ctx, virCapsPtr caps, virConfPtr conf,
char *fileName = NULL;
char writeThrough_name[32] = "";
- int writeThrough = 0;
+ bool writeThrough = false;
if (def == NULL || *def != NULL) {
ESX_ERROR(VIR_ERR_INTERNAL_ERROR, "%s", _("Invalid argument"));
@@ -1685,13 +1687,14 @@ esxVMX_ParseDisk(esxVI_Context *ctx, virCapsPtr caps, virConfPtr conf,
ESX_BUILD_VMX_NAME(writeThrough);
/* vmx:present */
- if (esxUtil_GetConfigBoolean(conf, present_name, &present, 0, 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, present_name, &present, false,
+ true) < 0) {
goto cleanup;
}
/* vmx:startConnected */
if (esxUtil_GetConfigBoolean(conf, startConnected_name, &startConnected,
- 1, 1) < 0) {
+ true, true) < 0) {
goto cleanup;
}
@@ -1701,13 +1704,13 @@ esxVMX_ParseDisk(esxVI_Context *ctx, virCapsPtr caps, virConfPtr conf,
}
/* vmx:deviceType -> def:type */
- if (esxUtil_GetConfigString(conf, deviceType_name, &deviceType, 1) < 0) {
+ if (esxUtil_GetConfigString(conf, deviceType_name, &deviceType, true) < 0) {
goto cleanup;
}
/* vmx:clientDevice */
- if (esxUtil_GetConfigBoolean(conf, clientDevice_name, &clientDevice, 0,
- 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, clientDevice_name, &clientDevice, false,
+ true) < 0) {
goto cleanup;
}
@@ -1720,18 +1723,18 @@ esxVMX_ParseDisk(esxVI_Context *ctx, virCapsPtr caps, virConfPtr conf,
}
/* vmx:fileType -> def:type */
- if (esxUtil_GetConfigString(conf, fileType_name, &fileType, 1) < 0) {
+ if (esxUtil_GetConfigString(conf, fileType_name, &fileType, true) < 0) {
goto cleanup;
}
/* vmx:fileName -> def:src, def:type */
- if (esxUtil_GetConfigString(conf, fileName_name, &fileName, 0) < 0) {
+ if (esxUtil_GetConfigString(conf, fileName_name, &fileName, false) < 0) {
goto cleanup;
}
/* vmx:writeThrough -> def:cachemode */
- if (esxUtil_GetConfigBoolean(conf, writeThrough_name, &writeThrough, 0,
- 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, writeThrough_name, &writeThrough, false,
+ true) < 0) {
goto cleanup;
}
@@ -1893,10 +1896,10 @@ esxVMX_ParseEthernet(virConfPtr conf, int controller, virDomainNetDefPtr *def)
char prefix[48] = "";
char present_name[48] = "";
- int present = 0;
+ bool present = false;
char startConnected_name[48] = "";
- int startConnected = 0;
+ bool startConnected = false;
char connectionType_name[48] = "";
char *connectionType = NULL;
@@ -1953,13 +1956,14 @@ esxVMX_ParseEthernet(virConfPtr conf, int controller, virDomainNetDefPtr *def)
ESX_BUILD_VMX_NAME(vnet);
/* vmx:present */
- if (esxUtil_GetConfigBoolean(conf, present_name, &present, 0, 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, present_name, &present, false,
+ true) < 0) {
goto cleanup;
}
/* vmx:startConnected */
- if (esxUtil_GetConfigBoolean(conf, startConnected_name, &startConnected, 1,
- 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, startConnected_name, &startConnected,
+ true, true) < 0) {
goto cleanup;
}
@@ -1970,15 +1974,16 @@ esxVMX_ParseEthernet(virConfPtr conf, int controller, virDomainNetDefPtr *def)
/* vmx:connectionType -> def:type */
if (esxUtil_GetConfigString(conf, connectionType_name, &connectionType,
- 1) < 0) {
+ true) < 0) {
goto cleanup;
}
/* vmx:addressType, vmx:generatedAddress, vmx:address -> def:mac */
- if (esxUtil_GetConfigString(conf, addressType_name, &addressType, 1) < 0 ||
+ if (esxUtil_GetConfigString(conf, addressType_name, &addressType,
+ true) < 0 ||
esxUtil_GetConfigString(conf, generatedAddress_name, &generatedAddress,
- 1) < 0 ||
- esxUtil_GetConfigString(conf, address_name, &address, 1) < 0) {
+ true) < 0 ||
+ esxUtil_GetConfigString(conf, address_name, &address, true) < 0) {
goto cleanup;
}
@@ -2010,8 +2015,8 @@ esxVMX_ParseEthernet(virConfPtr conf, int controller, virDomainNetDefPtr *def)
}
/* vmx:virtualDev, vmx:features -> def:model */
- if (esxUtil_GetConfigString(conf, virtualDev_name, &virtualDev, 1) < 0 ||
- esxUtil_GetConfigLong(conf, features_name, &features, 0, 1) < 0) {
+ if (esxUtil_GetConfigString(conf, virtualDev_name, &virtualDev, true) < 0 ||
+ esxUtil_GetConfigLong(conf, features_name, &features, 0, true) < 0) {
goto cleanup;
}
@@ -2043,13 +2048,14 @@ esxVMX_ParseEthernet(virConfPtr conf, int controller, virDomainNetDefPtr *def)
if ((connectionType == NULL ||
STRCASEEQ(connectionType, "bridged") ||
STRCASEEQ(connectionType, "custom")) &&
- esxUtil_GetConfigString(conf, networkName_name, &networkName, 0) < 0) {
+ esxUtil_GetConfigString(conf, networkName_name, &networkName,
+ false) < 0) {
goto cleanup;
}
/* vmx:vnet -> def:data.ifname */
if (connectionType != NULL && STRCASEEQ(connectionType, "custom") &&
- esxUtil_GetConfigString(conf, vnet_name, &vnet, 0) < 0) {
+ esxUtil_GetConfigString(conf, vnet_name, &vnet, false) < 0) {
goto cleanup;
}
@@ -2126,10 +2132,10 @@ esxVMX_ParseSerial(esxVI_Context *ctx, virConfPtr conf, int port,
char prefix[48] = "";
char present_name[48] = "";
- int present = 0;
+ bool present = false;
char startConnected_name[48] = "";
- int startConnected = 0;
+ bool startConnected = false;
char fileType_name[48] = "";
char *fileType = NULL;
@@ -2163,13 +2169,14 @@ esxVMX_ParseSerial(esxVI_Context *ctx, virConfPtr conf, int port,
ESX_BUILD_VMX_NAME(fileName);
/* vmx:present */
- if (esxUtil_GetConfigBoolean(conf, present_name, &present, 0, 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, present_name, &present, false,
+ true) < 0) {
goto cleanup;
}
/* vmx:startConnected */
- if (esxUtil_GetConfigBoolean(conf, startConnected_name, &startConnected, 1,
- 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, startConnected_name, &startConnected,
+ true, true) < 0) {
goto cleanup;
}
@@ -2179,12 +2186,12 @@ esxVMX_ParseSerial(esxVI_Context *ctx, virConfPtr conf, int port,
}
/* vmx:fileType -> def:type */
- if (esxUtil_GetConfigString(conf, fileType_name, &fileType, 0) < 0) {
+ if (esxUtil_GetConfigString(conf, fileType_name, &fileType, false) < 0) {
goto cleanup;
}
/* vmx:fileName -> def:data.file.path */
- if (esxUtil_GetConfigString(conf, fileName_name, &fileName, 0) < 0) {
+ if (esxUtil_GetConfigString(conf, fileName_name, &fileName, false) < 0) {
goto cleanup;
}
@@ -2255,10 +2262,10 @@ esxVMX_ParseParallel(esxVI_Context *ctx, virConfPtr conf, int port,
char prefix[48] = "";
char present_name[48] = "";
- int present = 0;
+ bool present = false;
char startConnected_name[48] = "";
- int startConnected = 0;
+ bool startConnected = false;
char fileType_name[48] = "";
char *fileType = NULL;
@@ -2292,13 +2299,14 @@ esxVMX_ParseParallel(esxVI_Context *ctx, virConfPtr conf, int port,
ESX_BUILD_VMX_NAME(fileName);
/* vmx:present */
- if (esxUtil_GetConfigBoolean(conf, present_name, &present, 0, 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, present_name, &present, false,
+ true) < 0) {
goto cleanup;
}
/* vmx:startConnected */
- if (esxUtil_GetConfigBoolean(conf, startConnected_name, &startConnected, 1,
- 1) < 0) {
+ if (esxUtil_GetConfigBoolean(conf, startConnected_name, &startConnected,
+ true, true) < 0) {
goto cleanup;
}
@@ -2308,12 +2316,12 @@ esxVMX_ParseParallel(esxVI_Context *ctx, virConfPtr conf, int port,
}
/* vmx:fileType -> def:type */
- if (esxUtil_GetConfigString(conf, fileType_name, &fileType, 0) < 0) {
+ if (esxUtil_GetConfigString(conf, fileType_name, &fileType, false) < 0) {
goto cleanup;
}
/* vmx:fileName -> def:data.file.path */
- if (esxUtil_GetConfigString(conf, fileName_name, &fileName, 0) < 0) {
+ if (esxUtil_GetConfigString(conf, fileName_name, &fileName, false) < 0) {
goto cleanup;
}
diff --git a/src/esx/esx_vmx.h b/src/esx/esx_vmx.h
index 9b66ab8..b7522ad 100644
--- a/src/esx/esx_vmx.h
+++ b/src/esx/esx_vmx.h
@@ -72,7 +72,7 @@ int
esxVMX_ParseVNC(virConfPtr conf, virDomainGraphicsDefPtr *def);
int
-esxVMX_ParseSCSIController(virConfPtr conf, int controller, int *present,
+esxVMX_ParseSCSIController(virConfPtr conf, int controller, bool *present,
int *virtualDev);
int
--
1.7.0.4
Move libnl to libvirt_util.la, because macvtap.c requires it.
Add GnuTLS to libvirt_driver.la, because libvirt.c calls gcrypt functions.
When built without loadable driver modules, then the remote driver pulls
in GnuTLS.
Move libgnu.la from libvirt_parthelper_CFLAGS to libvirt_parthelper_LDADD.
---
src/Makefile.am | 13 ++++++-------
1 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index 5109302..ece18a6 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -418,8 +418,8 @@ libvirt_la_LIBADD = $(libvirt_la_BUILT_LIBADD)
libvirt_la_BUILT_LIBADD = libvirt_util.la
libvirt_util_la_SOURCES = \
$(UTIL_SOURCES)
-libvirt_util_la_CFLAGS = $(CAPNG_CFLAGS) $(YAJL_CFLAGS)
-libvirt_util_la_LIBADD = $(CAPNG_LIBS) $(YAJL_LIBS) $(LIB_PTHREAD)
+libvirt_util_la_CFLAGS = $(CAPNG_CFLAGS) $(YAJL_CFLAGS) $(LIBNL_CFLAGS)
+libvirt_util_la_LIBADD = $(CAPNG_LIBS) $(YAJL_LIBS) $(LIBNL_LIBS) $(LIB_PTHREAD)
noinst_LTLIBRARIES += libvirt_conf.la
@@ -439,9 +439,9 @@ noinst_LTLIBRARIES += libvirt_driver.la
libvirt_la_BUILT_LIBADD += libvirt_driver.la
libvirt_driver_la_SOURCES = $(DRIVER_SOURCES)
-libvirt_driver_la_CFLAGS = $(NUMACTL_CFLAGS) \
+libvirt_driver_la_CFLAGS = $(NUMACTL_CFLAGS) $(GNUTLS_CFLAGS) \
-I@top_srcdir@/src/conf
-libvirt_driver_la_LIBADD = $(NUMACTL_LIBS)
+libvirt_driver_la_LIBADD = $(NUMACTL_LIBS) $(GNUTLS_LIBS)
USED_SYM_FILES = libvirt_private.syms
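Review bot: the commit message justifies this hunk with "libvirt.c calls gcrypt functions", but what is added to libvirt_driver_la_CFLAGS and libvirt_driver_la_LIBADD is $(GNUTLS_CFLAGS) and $(GNUTLS_LIBS), so the gcrypt symbols are only resolved if the GnuTLS link line happens to pull in libgcrypt. If libvirt.c calls gcrypt directly, link libgcrypt explicitly here, or reword the commit message to say which GnuTLS symbols are needed.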
@@ -1001,7 +1001,6 @@ libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)$(LIBVIRT_SYMBOL_FILE) \
$(CYGWIN_EXTRA_LDFLAGS) $(MINGW_EXTRA_LDFLAGS)
libvirt_la_BUILT_LIBADD += ../gnulib/lib/libgnu.la
libvirt_la_LIBADD += $(LIBXML_LIBS) \
- $(LIBPCAP_LIBS) $(LIBNL_LIBS) \
$(DRIVER_MODULE_LIBS) \
$(CYGWIN_EXTRA_LIBADD)
libvirt_la_CFLAGS = $(COVERAGE_CFLAGS) -DIN_LIBVIRT
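Review bot: the removed line in libvirt_la_LIBADD drops $(LIBPCAP_LIBS) together with $(LIBNL_LIBS), but only libnl is mentioned in the commit message and only $(LIBNL_LIBS) reappears (in libvirt_util_la_LIBADD) in the hunks shown. Either add $(LIBPCAP_LIBS) to the library that contains the pcap users, or state in the commit message why libvirt.la no longer needs it.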
@@ -1038,8 +1037,8 @@ libexec_PROGRAMS += libvirt_parthelper
libvirt_parthelper_SOURCES = $(STORAGE_HELPER_DISK_SOURCES)
libvirt_parthelper_LDFLAGS = $(WARN_LDFLAGS) $(COVERAGE_LDFLAGS)
-libvirt_parthelper_LDADD = $(LIBPARTED_LIBS)
-libvirt_parthelper_CFLAGS = $(LIBPARTED_CFLAGS) ../gnulib/lib/libgnu.la
+libvirt_parthelper_LDADD = $(LIBPARTED_LIBS) ../gnulib/lib/libgnu.la
+libvirt_parthelper_CFLAGS = $(LIBPARTED_CFLAGS)
endif
endif
EXTRA_DIST += $(STORAGE_HELPER_DISK_SOURCES)
--
1.7.0.4
[libvirt] [PATCH v2] [TCK] nwfilter: apply filters and check firewall rules
by Stefan Berger 24 Jun '10
V2:
- Following Daniel Berrange's suggestions:
- if LIBVIRT_TCK_CONFIG is set, grep for the last occurrence of
"^uri/s*=" and assign the value to LIBVIRT_URI
- check that LIBVIRT_URI is set to qemu:///system, otherwise skip test
- if allowed, remove all VMs and nwfilters starting with tck-
- rename all VMs and nwfilters created by this test program to start
with 'tck-'
- other:
- terminate if sourcing the test-lib.sh from libvirt's tests dir is
missing (would need to be copied)
- redirect stderr to stdout wherever output is read into a variable
This is a patch I previously posted for use in the tests/ directory of
libvirt. Now I ported it to the TCK project and extended the script with
output in the Test Anything Protocol (TAP) format. It now allows
multiple output formats chosen via command line parameter supporting TAP
(--tap-test), the output format used in the libvirt tests directory (the
'.' and '!') (--libvirt-test) and one where all tests are displayed
(--verbose).
The program basically creates a filter called tck-testcase and two VMs
where one of them references the tck-testcase filter and the other a
filter called nwfiltertestfilter. The tck-testcase filter is then
subsequently modified and the effect on iptables, ebtables and ip6tables
verified against expected output for both VMs. The VMs are torn down at
the end and the test filters removed.
For all the tests to run successfully, the last outstanding patch that
would need to go in is this one here:
https://www.redhat.com/archives/libvir-list/2010-June/msg00326.html
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
scripts/nwfilter/100-apply-verify.t | 10
scripts/nwfilter/nwfilter2vmtest.sh | 635 ++++++++++
scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall | 32
scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall | 30
scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall | 9
scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall | 24
scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall | 68 +
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall | 12
scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall | 19
scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall | 13
scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall | 12
scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall | 9
scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat | 73 +
scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall | 26
scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/ah-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/all-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml | 33
scripts/nwfilter/nwfilterxml2xmlin/conntrack-test.xml | 12
scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/esp-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml | 56
scripts/nwfilter/nwfilterxml2xmlin/icmp-direction-test.xml | 15
scripts/nwfilter/nwfilterxml2xmlin/icmp-direction2-test.xml | 15
scripts/nwfilter/nwfilterxml2xmlin/icmp-direction3-test.xml | 10
scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/igmp-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml | 34
scripts/nwfilter/nwfilterxml2xmlin/ipt-no-macspoof-test.xml | 14
scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml | 43
scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml | 23
scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml | 33
scripts/nwfilter/nwfilterxml2xmlin/ref-rule-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/ref-test.xml | 4
scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/udplite-test.xml | 18
61 files changed, 2059 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -0,0 +1,635 @@
+#!/bin/bash
+
+ORIG_IFNAME="vnet0"
+ATTACH_IFNAME="attach0"
+TESTFILTERNAME="nwfiltertestfilter"
+TESTVM2FWALLDATA="nwfilterxml2fwallout/testvm.fwall.dat"
+
+
+LIBVIRTD=`type -P ${PWD}/../daemon/libvirtd`
+if [ "x${LIBVIRTD}x" == "xx" ]; then
+ LIBVIRTD=`type -P libvirtd`
+fi
+
+VIRSH=`type -P ${PWD}/../tools/virsh`
+if [ "x${VIRSH}x" == "xx" ]; then
+ VIRSH=`type -P virsh`
+fi
+
+LD_LIBRARY_PATH="${PWD}../src/.libs/"
+
+uri="qemu:///system"
+if [ "x${LIBVIRT_TCK_CONFIG}x" != "xx" ]; then
+ uri_exp=`cat ${LIBVIRT_TCK_CONFIG} | grep "^uri\s*=" | tail -n 1`
+ if [ "x${uri_exp}x" != "xx" ]; then
+ eval ${uri_exp}
+ fi
+fi
+LIBVIRT_URI=${uri}
+
+# Maybe no libvirtd was built
+[ -z ${LIBVIRTD} ] && exit 0;
+
+FLAG_WAIT="$((1<<0))"
+FLAG_ATTACH="$((1<<1))"
+FLAG_VERBOSE="$((1<<2))"
+FLAG_LIBVIRT_TEST="$((1<<3))"
+FLAG_TAP_TEST="$((1<<4))"
+
+failctr=0
+passctr=0
+attachfailctr=0
+attachctr=0
+
+TAP_FAIL_LIST=""
+TAP_FAIL_CTR=0
+TAP_TOT_CTR=0
+
+function usage() {
+ local cmd="$0"
+cat <<EOF
+Usage: ${cmd} [--help|-h|-?] [--noattach] [--wait] [--verbose]
+ [--libvirt-test] [--tap-test]
+
+Options:
+ --help,-h,-? : Display this help screen.
+ --noattach : Skip tests that attach and detach a network interface
+ --wait : Wait for the user to press the enter key once an error
+ was detected
+ --verbose : Verbose output
+ --libvirt-test : Use the libvirt test output format
+ --tap-test : TAP format output
+
+This test will create two virtual machines. The one virtual machine
+will use a filter called '${TESTFILTERNAME}', and reference the filter
+'clean-traffic' which should be available by default with every install.
+The other virtual machine will reference the filter 'tck-testcase' and will
+have its filter permanently updated.
+EOF
+}
+
+
+function tap_fail() {
+ echo "not ok $1 - ${2:0:66}"
+ TAP_FAIL_LIST+="$1 "
+ ((TAP_FAIL_CTR++))
+ ((TAP_TOT_CTR++))
+}
+
+function tap_pass() {
+ echo "ok $1 - ${2:0:70}"
+ ((TAP_TOT_CTR++))
+}
+
+function tap_final() {
+ local okay
+
+ [ -n "${TAP_FAIL_LIST}" ] && echo "FAILED tests ${TAP_FAIL_LIST}"
+
+ okay=`echo "($TAP_TOT_CTR-$TAP_FAIL_CTR)*100/$TAP_TOT_CTR" | bc -l`
+ echo "Failed ${TAP_FAIL_CTR}/${TAP_TOT_CTR} tests, ${okay:0:5}% okay"
+}
+
+# A wrapper for mktemp in case it does not exist
+# Echos the name of a temporary file.
+function mktmpfile() {
+ local tmp
+ type -P mktemp > /dev/null
+ if [ $? -eq 0 ]; then
+ tmp=$(mktemp -t nwfvmtest.XXXXXX)
+ echo ${tmp}
+ else
+ while :; do
+ tmp="/tmp/nwfvmtest.${RANDOM}"
+ if [ ! -f ${tmp} ]; then
+ touch ${tmp}
+ chmod 666 ${tmp}
+ echo ${tmp}
+ break
+ fi
+ done
+ fi
+ return 0
+}
+
+
+function checkExpectedOutput() {
+ local xmlfile="$1"
+ local fwallfile="$2"
+ local ifname="$3"
+ local flags="$4"
+ local skipregex="$5"
+ local regex="s/${ORIG_IFNAME}/${ifname}/g"
+ local cmd line tmpfile tmpfile2 skip
+
+ tmpfile=`mktmpfile`
+ tmpfile2=`mktmpfile`
+
+ exec 4<${fwallfile}
+
+ read <&4
+ line="${REPLY}"
+
+ while [ "x${line}x" != "xx" ]; do
+ cmd=`echo ${line##\#} | sed ${regex}`
+
+ skip=0
+ if [ "x${skipregex}x" != "xx" ]; then
+ skip=`echo ${cmd} | grep -c -E ${skipregex}`
+ fi
+
+ eval ${cmd} 2>&1 | tee ${tmpfile} 1>/dev/null
+
+ rm ${tmpfile2} 2>/dev/null
+ touch ${tmpfile2}
+
+ while [ 1 ]; do
+ read <&4
+ line="${REPLY}"
+
+ if [ "${line:0:1}" == "#" ] || [ "x${line}x" == "xx" ]; then
+
+ if [ ${skip} -ne 0 ]; then
+ break
+ fi
+
+ diff ${tmpfile} ${tmpfile2} >/dev/null
+
+ if [ $? -ne 0 ]; then
+ if [ $((flags & FLAG_VERBOSE)) -ne 0 ]; then
+ echo "FAIL ${xmlfile} : ${cmd}"
+ diff ${tmpfile} ${tmpfile2}
+ fi
+ ((failctr++))
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "tmp files: $tmpfile, $tmpfile2"
+ echo "Press enter"
+ read
+ fi
+ [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+ test_result $((passctr+failctr)) "" 1
+ [ $((flags & FLAG_TAP_TEST)) -ne 0 ] && \
+ tap_fail $((passctr+failctr)) "${xmlfile} : ${cmd}"
+ else
+ ((passctr++))
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && \
+ echo "PASS ${xmlfile} : ${cmd}"
+ [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+ test_result $((passctr+failctr)) "" 0
+ [ $((flags & FLAG_TAP_TEST)) -ne 0 ] && \
+ tap_pass $((passctr+failctr)) "${xmlfile} : ${cmd}"
+ fi
+
+ break
+
+ fi
+ echo "${line}" | sed ${regex} >> ${tmpfile2}
+ done
+ done
+
+ exec 4>&-
+
+ rm -rf "${tmpfile}" "${tmpfile2}" 2>/dev/null
+}
+
+
+function doTest() {
+ local xmlfile="$1"
+ local fwallfile="$2"
+ local vm1name="$3"
+ local vm2name="$4"
+ local flags="$5"
+ local testnum="$6"
+ local linenums ctr=0
+ local tmpfile b msg rc
+
+ if [ ! -r "${xmlfile}" ]; then
+ echo "FAIL : Cannot access filter XML file ${xmlfile}."
+ return 1
+ fi
+
+ ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+
+ checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" "${flags}" \
+ ""
+
+ checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
+ "${vm2name}" "${flags}" ""
+
+ if [ $((flags & FLAG_ATTACH)) -ne 0 ]; then
+
+ tmpfile=`mktmpfile`
+
+ b=`{ ${VIRSH} dumpxml ${vm1name} | tr -d "\n"; echo; } | \
+ sed "s/.*\<interface.*source
bridge='\([a-zA-Z0-9_]\+\)'.*<\/interface>.*/\1/"`
+
+ cat >>${tmpfile} <<EOF
+<interface type='bridge'>
+ <source bridge='${b}'/>
+ <mac address='52:54:00:11:22:33'/>
+ <target dev='${ATTACH_IFNAME}'/>
+ <filterref filter='tck-testcase'/>
+</interface>
+EOF
+ msg=`${VIRSH} attach-device "${vm1name}" "${tmpfile}" > /dev/null`
+ rc=$?
+
+ ((attachctr++))
+
+ if [ $rc -eq 0 ]; then
+ checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \
+ "${flags}" "(PRE|POST)ROUTING"
+ checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
+ "${vm2name}" "${flags}" "(PRE|POST)ROUTING"
+ msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"`
+ if [ $? -ne 0 ]; then
+ echo "FAIL: Detach of interface failed."
+ fi
+ else
+ if [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ # In case of TAP, run the test anyway so we get to the full number
+ # of tests
+ checkExpectedOutput "${xmlfile}" "${fwallfile}"
"${ATTACH_IFNAME}" \
+ "${flags}" "" #"(PRE|POST)ROUTING"
+ checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
+ "${vm2name}" "${flags}" #"(PRE|POST)ROUTING"
+ fi
+
+ ((attachfailctr++))
+ if [ $((flags & FLAG_VERBOSE)) -ne 0 ]; then
+ echo "FAIL: Could not attach interface to vm ${vm1name}."
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter"
+ read
+ fi
+ fi
+ fi
+
+ rm -rf ${tmpfile}
+ fi
+
+ return 0
+}
+
+
+function runTests() {
+ local vm1name="$1"
+ local vm2name="$2"
+ local xmldir="$3"
+ local fwalldir="$4"
+ local flags="$5"
+ local fwallfiles f c
+ local tap_total=0 ctr=0
+
+ pushd ${PWD} > /dev/null
+ cd ${fwalldir}
+ fwallfiles=`ls *.fwall`
+ popd > /dev/null
+
+ if [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ # Need to count the number of total tests
+ for fil in ${fwallfiles}; do
+ c=$(grep -c "^#" ${fwalldir}/${fil})
+ ((tap_total+=c))
+ ((ctr++))
+ done
+ c=$(grep -c "^#" "${TESTVM2FWALLDATA}")
+ ((tap_total+=c*ctr))
+ [ $((flags & FLAG_ATTACH)) -ne 0 ] && ((tap_total*=2))
+ echo "1..${tap_total}"
+ fi
+
+ for fil in ${fwallfiles}; do
+ f=${fil%%.fwall}
+ doTest "${xmldir}/${f}.xml" "${fwalldir}/${fil}" "${vm1name}" \
+ "${vm2name}" "${flags}"
+ done
+
+ if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then
+ test_final $((passctr+failctr)) $failctr
+ elif [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ tap_final
+ else
+ echo ""
+ echo "Summary: ${failctr} failures, ${passctr} passes,"
+ if [ ${attachctr} -ne 0 ]; then
+ echo " ${attachfailctr} interface attachment failures
with ${attachctr} attempts"
+ fi
+ fi
+}
+
+
+function createVM() {
+ local vmname="$1"
+ local filtername="$2"
+ local ipaddr="$3"
+ local macaddr="$4"
+ local flags="$5"
+ local res
+ local tmpfile='mktmpfile'
+
+ cat > ${tmpfile} << EOF
+ <domain type='kvm'>
+ <name>${vmname}</name>
+ <memory>32768</memory>
+ <currentMemory>32768</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-0.11'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-kvm</emulator>
+ <interface type='bridge'>
+ <mac address='${macaddr}'/>
+ <source bridge='virbr0'/>
+ <filterref filter='${filtername}'>
+ <parameter name='IP' value='${ipaddr}'/>
+ </filterref>
+ <target dev='${vmname}'/>
+ </interface>
+ <console type='pty'>
+ </console>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ </devices>
+ </domain>
+EOF
+
+ res=$(${VIRSH} define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define VM ${vmname} : ${res}"
+ return 1
+ fi
+
+ res=$(${VIRSH} start ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not start VM ${vmname} : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ $(${VIRSH} undefine ${vmname})
+ return 1
+ fi
+
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Created VM ${vmname}."
+
+ rm -rf ${tmpfile}
+
+ return 0
+}
+
+
+function destroyVM() {
+ local vmname="$1"
+ local flags="$2"
+ local res
+
+ res=$(${VIRSH} destroy ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not destroy VM ${vmname} : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+
+ res=$(${VIRSH} undefine ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine VM ${vmname} : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Destroyed VM ${vmname}."
+
+ return 0
+}
+
+
+function createTestFilters() {
+ local flags="$1"
+ local tmpfile=`mktmpfile`
+ local res
+
+ cat >${tmpfile} << EOF
+<filter name="${TESTFILTERNAME}">
+ <filterref filter='clean-traffic'/>
+
+ <rule action='drop' direction='inout' priority='1000'>
+ <all/>
+ </rule>
+
+ <rule action='drop' direction='inout' priority='1000'>
+ <all-ipv6/>
+ </rule>
+</filter>
+EOF
+ res=$(${VIRSH} nwfilter-define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ rm -rf ${tmpfile}
+ return 1
+ fi
+
+ cat >${tmpfile} << EOF
+<filter name="tck-testcase">
+</filter>
+EOF
+ res=$(${VIRSH} nwfilter-define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ rm -rf ${tmpfile}
+ return 1
+ fi
+
+ rm -rf ${tmpfile}
+
+ return 0
+}
+
+
+function deleteTestFilter() {
+ local flags="$1"
+ local res
+
+ res=$(${VIRSH} nwfilter-undefine ${TESTFILTERNAME} 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+ res=$(${VIRSH} nwfilter-undefine tck-testcase 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+ return 0
+}
+
+
+function main() {
+ local prgname="$0"
+ local vm1 vm2
+ local xmldir="nwfilterxml2xmlin"
+ local fwalldir="nwfilterxml2fwallout"
+ local found=0 vms res
+ local filtername="tck-testcase"
+ local libvirtdpid=-1
+ local flags OPWD
+
+ ((flags=${FLAG_ATTACH}))
+
+ while [ $# -ne 0 ]; do
+ case "$1" in
+ --help|-h|-\?) usage ${prgname}; exit 0;;
+ --noattach) ((flags ^= FLAG_ATTACH ));;
+ --wait) ((flags |= FLAG_WAIT ));;
+ --verbose) ((flags |= FLAG_VERBOSE ));;
+ --libvirt-test) ((flags |= FLAG_LIBVIRT_TEST ));;
+ --tap-test) ((flags |= FLAG_TAP_TEST ));;
+ *) usage ${prgname}; exit 1;;
+ esac
+ shift 1
+ done
+
+ if [ `uname` != "Linux" ]; then
+ echo "This script will only run on Linux."
+ exit 1;
+ fi
+
+ if [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ if [ "${LIBVIRT_URI}" != "qemu:///system" ]; then
+ echo "1..0 # Skipped: Only valid for Qemu system driver"
+ exit 0
+ fi
+
+ for name in `virsh nwfilter-list | awk '{print $2}'`
+ do
+ case ${name} in
+ tck*)
+ if [ "x${LIBVIRT_TCK_AUTOCLEAN}" == "x1" ]; then
+ res=$(virsh nwfilter-undefine ${name} 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Bail out! Could not undefine nwfiler ${name}: ${res}"
+ exit 0
+ fi
+ else
+ echo "Bail out! Filter ${name} already exists, use --force to
clean"
+ exit 1
+ fi
+ esac
+ done
+
+ for name in `virsh nwfilter-list | awk '{print $2}'`
+ do
+ case ${name} in
+ tck*)
+ if [ "x${LIBVIRT_TCK_AUTOCLEAN}" == "x1" ]; then
+ res=$(virsh undefine ${name} 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Bail out! Could not undefine domain ${name}: ${res}"
+ exit 1
+ fi
+ else
+ echo "Bail out! Domain ${name} already exists, use --force to
clean"
+ exit 1
+ fi
+ esac
+ done
+ fi
+
+ if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then
+ pushd ${PWD} > /dev/null
+ . test-lib.sh
+ if [ $? -ne 0 ]; then
+ exit 1
+ fi
+ test_intro $this_test
+ popd > /dev/null
+ fi
+
+ res=$(${VIRSH} capabilities 2>&1)
+
+ if [ $? -ne 0 ]; then
+ if [ "x${LIBVIRTD}x" == "xx" ]; then
+ echo "Cannot find libvirtd. Exiting."
+ exit 1
+ fi
+
+ rm -rf pid-file 2>/dev/null
+ ${LIBVIRTD} --pid-file=pid-file 2>/dev/null 1>/dev/null &
+ libvirtdpid=$!
+ sleep 2
+
+ res=$(${VIRSH} capabilities 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Could not start the libvirt daemon : $res"
+ echo "Exiting."
+ exit 1
+ fi
+ fi
+
+ vm1="tck-testvm${RANDOM}"
+ vm2="tck-testvm${RANDOM}"
+
+ createTestFilters "${flags}"
+ if [ $? -ne 0 ]; then
+ exit 1;
+ fi
+
+ createVM "${vm1}" "tck-testcase" "10.2.2.2" "52:54:0:0:0:1" "${flags}"
+ if [ $? -ne 0 ]; then
+ echo "Could not create VM ${vm1}. Exiting."
+ exit 1
+ fi
+
+ createVM "${vm2}" "${TESTFILTERNAME}" "10.1.1.1" "52:54:0:9f:33:da" \
+ "${flags}"
+ if [ $? -ne 0 ]; then
+ echo "Could not create VM ${vm2}. Exiting."
+ destroyVM "${vm1}" "${flags}"
+ exit 1
+ fi
+
+ runTests "${vm1}" "${vm2}" "${xmldir}" "${fwalldir}" "${flags}"
+
+ destroyVM "${vm1}" "${flags}"
+ destroyVM "${vm2}" "${flags}"
+ deleteTestFilter "${flags}"
+
+ [ ${libvirtdpid} -ge 0 ] && kill -9 ${libvirtdpid}
+ rm -rf pid-file 2>/dev/null
+
+ return 0
+}
+
+main "$@"
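Review bot: "eval ${uri_exp}" near the top of nwfilter2vmtest.sh executes the whole line of ${LIBVIRT_TCK_CONFIG} that matches ^uri\s*=, so anything following the value on that line (a ";" or a command substitution) runs as shell code, and a line written as "uri = ..." is run as a command named uri instead of being assigned. Extract the value with sed or parameter expansion and assign it to LIBVIRT_URI without eval. Other points in this hunk: in createVM, "local tmpfile='mktmpfile'" is single-quoted, so the domain XML is written to a file literally named mktmpfile in the current directory, while the other callers use backticks. The mktmpfile fallback builds /tmp/nwfvmtest.${RANDOM} with a check-then-touch followed by "chmod 666", which gives a predictable, world-writable file; failing when mktemp is missing would be safer. In main, the second cleanup loop is meant to undefine leftover tck* domains but iterates "virsh nwfilter-list" again, so it never sees a domain. Both "use --force to clean" messages name an option the script does not parse; the variable actually tested is LIBVIRT_TCK_AUTOCLEAN. The "Could not undefine nwfiler" branch exits with 0 where the domain branch exits with 1.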
Index: libvirt-tck/scripts/nwfilter/100-apply-verify.t
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/100-apply-verify.t
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+pwd=$(dirname $0)
+
+pushd ${PWD} > /dev/null
+
+cd ${pwd}
+bash ./nwfilter2vmtest.sh --tap-test --noattach
+
+popd > /dev/null
\ No newline at end of file
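Review bot: the wrapper ends with popd, so its exit status is popd's and a non-zero exit from nwfilter2vmtest.sh is lost; save $? right after the bash call and exit with it. "$(dirname $0)" and "cd ${pwd}" are unquoted and break on a path containing spaces, and the file is missing its trailing newline.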
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype
12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f
-j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff
-j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j
ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype
0xffff -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+
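Review bot: the expected-output lines in this file have been wrapped by the mailer (for example "-j ACCEPT" and "ACCEPT" sit on lines of their own without a leading "+"), so the patch will not apply as posted, and because checkExpectedOutput compares the file line by line a wrapped copy would never match the ebtables output. Resend with line wrapping disabled or as an attachment.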
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
@@ -0,0 +1,33 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535' />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65536' hwtype='65536' protocoltype='65536' />
+ </rule>
+</filter>
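Review bot: the last rule sets opcode, hwtype and protocoltype to 65536, one past the 16-bit range of those ARP fields, and the corresponding expected line in arp-test.fwall is "-p ARP -s 1:2:3:4:5:6 -j ACCEPT", meaning the out-of-range attributes are dropped and a broader accept rule is installed than the XML asks for. If that is the behaviour under test, add an XML comment above the rule saying so; otherwise the expected output is locking in a silently widened rule where rejecting the definition would be the safer result.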
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
@@ -0,0 +1,73 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -j I-vnet0-ipv4
+-p ARP -j I-vnet0-arp
+-p 0x8035 -j I-vnet0-rarp
+-p 0x835 -j ACCEPT
+-j DROP
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -j O-vnet0-ipv4
+-p ARP -j O-vnet0-arp
+-p 0x8035 -j O-vnet0-rarp
+-j DROP
+#ebtables -t nat -L I-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
+-s ! 52:54:0:9f:33:da -j DROP
+-p IPv4 --ip-src ! 10.1.1.1 -j DROP
+#ebtables -t nat -L O-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
+-j ACCEPT
+#ebtables -t nat -L I-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
+-s ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-mac-src ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-ip-src ! 10.1.1.1 -j DROP
+-p ARP --arp-op Request -j ACCEPT
+-p ARP --arp-op Reply -j ACCEPT
+-j DROP
+#ebtables -t nat -L O-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
+-p ARP --arp-op Reply --arp-mac-dst ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-ip-dst ! 10.1.1.1 -j DROP
+-p ARP --arp-op Request -j ACCEPT
+-p ARP --arp-op Reply -j ACCEPT
+-j DROP
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
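Review bot: the expected rules hard-code 52:54:0:9f:33:da and 10.1.1.1, which are the literals main passes to createVM for the second VM in nwfilter2vmtest.sh, so changing either place breaks the other without any hint as to why. Define the MAC and IP once in the script and substitute them into this file the same way ORIG_IFNAME is substituted. Also confirm that "-p 0x835 -j ACCEPT" directly after "-p 0x8035 -j I-vnet0-rarp" in libvirt-I-vnet0 is intended and not a typo captured from a live system; libvirt-O-vnet0 has no matching entry.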
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
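Review bot: the third rule uses srcipmask='129', which is beyond the 128-bit maximum for an IPv6 prefix, with nothing in the file saying this is a deliberate invalid-input case. Add an XML comment stating what is expected for it (definition rejected, rule skipped, or rule installed without the source match) so a reader can tell a regression from intended behaviour; the same applies to all-ipv6-test.xml and esp-ipv6-test.xml, which repeat the pattern.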
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
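Review bot: the second and third rules (direction='in', srcipaddr='10.1.2.3', srcipmask='22', dscp='33') are identical, so the third adds no coverage. The IPv6 variant uses its third rule for an out-of-range mask; either do the equivalent here or drop the duplicate. all-test.xml and esp-test.xml carry the same duplicated rule.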
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/conntrack-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/conntrack-test.xml
@@ -0,0 +1,12 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <icmp connlimit-above='1'/>
+ </rule>
+ <rule action='drop' direction='out' priority='500'>
+ <tcp connlimit-above='2'/>
+ </rule>
+ <rule action='accept' direction='out' priority='500'>
+ <all/>
+ </rule>
+</filter>
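Review bot: this file gives tck-testcase the uuid 0a5288ea-612c-834a-6bbf-82a03a1a3244 while the other tck-testcase definitions in the patch use 5c6d49af-b071-6127-b4ec-6f8ed4b55335. doTest redefines the same filter name from each file and sends the nwfilter-define output to /dev/null without checking its status, so if the define is refused over the UUID change the test goes on to compare against the previous filter's rules. Drop the uuid elements from the test inputs, or check the define result in doTest and report it as a failure.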
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
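Review bot: the second and third rules are identical (both direction='in' with srcipaddr='10.1.2.3' srcipmask='22' dscp='33'), so the third adds no coverage. icmp-test.xml varies type and code between its last two rules; here, and in igmp-test.xml and udplite-test.xml which repeat the same pair, either change one attribute in the third rule or drop it.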
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
@@ -0,0 +1,56 @@
+<filter name='tck-testcase'>
+ <uuid>01a992d2-f8c8-7c27-f69b-ab0a9d377379</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='0x123' srcportend='0x234'
+ dstportstart='0x3456' dstportend='0x4567'
+ dscp='0x32'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='tcp'
+ srcportstart='0x111' srcportend='400'
+ dstportstart='0x3333' dstportend='65535'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='0x12'
+ protocoltype='0x56'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='0x22'
+ srcportstart='0x123' srcportend='400'
+ dstportstart='0x234' dstportend='0x444'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x40'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'/>
+ </rule>
+
+</filter>
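Review bot: dscp='0x40' in the tcp-ipv6 rule is 64, one past the 6-bit DSCP maximum of 0x3f, while the other hex values in this file are in range. If the file is meant to exercise hex parsing only, use an in-range value such as 0x3f; if the out-of-range value is intended, say so in a comment next to the rule so the hex test and the range test are not confused.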
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction-test.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+ <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+ <!-- allow incoming ICMP Echo Reply -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Request -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction2-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction2-test.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <!-- allow incoming ICMP Echo Request -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Reply -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction3-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction3-test.xml
@@ -0,0 +1,10 @@
+<filter name='tck-testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp/>
+ </rule>
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <all/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' type='255' code='255'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' type='256' code='256'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33' type='255' code='255'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33' type='256' code='256'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/igmp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/igmp-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
@@ -0,0 +1,34 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.128.0'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.0'
+ protocol='17' dscp='63'
+ />
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.255.254'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.128'
+ protocol='255' dscp='64'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.255.127'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.254'
+ protocol='256' dscp='64'
+ />
+ </rule>
+</filter>
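Review bot: the last rule stacks three suspect values at once: srcipmask='255.255.255.127' (non-contiguous), protocol='256' (past the 8-bit protocol field) and dscp='64' (past the 6-bit DSCP field). Whatever the expected outcome is, the test cannot tell which attribute caused it. Split these into one rule per bad value so that a regression in the validation of any single field is caught.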
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
@@ -0,0 +1,14 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='drop' direction='inout'>
+ <!-- should use $MAC for MAC address, but tests would depend on VM's
+ MAC address -->
+ <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+ </rule>
+
+ <rule action='drop' direction='in'>
+ <!-- not accepting incoming traffic from a certain MAC address -->
+ <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+ </rule>
+
+</filter>
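Review bot: the comment on the second rule does not match the rule. It says "not accepting incoming traffic from a certain MAC address", but the rule is action='drop' with match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'. If match='no' negates the match, as the anti-spoofing use in the first rule implies, this drops incoming traffic from every source MAC except aa:aa:aa:aa:aa:aa. Please fix either the comment or the rule so the intended policy is unambiguous.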
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
@@ -0,0 +1,43 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='18'
+ />
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
@@ -0,0 +1,23 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='1536'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='15'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='65535'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
@@ -0,0 +1,33 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='rarp'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535' />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65536' hwtype='65536' protocoltype='65536' />
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-rule-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-rule-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+</filter>
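Review bot: `<filterref filter='clean-traffic'/>` makes this test, and ref-test.xml below it, depend on a filter named clean-traffic already being defined on the host under test, and nothing in these files creates it or checks for it. Please have the test define the referenced filter itself or skip with a clear message when it is missing, so a failure here is not mistaken for a conversion bug.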
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-test.xml
@@ -0,0 +1,4 @@
+<filter name='tck-testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='false'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='0'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
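Review bot: the third rule tests two things at once. It is the only rule using the statematch='0' spelling, and it also carries dstportend='65536', which is past the 16-bit port range. If the rule is rejected or altered because of the port, the '0' spelling of statematch is never exercised. Move statematch='0' onto a rule with in-range ports and keep the port-range case in a rule of its own.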
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
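Review bot: srcipaddr='a:b:c' in the second rule is not a valid IPv6 address; tcp-ipv6-test.xml and sctp-ipv6-test.xml use 'a:b:c::' in the same position. If this is a typo, add the trailing '::'. If it is a deliberate malformed-address case, add a comment and keep it out of a rule that is otherwise a copy of the valid sibling tests.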
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-test.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN ah ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED
+RETURN ah ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED
+ACCEPT ah a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT ah ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT ah ::/0 a:b:c::/128 DSCP match
0x21
+ACCEPT ah ::/0 ::10.1.2.3/128 DSCP match
0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
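Review bot: this hunk has been line-wrapped by the mailer. The header declares 28 added lines and there are exactly 28 lines starting with '+', so the lines without a prefix (for example "01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED" and "match --physdev-in vnet0") are continuations of the line above them. As posted the patch is unlikely to apply, and even if it is repaired by hand the expected output will not match byte for byte. Please resend as an attachment or with wrapping disabled; the same applies to the other .fwall files and to the "Index:" lines that were split in two.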
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -0,0 +1,32 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN all ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED
+RETURN all ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED
+ACCEPT all a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT all ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT all ::/0 a:b:c::/128 DSCP match
0x21
+ACCEPT all ::/0 ::10.1.2.3/128 DSCP match
0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#ip6tables -L FORWARD --line-number | grep libvirt
+1 libvirt-in all anywhere anywhere
+2 libvirt-out all anywhere anywhere
+3 libvirt-in-post all anywhere anywhere
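Review bot: the expected output pins host state that the filter under test does not control: `1 libvirt-host-in` in INPUT, positions 1 to 3 for the libvirt chains in FORWARD, and the interface name vnet0 throughout. On a host with other rules ahead of libvirt's, or with another guest already running, the comparison fails without any filter bug. Consider matching on chain name only (drop the line numbers) and substituting the interface name at run time.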
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
@@ -0,0 +1,30 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#iptables -L FORWARD --line-number | grep libvirt
+1 libvirt-in all -- anywhere anywhere
+2 libvirt-out all -- anywhere anywhere
+3 libvirt-in-post all -- anywhere anywhere
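Review bot: the last command, `iptables -L FORWARD --line-number | grep libvirt`, is the only one in this file without -n, which is why its expected lines read "anywhere" instead of 0.0.0.0/0. Add -n so the listing never attempts name resolution and the format matches the rest of the file; the three expected lines then need 0.0.0.0/0 in place of anywhere.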
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
@@ -0,0 +1,24 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN esp ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED
+RETURN esp ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED
+ACCEPT esp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT esp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT esp ::/0 a:b:c::/128 DSCP match
0x21
+ACCEPT esp ::/0 ::10.1.2.3/128 DSCP match
0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
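Review bot: The long rule lines in esp-test.fwall are wrapped onto continuation lines that carry no leading "+", for example "01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED" after the first RETURN rule and the bare "vnet0" lines at the end. The header "@@ -0,0 +1,26 @@" matches the 26 "+" lines, so those continuations are mail wrapping, not file content, and the patch as posted is unlikely to apply. Because these .fwall files are compared against exact command output, please resend with line wrapping disabled or as an attachment. The same wrapping is visible in the other new .fwall files.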
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -0,0 +1,68 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst
10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport
13398:17767 -j ACCEPT
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d
aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst
::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp
--ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype
18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f
-j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p 0x1234 -j ACCEPT
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092
+#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
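Review bot: The tail of hex-data-test.fwall repeats checks made earlier in the same file. The four iptables commands for libvirt-host-in, libvirt-in, libvirt-in-post and libvirt-out appear once with "grep HI-vnet0" / "grep FI-vnet0" and again with "grep vnet0", with identical expected output, and the four ip6tables commands for the same chains appear twice verbatim. Only "#ip6tables -L INPUT -n --line-numbers | grep libvirt" is new in the trailing block. Suggest dropping the repeated pairs and keeping that INPUT check, so that a future change to the expected output does not have to be made in two places.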
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
8 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
0 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
0 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
8 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 state
NEW,ESTABLISHED
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11
+ACCEPT icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -0,0 +1,26 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state
NEW,ESTABLISHED
+RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 state
NEW,ESTABLISHED
+ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11
+ACCEPT icmpv6 ::/0 ::10.1.2.3/128 DSCP
match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst
10.1.2.3 --ip-proto udp --ip-sport 20:22 --ip-dport 100:101 -j ACCEPT
+-p IPv4 --ip-src 10.1.0.0/17 --ip-dst 10.1.2.0/24 --ip-tos 0x3F
--ip-proto udp -j ACCEPT
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.3 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-proto 255 -j ACCEPT
+-p IPv4 --ip-src 10.1.2.3 --ip-dst 10.1.2.2/31 -j ACCEPT
+
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC !
12:34:56:78:9A:BC
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC !
AA:AA:AA:AA:AA:AA
+#iptables -L HI-vnet0
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
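Review bot: "#iptables -L HI-vnet0" in ipt-no-macspoof-test.fwall is the only chain listing in this file without "-n"; the FI-vnet0 and FO-vnet0 listings just above both use it. The chain is expected to be empty here, so the output is the same, but without "-n" iptables will try to resolve addresses to names as soon as a rule is present. Suggest "#iptables -L HI-vnet0 -n" for consistency with the other listings.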
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
@@ -0,0 +1,13 @@
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d
aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst
::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp
--ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst
1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport
100:101 --ip6-dport 20:22 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst
1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport
65535 --ip6-dport 255:256 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst
1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
--ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport
20:22 --ip6-dport 100:101 -j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
--ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport
255:256 --ip6-dport 65535 -j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
--ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0x600 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0xffff -d aa:bb:cc:dd:ee:ff -j ACCEPT
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0 | sed s/0x8035/RARP/g | grep -v
"^Bridge" | grep -v "^$"
+-p RARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request
--arp-htype 12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst
a:b:c:d:e:f -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype
0xff -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j
ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype
0xffff -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN sctp ::/0 a:b:c::/128 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED
+ACCEPT sctp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT sctp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT sctp ::/0 a:b:c::/128 DSCP match
0x21sctp spts:100:1111 dpts:20:21
+ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match
0x3fsctp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21sctp spts:100:1111 dpts:20:21
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fsctp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN tcp ::/0 a:b:c::/128 DSCP match
0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN tcp ::/0 ::10.1.2.3/128 DSCP match
0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT tcp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT tcp ::/0 a:b:c::/128 DSCP match
0x21tcp spts:100:1111 dpts:20:21
+ACCEPT tcp ::/0 ::10.1.2.3/128 DSCP match
0x3ftcp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21tcp spts:100:1111 dpts:20:21
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3ftcp spt:65535 dpts:255:256
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21tcp spts:100:1111 dpts:20:21
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3ftcp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
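Review bot: In tcp-test.fwall the second and third rules of FI-vnet0 and FO-vnet0 (DSCP 0x21 and 0x3f) have no state match, for example "DSCP match 0x21tcp spts:100:1111 dpts:20:21" with nothing after it, while the first rule in each chain carries "state NEW,ESTABLISHED" or "state ESTABLISHED". The corresponding rules in tcp-ipv6-test.fwall, sctp-test.fwall and udp-test.fwall all end in a state match. If the matching XML rules deliberately switch connection tracking off, please say so in the commit message or next to the test; otherwise this expected output records rules that accept these TCP packets regardless of connection state, and the test would pass on that behaviour.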
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udp ::/0 ::/0 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED
+ACCEPT udp ::/0 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT udp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udp ::/0 ::/0 DSCP match
0x21udp spts:100:1111 dpts:20:21
+ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match
0x3fudp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
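Review bot: The second rule in each chain of udp-ipv6-test.fwall matches any address: "RETURN udp ::/0 ::/0 DSCP match 0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED" in FI-vnet0, and likewise "::/0 ::/0" in FO-vnet0 and HI-vnet0. The same rule position in tcp-ipv6-test.fwall and sctp-ipv6-test.fwall is restricted to a:b:c::/128. Please confirm that the UDP test XML really specifies no address for this rule. If it does specify one, this file would lock in output where the address match has been lost and the rule is wider than intended.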
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21udp spts:100:1111 dpts:20:21
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fudp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udplite ::/0 a:b:c::/128 DSCP
match 0x21state ESTABLISHED
+RETURN udplite ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP
match 0x02state ESTABLISHED
+ACCEPT udplite a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT udplite ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udplite ::/0 a:b:c::/128 DSCP
match 0x21
+ACCEPT udplite ::/0 ::10.1.2.3/128 DSCP
match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
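Review bot: The expected FI-vnet0, FO-vnet0 and HI-vnet0 listings are raw `ip6tables -L` output, including fused fields such as `DSCP match 0x02state NEW,ESTABLISHED`, so the test pins the print format of one ip6tables build rather than the rule semantics. Consider normalizing the chain listings the way the later `tr -s " "` checks do, or comparing parsed fields (target, protocol, source, destination, MAC, DSCP, state), so that a cosmetic change in ip6tables output is not reported as a filtering regression.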
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP
match 0x02state ESTABLISHED
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
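Review bot: This IPv4 expectation file never checks that `libvirt-host-in` is hooked into the INPUT chain, while the IPv6 counterpart above asserts it with `ip6tables -L INPUT -n --line-numbers | grep libvirt`. Without that check the HI-vnet0 rules could be listed correctly yet never be reached and the test would still pass; add the equivalent `iptables -L INPUT -n --line-numbers | grep libvirt` line or say why it is omitted here. The second and third rules in each chain are also identical as printed, so the listing cannot show which filter rule produced which line.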
[libvirt] [PATCH v2 0/2] Fix problems on using lxc with cgroup ns subsystem
by Ryota Ozaki 24 Jun '10
The patch set fixes two problems of lxc that happen when ns
subsystem is enabled with memory subsystem at the same time.
The first problem is that cgroup subdirectories that are
automatically created by ns subsystem remain after domain
shutdown. The second problem is that memory usage is not
properly accounted.
v2 fixes a bunch of defects pointed out by Eric Blake.
Changes from v1:
- correct readdir error handling
- avoid stack-allocating PATH_MAX, use virAsprintf() instead
- add missing closedir()
- ensure _() in the string of VIR_ERROR
- change the flag of virCgroupMakeGroup from int to bool
- fix typo in commit log
- change some 'child' to 'descendant' in commit log to make
representation proper
Ryota Ozaki (2):
cgroup: Change virCgroupRemove to remove all descendant groups at first
cgroup: Enable memory.use_hierarchy of cgroup for domain
src/util/cgroup.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++++----
1 files changed, 114 insertions(+), 8 deletions(-)
23 Jun '10
http://bugzilla.redhat.com/601143 complained that there was no
documentation of the fact that 'attach-disk' on a floppy or
cdrom is really a way to change the contents of the media in that
disk, rather than a request to add a second virtual device.
Back in March, we changed things to add a new command to make
better sense at the API level, but didn't expose it well in virsh.
Eric Blake (2):
virsh: document attach-disk better
virsh: introduce change-disk command
tools/virsh.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
tools/virsh.pod | 24 ++++++++++-
2 files changed, 141 insertions(+), 5 deletions(-)
From: Alan Pevec <apevec(a)redhat.com>
Libvirt managed virtual network can provide TFTP service,
in which case port 69/udp needs to be opened.
1/2 bridge_driver.c: fix file description
2/2 network: allow tftp port if tftp is defined
[libvirt] [PATCH] Add missing parameter in python Disk IO error callback
by Daniel P. Berrange 23 Jun '10
The IO error callback was forgetting to pass the action
parameter, causing a stack trace when IO errors arrive
* python/libvirt-override-virConnect.py: Add missing action
parameter in IO error callback
---
python/libvirt-override-virConnect.py | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/python/libvirt-override-virConnect.py b/python/libvirt-override-virConnect.py
index df39b79..1a1cdd0 100644
--- a/python/libvirt-override-virConnect.py
+++ b/python/libvirt-override-virConnect.py
@@ -94,7 +94,7 @@
cb = cbData["cb"]
opaque = cbData["opaque"]
- cb(self, virDomain(self, _obj=dom), srcPath, devAlias, opaque)
+ cb(self, virDomain(self, _obj=dom), srcPath, devAlias, action, opaque)
return 0
except AttributeError:
pass
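Review bot: The `except AttributeError: pass` in the trailing context of this hunk also catches any AttributeError raised inside the user's `cb`, so a bug in the application callback is silently dropped. Since this fix changes the argument list that callbacks receive, narrow the `try` so it does not wrap the `cb(...)` call, or log the exception, and state in the callback's documentation that `action` now precedes `opaque`.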
--
1.6.6.1
[libvirt] [PATCH 0/2][RESEND] Fix problems on using lxc with cgroup ns subsystem
by Ryota Ozaki 23 Jun '10
The patch set fixes two problems of lxc that happen when ns
subsystem is enabled with memory subsystem at the same time.
The first problem is that cgroup subdirectories that are
automatically created by ns subsystem remain after domain
shutdown. The second problem is that memory usage is not
properly accounted.
Ryota Ozaki (2):
cgroup: Change virCgroupRemove to remove all child groups at first
cgroup: Enable memory.use_hierarchy of cgroup for domain
[libvirt] [PATCH] Improve some error messages about unsupported APIs/URIs
by Daniel P. Berrange 23 Jun '10
If there is no driver for a URI we report
"no hypervisor driver available"
This is bad because not all virt drivers are hypervisors (ie container
based virt).
If there is no driver support for an API we report
"this function is not supported by the hypervisor"
This is bad for the same reason, and additionally because it is
also used for the network, interface & storage drivers.
* src/util/virterror.c: Improve error messages
---
src/util/virterror.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/util/virterror.c b/src/util/virterror.c
index 96dd1e7..9f632ec 100644
--- a/src/util/virterror.c
+++ b/src/util/virterror.c
@@ -760,15 +760,15 @@ virErrorMsg(virErrorNumber error, const char *info)
break;
case VIR_ERR_NO_SUPPORT:
if (info == NULL)
- errmsg = _("this function is not supported by the hypervisor");
+ errmsg = _("this function is not supported by the connection driver");
else
- errmsg = _("this function is not supported by the hypervisor: %s");
+ errmsg = _("this function is not supported by the connection driver: %s");
break;
case VIR_ERR_NO_CONNECT:
if (info == NULL)
- errmsg = _("no hypervisor driver available");
+ errmsg = _("no connection driver available");
else
- errmsg = _("no hypervisor driver available for %s");
+ errmsg = _("no connection driver available for %s");
break;
case VIR_ERR_INVALID_CONN:
if (info == NULL)
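Review bot: All four changed strings are `_()` msgids, so rewording them discards the existing translations of these two errors until the po files are refreshed, and anything that matches the old text (test expectations, scripts grepping for "not supported by the hypervisor") stops matching. Say so in the commit message and update any such expectations in the same patch. "connection driver" does cover the container, network, interface and storage cases the commit message names, but it is internal vocabulary, so a short definition in the user documentation would help people who see the message.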
--
1.6.6.1
[libvirt] [PATCH] Fix several undefined symbol errors in loadable driver modules
by Matthias Bolte 23 Jun '10
Link all loadable driver modules to libvirt.la and libgnu.la.
Add several missing symbols to libvirt_private.syms in order to
have them properly exported.
---
src/Makefile.am | 25 ++++++++++++++++++++++---
src/libvirt_private.syms | 25 +++++++++++++++++++++++++
tests/Makefile.am | 6 +++++-
3 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index ece18a6..588adf5 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -456,6 +456,7 @@ libvirt_driver_test_la_CFLAGS = \
-I@top_srcdir@/src/conf
if WITH_DRIVER_MODULES
libvirt_driver_test_la_LDFLAGS = -module -avoid-version
+libvirt_driver_test_la_LIBADD = libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_test_la_SOURCES = $(TEST_DRIVER_SOURCES)
endif
@@ -475,6 +476,7 @@ libvirt_driver_remote_la_LDFLAGS =
libvirt_driver_remote_la_LIBADD = $(GNUTLS_LIBS) $(SASL_LIBS)
if WITH_DRIVER_MODULES
libvirt_driver_remote_la_LDFLAGS += -module -avoid-version
+libvirt_driver_remote_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_remote_la_SOURCES = $(REMOTE_DRIVER_SOURCES)
@@ -525,6 +527,7 @@ libvirt_driver_xen_la_LDFLAGS =
libvirt_driver_xen_la_LIBADD = $(XEN_LIBS)
if WITH_DRIVER_MODULES
libvirt_driver_xen_la_LDFLAGS += -module -avoid-version
+libvirt_driver_xen_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_xen_la_SOURCES = $(XEN_DRIVER_SOURCES)
endif
@@ -539,6 +542,10 @@ endif
libvirt_driver_phyp_la_LIBADD = $(LIBSSH2_LIBS)
libvirt_driver_phyp_la_CFLAGS = $(LIBSSH2_CFLAGS) \
-I@top_srcdir@/src/conf
+if WITH_DRIVER_MODULES
+libvirt_driver_phyp_la_LDFLAGS = -module -avoid-version
+libvirt_driver_phyp_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
+endif
libvirt_driver_phyp_la_SOURCES = $(PHYP_DRIVER_SOURCES)
endif
@@ -553,6 +560,7 @@ libvirt_driver_openvz_la_CFLAGS = \
-I@top_srcdir@/src/conf
if WITH_DRIVER_MODULES
libvirt_driver_openvz_la_LDFLAGS = -module -avoid-version
+libvirt_driver_openvz_la_LIBADD = libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_openvz_la_SOURCES = $(OPENVZ_DRIVER_SOURCES)
endif
@@ -566,10 +574,11 @@ libvirt_la_BUILT_LIBADD += libvirt_driver_vbox.la
endif
libvirt_driver_vbox_la_CFLAGS = \
-I@top_srcdir@/src/conf
+libvirt_driver_vbox_la_LIBADD = $(DLOPEN_LIBS)
if WITH_DRIVER_MODULES
libvirt_driver_vbox_la_LDFLAGS = -module -avoid-version
+libvirt_driver_vbox_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
-libvirt_driver_vbox_la_LIBADD = $(DLOPEN_LIBS)
libvirt_driver_vbox_la_SOURCES = $(VBOX_DRIVER_SOURCES)
endif
@@ -586,6 +595,7 @@ libvirt_driver_xenapi_la_LDFLAGS =
libvirt_driver_xenapi_la_LIBADD = $(LIBXENSERVER_LIBS) $(LIBCURL_LIBS)
if WITH_DRIVER_MODULES
libvirt_driver_xenapi_la_LDFLAGS += -module -avoid-version
+libvirt_driver_xenapi_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_xenapi_la_SOURCES = $(XENAPI_DRIVER_SOURCES)
endif
@@ -604,6 +614,7 @@ libvirt_driver_qemu_la_LDFLAGS =
libvirt_driver_qemu_la_LIBADD = $(NUMACTL_LIBS)
if WITH_DRIVER_MODULES
libvirt_driver_qemu_la_LDFLAGS += -module -avoid-version
+libvirt_driver_qemu_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_qemu_la_SOURCES = $(QEMU_DRIVER_SOURCES)
@@ -629,6 +640,7 @@ libvirt_driver_lxc_la_CFLAGS = \
-I@top_srcdir@/src/conf
if WITH_DRIVER_MODULES
libvirt_driver_lxc_la_LDFLAGS = -module -avoid-version
+libvirt_driver_lxc_la_LIBADD = libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_lxc_la_SOURCES = $(LXC_DRIVER_SOURCES)
@@ -654,6 +666,7 @@ libvirt_driver_uml_la_LDFLAGS =
libvirt_driver_uml_la_LIBADD = $(NUMACTL_LIBS)
if WITH_DRIVER_MODULES
libvirt_driver_uml_la_LDFLAGS += -module -avoid-version
+libvirt_driver_uml_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_uml_la_SOURCES = $(UML_DRIVER_SOURCES)
endif
@@ -673,6 +686,7 @@ libvirt_driver_one_la_LIBADD = $(XMLRPC_LIBS)
#libvirt_driver_one_la_CFLAGS = "-DWITH_ONE"
if WITH_DRIVER_MODULES
libvirt_driver_one_la_LDFLAGS += -module -avoid-version
+libvirt_driver_one_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_one_la_SOURCES = $(ONE_DRIVER_SOURCES)
endif
@@ -696,6 +710,7 @@ libvirt_driver_esx_la_LDFLAGS =
libvirt_driver_esx_la_LIBADD = $(LIBCURL_LIBS)
if WITH_DRIVER_MODULES
libvirt_driver_esx_la_LDFLAGS += -module -avoid-version
+libvirt_driver_esx_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_esx_la_SOURCES = $(ESX_DRIVER_SOURCES)
libvirt_driver_esx_la_DEPENDENCIES = $(ESX_DRIVER_GENERATED)
@@ -713,6 +728,7 @@ libvirt_driver_network_la_CFLAGS = \
-I@top_srcdir@/src/conf
if WITH_DRIVER_MODULES
libvirt_driver_network_la_LDFLAGS = -module -avoid-version
+libvirt_driver_network_la_LIBADD = libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_network_la_SOURCES = $(NETWORK_DRIVER_SOURCES)
endif
@@ -734,6 +750,7 @@ libvirt_driver_interface_la_LDFLAGS =
libvirt_driver_interface_la_LIBADD = $(NETCF_LIBS)
if WITH_DRIVER_MODULES
libvirt_driver_interface_la_LDFLAGS += -module -avoid-version
+libvirt_driver_interface_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_interface_la_SOURCES = $(INTERFACE_DRIVER_SOURCES)
endif
@@ -750,7 +767,7 @@ libvirt_driver_secret_la_CFLAGS = \
-I@top_srcdir@/src/conf
if WITH_DRIVER_MODULES
libvirt_driver_secret_la_LDFLAGS = -module -avoid-version
-libvirt_driver_secret_la_LIBADD = ../gnulib/lib/libgnu.la
+libvirt_driver_secret_la_LIBADD = libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_secret_la_SOURCES = $(SECRET_DRIVER_SOURCES)
endif
@@ -771,6 +788,7 @@ noinst_LTLIBRARIES += libvirt_driver_storage.la
endif
if WITH_DRIVER_MODULES
libvirt_driver_storage_la_LDFLAGS += -module -avoid-version
+libvirt_driver_storage_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_storage_la_SOURCES += $(STORAGE_DRIVER_SOURCES)
libvirt_driver_storage_la_SOURCES += $(STORAGE_DRIVER_FS_SOURCES)
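Review bot: `libvirt_driver_storage_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la` appends to a variable that is not assigned anywhere in this hunk's context, and automake rejects `+=` on a variable that was never set with `=`. The remote, xen, qemu and esx hunks show their initial `..._LIBADD = ...` line in context; please confirm one exists for storage (and for nodedev in the next hunk), or use `=` as the test, openvz, lxc and network hunks do.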
@@ -826,6 +844,7 @@ endif
if WITH_DRIVER_MODULES
libvirt_driver_nodedev_la_LDFLAGS += -module -avoid-version
+libvirt_driver_nodedev_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
endif
@@ -843,7 +862,7 @@ libvirt_driver_nwfilter_la_LDFLAGS =
libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS)
if WITH_DRIVER_MODULES
libvirt_driver_nwfilter_la_LDFLAGS += -module -avoid-version
-libvirt_driver_nwfilter_la_LIBADD += ../gnulib/lib/libgnu.la
+libvirt_driver_nwfilter_la_LIBADD += libvirt.la ../gnulib/lib/libgnu.la
endif
libvirt_driver_nwfilter_la_SOURCES = $(NWFILTER_DRIVER_SOURCES)
endif
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 4e61e55..b6d36a2 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -4,6 +4,11 @@
#
+# authhelper.h
+virRequestUsername;
+virRequestPassword;
+
+
# bitmap.h
virBitmapAlloc;
virBitmapFree;
@@ -17,6 +22,8 @@ virBufferVSprintf;
virBufferEscapeString;
virBufferAdd;
virBufferAddChar;
+virBufferStrcat;
+virBufferUse;
virBufferContentAndReset;
virBufferError;
virBufferURIEncodeString;
@@ -139,7 +146,9 @@ virDomainDeleteConfig;
virDomainDeviceDefFree;
virDomainDeviceDefParse;
virDomainDeviceTypeToString;
+virDomainDiskTypeToString;
virDomainDiskBusTypeToString;
+virDomainDiskCacheTypeToString;
virDomainDiskDefFree;
virDomainDiskDeviceTypeToString;
virDomainDiskInsert;
@@ -222,6 +231,7 @@ virDomainSnapshotHasChildren;
virDomainSnapshotObjUnref;
virDomainSnapshotDefParseString;
virDomainSnapshotDefFormat;
+virDomainSnapshotDefFree;
virDomainSnapshotAssignDef;
virDomainObjAssignDef;
@@ -494,6 +504,8 @@ virNodeDeviceObjListFree;
virNodeDeviceDefFree;
virNodeDevCapsDefFree;
virNodeDeviceDefFormat;
+virNodeDeviceDefParseFile;
+virNodeDeviceDefParseNode;
virNodeDeviceDefParseString;
virNodeDeviceObjLock;
virNodeDeviceObjUnlock;
@@ -633,6 +645,7 @@ virStorageFileIsSharedFS;
# threads.h
virMutexInit;
+virMutexInitRecursive;
virMutexDestroy;
virMutexLock;
virMutexUnlock;
@@ -645,13 +658,20 @@ virCondSignal;
virCondBroadcast;
# util.h
+virBuildPathInternal;
+virDirCreate;
+virFileOperation;
virFileReadAll;
virFileWriteStr;
+virFileStripSuffix;
+virFork;
virStrToLong_i;
virStrToLong_ll;
virStrToLong_ull;
virStrToLong_ui;
virStrToDouble;
+virStrcpy;
+virStrncpy;
virFileLinkPointsTo;
virFileResolveLink;
saferead;
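Review bot: Nothing in the patch keeps this hand-maintained export list in step with what the modules use, so the util.h additions here (`virFork`, `virFileOperation`, `virStrcpy`, ...) fix today's failures but not the next one. Add a build-time check, for example linking each module with `-Wl,--no-undefined` now that the modules link against libvirt.la, or a test that loads every built module, so a missing symbol fails the build instead of the driver load.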
@@ -687,6 +707,7 @@ virParseVersionString;
virPipeReadUntilEOF;
virAsprintf;
virRun;
+virRunWithHook;
virSkipSpaces;
virKillProcess;
virGetUserDirectory;
@@ -697,6 +718,10 @@ virFileFindMountPoint;
virFileWaitForDevices;
virFileMatchesNameSuffix;
virArgvToString;
+virRandom;
+virRandomInitialize;
+virIndexToDiskName;
+
# interface.h
ifaceCtrl;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a3661f6..a6a8fea 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -39,6 +39,10 @@ LDADDS = \
$(LIBSOCKET) \
$(COVERAGE_LDFLAGS)
+if WITH_DRIVER_MODULES
+LDADDS += ../src/libvirt.la
+endif
+
EXTRA_DIST = \
oomtrace.pl \
test-lib.sh \
@@ -329,7 +333,7 @@ nodeinfotest_LDADD = $(LDADDS)
statstest_SOURCES = \
statstest.c testutils.h testutils.c
-statstest_LDADD = $(LDADDS)
+statstest_LDADD = ../src/libvirt_driver_xen.la $(LDADDS)
if WITH_SECDRIVER_SELINUX
seclabeltest_SOURCES = \
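Review bot: `statstest_LDADD = ../src/libvirt_driver_xen.la $(LDADDS)` is added unconditionally, unlike the `LDADDS += ../src/libvirt.la` line in the previous hunk, which is guarded by `if WITH_DRIVER_MODULES`. Nothing in the visible context restricts it to module builds or to builds with the Xen driver, so check that a build without Xen, and a non-module build, still link statstest, and guard the line with the matching conditionals if they do not.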
--
1.7.0.4
Luis:
I have looked over the patches which you have posted up at
http://github.com/LuisCM/libvirt-java-0.4.6/commits/master. First and
foremost, thank you for your interest in libvirt and the java bindings.
A couple of minor comments. It would be easier for me if the repo did
not have a version number, and if it were just a clone of the main repo
with changes on top of it. Second, please try and remove trailing white
spaces from files you check in. Most IDEs allow this by default.
Finally, please try and separate out style/formatting changes from
functional ones. It makes it easier to know what to bring in.
Now..
Commit fc394b15e6e1f0f5135bdfd3335b6cc26b635ae7
===============================================
This was a big change, but the pattern I see is:
1) Make everything final
2) ( xxxx ) instead of (xxx)
3) Comment clean up.
4) Explicit use of this.
Is that correct? Are there other items in there? If so, on (1) what is
the reason for making everything final? Is this a performance choice? I
personally tend to make nothing private since it limits what others can
do with the code. Final seems to add in similar constraints.
Commit 44055c0ab13c56190e9cc00f71b71e23b2fc7c9b
===============================================
This looks like adding some better toStrings. Is that correct?
-- bk
Hi,
Installed RHEL 5.5 on AMD Opteron.
[root@wlng-ppcore-nd3 ~]# uname -a
Linux wlng-ppcore-nd3 2.6.18-194.el5 #1 SMP Tue Mar 16 21:52:39 EDT 2010
x86_64 x86_64 x86_64 GNU/Linux
[root@wlng-ppcore-nd3 ~]# virsh version
Compiled against library: libvir 0.6.3
Using library: libvir 0.6.3
Using API: QEMU 0.6.3
Running hypervisor: QEMU 0.9.1
This is the default version of virsh using libvirt 0.6.3.
Downloaded libvirt 0.8.1, configured it as follows:
$ configure
$ make
$ make install
What should be done so that virsh uses the latest 0.8.1 libvirtd binary, how
to completely stop 0.6.3?
I want to execute a program using virDomainMemoryStats which is not
available in 0.6.3 libvirt.
Thanks,
Avdhoot
[libvirt] [PATCH] Don't leak open fd to virsh in libvirt-guests init script
by Jiri Denemark 22 Jun '10
Running virsh while having /var/lib/libvirt/libvirt-guests file open
makes SELinux emit messages about preventing virsh from reading that
file. Since virsh doesn't really want to read anything, it's better to
run it with /dev/null on stdin to prevent those messages.
---
daemon/libvirt-guests.init.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/daemon/libvirt-guests.init.in b/daemon/libvirt-guests.init.in
index 17e6824..f99c070 100644
--- a/daemon/libvirt-guests.init.in
+++ b/daemon/libvirt-guests.init.in
@@ -61,7 +61,7 @@ run_virsh() {
conn="-c $uri"
fi
- virsh $conn "$@"
+ virsh $conn "$@" </dev/null
}
run_virsh_c() {
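Review bot: `run_virsh()` now discards stdin for every caller, but the reason is recorded only in the commit message. Put a short comment above `virsh $conn "$@" </dev/null` saying that the libvirt-guests list file may be open on stdin and that SELinux denies virsh access to it, so a later cleanup does not remove the redirect. `$conn` is still expanded unquoted on that line, which works only while the URI contains no whitespace or glob characters.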
--
1.7.1
Following Daniel Berrange's multiple helpful suggestions for improving
this patch and introducing another driver interface, I now wrote the
below patch where the nwfilter driver registers the functions to
instantiate and teardown the nwfilters with a function in
conf/domain_nwfilter.c called virDomainConfNWFilterRegister. Previous
helper functions that were called from qemu_driver.c and qemu_conf.c
were moved into conf/domain_nwfilter.h with slight renaming done for
consistency. Those functions now call the function exported by
domain_nwfilter.c, which in turn calls the functions of the new driver
interface, if available.
V3: no more inline functions
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
src/Makefile.am | 3 +
src/conf/domain_nwfilter.c | 61 +++++++++++++++++++++++++++++++++
src/conf/domain_nwfilter.h | 43 +++++++++++++++++++++++
src/libvirt_private.syms | 5 ++
src/nwfilter/nwfilter_driver.c | 23 ++++++++++++
src/nwfilter/nwfilter_gentech_driver.h | 17 ---------
src/qemu/qemu_conf.c | 17 ++++-----
src/qemu/qemu_driver.c | 10 ++---
8 files changed, 148 insertions(+), 31 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.h
+++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h
@@ -67,21 +67,4 @@ void virNWFilterDomainFWUpdateCB(void *p
const char *name ATTRIBUTE_UNUSED,
void *data);
-
-/* tear down an interface's filter before tearing down the interface */
-static inline void
-virNWFilterTearNWFilter(virDomainNetDefPtr net) {
- if ((net->filter) && (net->ifname))
- virNWFilterTeardownFilter(net);
-}
-
-
-static inline void
-virNWFilterTearVMNWFilters(virDomainObjPtr vm) {
- int i;
-
- for (i = 0; i < vm->def->nnets; i++)
- virNWFilterTearNWFilter(vm->def->nets[i]);
-}
-
#endif
Index: libvirt-acl/src/qemu/qemu_conf.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_conf.c
+++ libvirt-acl/src/qemu/qemu_conf.c
@@ -54,7 +54,7 @@
#include "network.h"
#include "macvtap.h"
#include "cpu/cpu.h"
-#include "nwfilter/nwfilter_gentech_driver.h"
+#include "domain_nwfilter.h"
#define VIR_FROM_THIS VIR_FROM_QEMU
@@ -1514,9 +1514,10 @@ int qemudExtractVersion(struct qemud_dri
/**
* qemudPhysIfaceConnect:
* @conn: pointer to virConnect object
+ * @driver: pointer to the qemud_driver
* @net: pointer to he VM's interface description with direct device type
- * @linkdev: The name of the physical interface to link the macvtap to
- * @brmode: The mode to put the macvtap device into
+ * @qemuCmdFlags: flags for qemu
+ * @vmuuid: The UUID of the VM (needed by 802.1Qbh)
*
* Returns a filedescriptor on success or -1 in case of error.
*/
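Review bot: The doc-comment update for `qemudPhysIfaceConnect` (`@driver`, `@qemuCmdFlags` and `@vmuuid` replacing `@linkdev` and `@brmode`) is unrelated to moving the nwfilter calls behind the new interface and would be easier to review as its own patch. If it stays, fix "pointer to he VM's interface description" in the `@net` context line while you are here.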
@@ -1555,7 +1556,7 @@ qemudPhysIfaceConnect(virConnectPtr conn
if (rc >= 0) {
if ((net->filter) && (net->ifname)) {
- err = virNWFilterInstantiateFilter(conn, net);
+ err = virDomainConfNWFilterInstantiate(conn, net);
if (err) {
close(rc);
rc = -1;
@@ -1688,7 +1689,7 @@ qemudNetworkIfaceConnect(virConnectPtr c
if (tapfd >= 0) {
if ((net->filter) && (net->ifname)) {
- err = virNWFilterInstantiateFilter(conn, net);
+ err = virDomainConfNWFilterInstantiate(conn, net);
if (err) {
close(tapfd);
tapfd = -1;
@@ -4207,7 +4208,7 @@ int qemudBuildCommandLine(virConnectPtr
goto error;
if (VIR_REALLOC_N(*vmfds, (*nvmfds)+1) < 0) {
- virNWFilterTearNWFilter(net);
+ virDomainConfNWFilterTeardown(net);
close(tapfd);
goto no_memory;
}
@@ -4226,7 +4227,7 @@ int qemudBuildCommandLine(virConnectPtr
goto error;
if (VIR_REALLOC_N(*vmfds, (*nvmfds)+1) < 0) {
- virNWFilterTearNWFilter(net);
+ virDomainConfNWFilterTeardown(net);
close(tapfd);
goto no_memory;
}
@@ -4766,7 +4767,7 @@ int qemudBuildCommandLine(virConnectPtr
virReportOOMError();
error:
for (i = 0; i <= last_good_net; i++)
- virNWFilterTearNWFilter(def->nets[i]);
+ virDomainConfNWFilterTeardown(def->nets[i]);
if (vmfds &&
*vmfds) {
for (i = 0; i < *nvmfds; i++)
Index: libvirt-acl/src/qemu/qemu_driver.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_driver.c
+++ libvirt-acl/src/qemu/qemu_driver.c
@@ -81,7 +81,7 @@
#include "xml.h"
#include "cpu/cpu.h"
#include "macvtap.h"
-#include "nwfilter/nwfilter_gentech_driver.h"
+#include "domain_nwfilter.h"
#include "hooks.h"
#include "storage_file.h"
@@ -3576,7 +3576,7 @@ static int qemudStartVMDaemon(virConnect
VIR_FREE(progenv);
if (ret == -1) /* The VM failed to start; tear filters before taps */
- virNWFilterTearVMNWFilters(vm);
+ virDomainConfVMNWFilterTeardown(vm);
if (vmfds) {
for (i = 0 ; i < nvmfds ; i++) {
@@ -3668,7 +3668,7 @@ static void qemudShutdownVMDaemon(struct
* reporting so we don't squash a legit error. */
orig_err = virSaveLastError();
- virNWFilterTearVMNWFilters(vm);
+ virDomainConfVMNWFilterTeardown(vm);
if (driver->macFilter) {
def = vm->def;
@@ -7640,7 +7640,7 @@ cleanup:
VIR_WARN0("Unable to release PCI address on NIC");
if (ret != 0)
- virNWFilterTearNWFilter(net);
+ virDomainConfNWFilterTeardown(net);
VIR_FREE(nicstr);
VIR_FREE(netstr);
@@ -8609,7 +8609,7 @@ qemudDomainDetachNetDevice(struct qemud_
}
qemuDomainObjExitMonitorWithDriver(driver, vm);
- virNWFilterTearNWFilter(detach);
+ virDomainConfNWFilterTeardown(detach);
#if WITH_MACVTAP
if (detach->type == VIR_DOMAIN_NET_TYPE_DIRECT) {
Index: libvirt-acl/src/Makefile.am
===================================================================
--- libvirt-acl.orig/src/Makefile.am
+++ libvirt-acl/src/Makefile.am
@@ -97,7 +97,8 @@ DRIVER_SOURCES = \
# Domain driver generic impl APIs
DOMAIN_CONF_SOURCES = \
conf/capabilities.c conf/capabilities.h \
- conf/domain_conf.c conf/domain_conf.h
+ conf/domain_conf.c conf/domain_conf.h \
+ conf/domain_nwfilter.c conf/domain_nwfilter.h
DOMAIN_EVENT_SOURCES = \
conf/domain_event.c conf/domain_event.h
Index: libvirt-acl/src/conf/domain_nwfilter.h
===================================================================
--- /dev/null
+++ libvirt-acl/src/conf/domain_nwfilter.h
@@ -0,0 +1,43 @@
+/*
+ * domain_nwfilter.h:
+ *
+ * Copyright (C) 2010 IBM Corporation
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Author: Stefan Berger <stefanb(a)us.ibm.com>
+ */
+#ifndef DOMAIN_NWFILTER_H
+# define DOMAIN_NWFILTER_H
+
+typedef int (*virDomainConfInstantiateNWFilter)(virConnectPtr conn,
+ virDomainNetDefPtr net);
+typedef void (*virDomainConfTeardownNWFilter)(virDomainNetDefPtr net);
+
+typedef struct {
+ virDomainConfInstantiateNWFilter instantiateFilter;
+ virDomainConfTeardownNWFilter teardownFilter;
+} virDomainConfNWFilterDriver;
+typedef virDomainConfNWFilterDriver *virDomainConfNWFilterDriverPtr;
+
+void virDomainConfNWFilterRegister(virDomainConfNWFilterDriverPtr driver);
+
+int virDomainConfNWFilterInstantiate(virConnectPtr conn,
+ virDomainNetDefPtr net);
+void virDomainConfNWFilterTeardown(virDomainNetDefPtr net);
+void virDomainConfVMNWFilterTeardown(virDomainObjPtr vm);
+
+#endif /* DOMAIN_NWFILTER_H */
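Review bot: The new header has no `#include` of its own although its prototypes use `virConnectPtr`, `virDomainNetDefPtr` and `virDomainObjPtr`, so it compiles only when the includer has already pulled in the right headers (domain_nwfilter.c includes "internal.h", "datatypes.h" and "domain_conf.h" ahead of it). Make the header self-contained, and add a comment on `virDomainConfNWFilterRegister` describing the contract: who calls it, and what the wrappers do when no driver is registered.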
Index: libvirt-acl/src/conf/domain_nwfilter.c
===================================================================
--- /dev/null
+++ libvirt-acl/src/conf/domain_nwfilter.c
@@ -0,0 +1,61 @@
+/*
+ * domain_nwfilter.c:
+ *
+ * Copyright (C) 2010 IBM Corporation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Author: Stefan Berger <stefanb(a)us.ibm.com>
+ */
+
+#include <config.h>
+
+#include "internal.h"
+
+#include "datatypes.h"
+#include "domain_conf.h"
+#include "domain_nwfilter.h"
+
+static virDomainConfNWFilterDriverPtr nwfilterDriver;
+
+void
+virDomainConfNWFilterRegister(virDomainConfNWFilterDriverPtr driver) {
+ nwfilterDriver = driver;
+}
+
+int
+virDomainConfNWFilterInstantiate(virConnectPtr conn,
+ virDomainNetDefPtr net) {
+ if (nwfilterDriver != NULL)
+ return nwfilterDriver->instantiateFilter(conn, net);
+ /* driver module not available -- don't indicate failure */
+ return 0;
+}
+
+void
+virDomainConfNWFilterTeardown(virDomainNetDefPtr net) {
+ if (nwfilterDriver != NULL)
+ nwfilterDriver->teardownFilter(net);
+}
+
+void
+virDomainConfVMNWFilterTeardown(virDomainObjPtr vm) {
+ int i;
+
+ if (nwfilterDriver != NULL) {
+ for (i = 0; i < vm->def->nnets; i++)
+ virDomainConfNWFilterTeardown(vm->def->nets[i]);
+ }
+}
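Review bot: `virDomainConfNWFilterInstantiate()` returns 0 when `nwfilterDriver` is NULL, so a guest whose interface names a filter starts with no filtering at all if the nwfilter module is not loaded, and the caller cannot tell. The qemu callers in this patch reach the function only under `if ((net->filter) && (net->ifname))`, so a missing driver should be an error here (report it and return -1), leaving the silent no-op to the teardown paths. `virDomainConfNWFilterRegister()` also overwrites the pointer without checking for a NULL argument or an earlier registration.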
Index: libvirt-acl/src/libvirt_private.syms
===================================================================
--- libvirt-acl.orig/src/libvirt_private.syms
+++ libvirt-acl/src/libvirt_private.syms
@@ -264,6 +264,11 @@ virDomainEventDispatchDefaultFunc;
virDomainEventDispatch;
virDomainEventQueueDispatch;
+# domain_nwfilter.h
+virDomainConfNWFilterRegister;
+virDomainConfNWFilterInstantiate;
+virDomainConfNWFilterTeardown;
+virDomainConfVMNWFilterTeardown;
# ebtables.h
ebtablesAddForwardAllowIn;
Index: libvirt-acl/src/nwfilter/nwfilter_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_driver.c
@@ -33,6 +33,7 @@
#include "datatypes.h"
#include "memory.h"
#include "domain_conf.h"
+#include "domain_nwfilter.h"
#include "nwfilter_driver.h"
#include "nwfilter_gentech_driver.h"
@@ -410,6 +411,20 @@ cleanup:
}
+static int
+nwfilterInstantiateFilter(virConnectPtr conn,
+ virDomainNetDefPtr net) {
+ return virNWFilterInstantiateFilter(conn, net);
+}
+
+
+static void
+nwfilterTeardownFilter(virDomainNetDefPtr net) {
+ if ((net->ifname) && (net->filter))
+ virNWFilterTeardownFilter(net);
+}
+
+
static virNWFilterDriver nwfilterDriver = {
.name = "nwfilter",
.open = nwfilterOpen,
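Review bot: The `net->ifname`/`net->filter` guard is inside `nwfilterTeardownFilter()` but not inside `nwfilterInstantiateFilter()`, which forwards straight to `virNWFilterInstantiateFilter()` and relies on each caller in qemu_conf.c repeating `if ((net->filter) && (net->ifname))`. Put the same guard in the instantiate callback so both halves of the interface behave alike and a future caller cannot skip the check.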
@@ -432,8 +447,16 @@ static virStateDriver stateDriver = {
.active = nwfilterDriverActive,
};
+
+static virDomainConfNWFilterDriver domainNWFilterDriver = {
+ .instantiateFilter = nwfilterInstantiateFilter,
+ .teardownFilter = nwfilterTeardownFilter,
+};
+
+
int nwfilterRegister(void) {
virRegisterNWFilterDriver(&nwfilterDriver);
virRegisterStateDriver(&stateDriver);
+ virDomainConfNWFilterRegister(&domainNWFilterDriver);
return 0;
}
Dear List,
Thu Jun 17 2010 Luis Carlos Moreira da Costa <tcljava(a)gmail.com>
* Refactored all the code of libvirt.
* Modify the method toString() to String.format in all classes
contains.
* Add final in classes, methods and attributes.
* Alter of test JUnit.
* Add .project and .classpath in Eclipse Galileo IDE.
Attention: And eventually transforming it to an OSGi version!
Luís Carlos Moreira da Costa
Eclipse RAP, RCP, eRCP, GMF, OSGI, Spring-DM and Pentaho Developer
Regional Communities/Brazil
http://wiki.eclipse.org/Regional_Communities/Brazil/
[libvirt] [PATCH 0/4] Change per-connection hashes to be indexed by UUIDs
by Jiri Denemark 21 Jun '10
While working in the area, I also made a few other cleanups...
Jiri Denemark (4):
Index hashes by UUID instead of name
Remove unnecessary check for non-NULL uuid
Do not free static buffer with UUID
Misc cleanups
src/datatypes.c | 83 ++++++++++++++++++++++++++++--------------------------
1 files changed, 43 insertions(+), 40 deletions(-)
According to docs/formatdomain.html.in, "The boot element can be
repeated multiple times to setup a priority list of boot devices to try
in turn." The Relax-NG schema required / allowed exactly one entry.
Signed-off-by: Philipp Hahn <hahn(a)univention.de>
---
docs/schemas/domain.rng | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
21 Jun '10
---
Noticed a doubled up include for errno.h. Pretty sure it's not
needed.
tools/virsh.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index 3057115..0bf7443 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -28,7 +28,6 @@
#include <time.h>
#include <limits.h>
#include <assert.h>
-#include <errno.h>
#include <sys/stat.h>
#include <inttypes.h>
#include <signal.h>
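Review bot: the removed `#include <errno.h>` is justified only as a duplicate, but the other include is not within this hunk's context and the description says "Pretty sure it's not needed". Confirm that the remaining `#include <errno.h>` in tools/virsh.c is unconditional (not inside an #ifdef block) and state that in the commit message, so the removal cannot break a build configuration that only saw this copy.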
--
1.7.0.1
As previously suggested, I think it's time to get a new release going,
and if we want to have it by end of the month it would be good to enter
feature freeze over the week-end. I am seeing some un-ack'ed patches
on list though so maybe we need to be a bit flexible, but the general
principle is that we would ACK and push only bug fixes and not new features
starting from Monday. This doesn't affect documentation :-)
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
[libvirt] [PATCH] [TCK] nwfilter: apply filters and check firewall rules
by Stefan Berger 18 Jun '10
Hi!
This is a patch I previously posted for use in the tests/ directory of
libvirt. Now I ported it to the TCK project and extended the script with
output in the Test Anything Protocol (TAP) format. It now allows
multiple output formats chosen via command line parameter supporting TAP
(--tap-test), the output format used in the libvirt tests directory (the
'.' and '!') (--libvirt-test) and one where all tests are displayed
(--verbose).
The program basically creates a filter called testcase and two VMs where
one of them references the testcase filter and the other a filter called
nwfiltertestfilter. The testcase filter is then subsequently modified
and the effect on iptables, ebtables and ip6tables verified against
expected output for both VMs. The VMs are torn down at the end and the
test filters removed.
For all the tests to run successfully, the last outstanding patch that
would need to go in is this one here:
https://www.redhat.com/archives/libvir-list/2010-June/msg00326.html
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
scripts/nwfilter/100-apply-verify.t | 10
 scripts/nwfilter/nwfilter2vmtest.sh | 581 ++++++++++
scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall | 32
scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall | 30
scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall | 9
scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall | 24
scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall | 68 +
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall | 23
scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall | 12
scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall | 19
scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall | 13
scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall | 12
scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall | 9
scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat | 73 +
scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall | 26
scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall | 28
scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall | 26
scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/ah-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/all-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml | 33
scripts/nwfilter/nwfilterxml2xmlin/conntrack-test.xml | 12
scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/esp-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml | 56
scripts/nwfilter/nwfilterxml2xmlin/icmp-direction-test.xml | 15
scripts/nwfilter/nwfilterxml2xmlin/icmp-direction2-test.xml | 15
scripts/nwfilter/nwfilterxml2xmlin/icmp-direction3-test.xml | 10
scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/igmp-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml | 34
scripts/nwfilter/nwfilterxml2xmlin/ipt-no-macspoof-test.xml | 14
scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml | 43
scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml | 23
scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml | 33
scripts/nwfilter/nwfilterxml2xmlin/ref-rule-test.xml | 18
scripts/nwfilter/nwfilterxml2xmlin/ref-test.xml | 4
scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml | 22
scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml | 19
scripts/nwfilter/nwfilterxml2xmlin/udplite-test.xml | 18
61 files changed, 2005 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -0,0 +1,581 @@
+#!/bin/bash
+
+ORIG_IFNAME="vnet0"
+ATTACH_IFNAME="attach0"
+TESTFILTERNAME="nwfiltertestfilter"
+TESTVM2FWALLDATA="nwfilterxml2fwallout/testvm.fwall.dat"
+
+LIBVIRTD=`type -P ${PWD}/../daemon/libvirtd`
+if [ "x${LIBVIRTD}x" == "xx" ]; then
+ LIBVIRTD=`type -P libvirtd`
+fi
+
+VIRSH=`type -P ${PWD}/../tools/virsh`
+if [ "x${VIRSH}x" == "xx" ]; then
+ VIRSH=`type -P virsh`
+fi
+
+LD_LIBRARY_PATH="${PWD}../src/.libs/"
+
+# Maybe no libvirtd was built
+[ -z ${LIBVIRTD} ] && exit 0;
+
+FLAG_WAIT="$((1<<0))"
+FLAG_ATTACH="$((1<<1))"
+FLAG_VERBOSE="$((1<<2))"
+FLAG_LIBVIRT_TEST="$((1<<3))"
+FLAG_TAP_TEST="$((1<<4))"
+
+failctr=0
+passctr=0
+attachfailctr=0
+attachctr=0
+
+TAP_FAIL_LIST=""
+TAP_FAIL_CTR=0
+TAP_TOT_CTR=0
+
+function usage() {
+ local cmd="$0"
+cat <<EOF
+Usage: ${cmd} [--help|-h|-?] [--noattach] [--wait] [--verbose]
+ [--libvirt-test] [--tap-test]
+
+Options:
+ --help,-h,-? : Display this help screen.
+ --noattach : Skip tests that attach and detach a network interface
+ --wait : Wait for the user to press the enter key once an error
+ was detected
+ --verbose : Verbose output
+ --libvirt-test : Use the libvirt test output format
+ --tap-test : TAP format output
+
+This test will create two virtual machines. The one virtual machine
+will use a filter called '${TESTFILTERNAME}', and reference the filter
+'clean-traffic' which should be available by default with every install.
+The other virtual machine will reference the filter 'testcase' and will
+have its filter permanently updated.
+EOF
+}
+
+
+function tap_fail() {
+ echo "not ok $1 - ${2:0:66}"
+ TAP_FAIL_LIST+="$1 "
+ ((TAP_FAIL_CTR++))
+ ((TAP_TOT_CTR++))
+}
+
+function tap_pass() {
+ echo "ok $1 - ${2:0:70}"
+ ((TAP_TOT_CTR++))
+}
+
+function tap_final() {
+ local okay
+
+ [ -n "${TAP_FAIL_LIST}" ] && echo "FAILED tests ${TAP_FAIL_LIST}"
+
+ okay=`echo "($TAP_TOT_CTR-$TAP_FAIL_CTR)*100/$TAP_TOT_CTR" | bc -l`
+ echo "Failed ${TAP_FAIL_CTR}/${TAP_TOT_CTR} tests, ${okay:0:5}% okay"
+}
+
+# A wrapper for mktemp in case it does not exist
+# Echos the name of a temporary file.
+function mktmpfile() {
+ local tmp
+ type -P mktemp > /dev/null
+ if [ $? -eq 0 ]; then
+ tmp=$(mktemp -t nwfvmtest.XXXXXX)
+ echo ${tmp}
+ else
+ while :; do
+ tmp="/tmp/nwfvmtest.${RANDOM}"
+ if [ ! -f ${tmp} ]; then
+ touch ${tmp}
+ chmod 666 ${tmp}
+ echo ${tmp}
+ break
+ fi
+ done
+ fi
+ return 0
+}
+
+
+function checkExpectedOutput() {
+ local xmlfile="$1"
+ local fwallfile="$2"
+ local ifname="$3"
+ local flags="$4"
+ local skipregex="$5"
+ local regex="s/${ORIG_IFNAME}/${ifname}/g"
+ local cmd line tmpfile tmpfile2 skip
+
+ tmpfile=`mktmpfile`
+ tmpfile2=`mktmpfile`
+
+ exec 4<${fwallfile}
+
+ read <&4
+ line="${REPLY}"
+
+ while [ "x${line}x" != "xx" ]; do
+ cmd=`echo ${line##\#} | sed ${regex}`
+
+ skip=0
+ if [ "x${skipregex}x" != "xx" ]; then
+ skip=`echo ${cmd} | grep -c -E ${skipregex}`
+ fi
+
+ eval ${cmd} 2>&1 | tee ${tmpfile} 1>/dev/null
+
+ rm ${tmpfile2} 2>/dev/null
+ touch ${tmpfile2}
+
+ while [ 1 ]; do
+ read <&4
+ line="${REPLY}"
+
+ if [ "${line:0:1}" == "#" ] || [ "x${line}x" == "xx" ]; then
+
+ if [ ${skip} -ne 0 ]; then
+ break
+ fi
+
+ diff ${tmpfile} ${tmpfile2} >/dev/null
+
+ if [ $? -ne 0 ]; then
+ if [ $((flags & FLAG_VERBOSE)) -ne 0 ]; then
+ echo "FAIL ${xmlfile} : ${cmd}"
+ diff ${tmpfile} ${tmpfile2}
+ fi
+ ((failctr++))
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "tmp files: $tmpfile, $tmpfile2"
+ echo "Press enter"
+ read
+ fi
+ [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+ test_result $((passctr+failctr)) "" 1
+ [ $((flags & FLAG_TAP_TEST)) -ne 0 ] && \
+ tap_fail $((passctr+failctr)) "${xmlfile} : ${cmd}"
+ else
+ ((passctr++))
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && \
+ echo "PASS ${xmlfile} : ${cmd}"
+ [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+ test_result $((passctr+failctr)) "" 0
+ [ $((flags & FLAG_TAP_TEST)) -ne 0 ] && \
+ tap_pass $((passctr+failctr)) "${xmlfile} : ${cmd}"
+ fi
+
+ break
+
+ fi
+ echo "${line}" | sed ${regex} >> ${tmpfile2}
+ done
+ done
+
+ exec 4>&-
+
+ rm -rf "${tmpfile}" "${tmpfile2}" 2>/dev/null
+}
+
+
+function doTest() {
+ local xmlfile="$1"
+ local fwallfile="$2"
+ local vm1name="$3"
+ local vm2name="$4"
+ local flags="$5"
+ local testnum="$6"
+ local linenums ctr=0
+ local tmpfile b msg rc
+
+ if [ ! -r "${xmlfile}" ]; then
+ echo "FAIL : Cannot access filter XML file ${xmlfile}."
+ return 1
+ fi
+
+ ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+
+ checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" "${flags}" \
+ ""
+
+ checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
+ "${vm2name}" "${flags}" ""
+
+ if [ $((flags & FLAG_ATTACH)) -ne 0 ]; then
+
+ tmpfile=`mktmpfile`
+
+ b=`{ ${VIRSH} dumpxml ${vm1name} | tr -d "\n"; echo; } | \
+ sed "s/.*\<interface.*source
bridge='\([a-zA-Z0-9_]\+\)'.*<\/interface>.*/\1/"`
+
+ cat >>${tmpfile} <<EOF
+<interface type='bridge'>
+ <source bridge='${b}'/>
+ <mac address='52:54:00:11:22:33'/>
+ <target dev='${ATTACH_IFNAME}'/>
+ <filterref filter='testcase'/>
+</interface>
+EOF
+ msg=`${VIRSH} attach-device "${vm1name}" "${tmpfile}" > /dev/null`
+ rc=$?
+
+ ((attachctr++))
+
+ if [ $rc -eq 0 ]; then
+ checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \
+ "${flags}" "(PRE|POST)ROUTING"
+ checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
+ "${vm2name}" "${flags}" "(PRE|POST)ROUTING"
+ msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"`
+ if [ $? -ne 0 ]; then
+ echo "FAIL: Detach of interface failed."
+ fi
+ else
+ if [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ # In case of TAP, run the test anyway so we get to the full number
+ # of tests
+ checkExpectedOutput "${xmlfile}" "${fwallfile}"
"${ATTACH_IFNAME}" \
+ "${flags}" "" #"(PRE|POST)ROUTING"
+ checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
+ "${vm2name}" "${flags}" #"(PRE|POST)ROUTING"
+ fi
+
+ ((attachfailctr++))
+ if [ $((flags & FLAG_VERBOSE)) -ne 0 ]; then
+ echo "FAIL: Could not attach interface to vm ${vm1name}."
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter"
+ read
+ fi
+ fi
+ fi
+
+ rm -rf ${tmpfile}
+ fi
+
+ return 0
+}
+
+
+function runTests() {
+ local vm1name="$1"
+ local vm2name="$2"
+ local xmldir="$3"
+ local fwalldir="$4"
+ local flags="$5"
+ local fwallfiles f c
+ local tap_total=0 ctr=0
+
+ pushd ${PWD} > /dev/null
+ cd ${fwalldir}
+ fwallfiles=`ls *.fwall`
+ popd > /dev/null
+
+ if [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ # Need to count the number of total tests
+ for fil in ${fwallfiles}; do
+ c=$(grep -c "^#" ${fwalldir}/${fil})
+ ((tap_total+=c))
+ ((ctr++))
+ done
+ c=$(grep -c "^#" "${TESTVM2FWALLDATA}")
+ ((tap_total+=c*ctr))
+ [ $((flags & FLAG_ATTACH)) -ne 0 ] && ((tap_total*=2))
+ echo "1..${tap_total}"
+ fi
+
+ for fil in ${fwallfiles}; do
+ f=${fil%%.fwall}
+ doTest "${xmldir}/${f}.xml" "${fwalldir}/${fil}" "${vm1name}" \
+ "${vm2name}" "${flags}"
+ done
+
+ if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then
+ test_final $((passctr+failctr)) $failctr
+ elif [ $((flags & FLAG_TAP_TEST)) -ne 0 ]; then
+ tap_final
+ else
+ echo ""
+ echo "Summary: ${failctr} failures, ${passctr} passes,"
+ if [ ${attachctr} -ne 0 ]; then
+ echo " ${attachfailctr} interface attachment failures
with ${attachctr} attempts"
+ fi
+ fi
+}
+
+
+function createVM() {
+ local vmname="$1"
+ local filtername="$2"
+ local ipaddr="$3"
+ local macaddr="$4"
+ local flags="$5"
+ local res
+ local tmpfile='mktmpfile'
+
+ cat > ${tmpfile} << EOF
+ <domain type='kvm'>
+ <name>${vmname}</name>
+ <memory>32768</memory>
+ <currentMemory>32768</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch='x86_64' machine='pc-0.11'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <features>
+ <acpi/>
+ <apic/>
+ </features>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu-kvm</emulator>
+ <interface type='bridge'>
+ <mac address='${macaddr}'/>
+ <source bridge='virbr0'/>
+ <filterref filter='${filtername}'>
+ <parameter name='IP' value='${ipaddr}'/>
+ </filterref>
+ <target dev='${vmname}'/>
+ </interface>
+ <console type='pty'>
+ </console>
+ <input type='mouse' bus='ps2'/>
+ <graphics type='vnc' port='-1' autoport='yes'/>
+ </devices>
+ </domain>
+EOF
+
+ res=$(${VIRSH} define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define VM ${vmname} : ${res}"
+ return 1
+ fi
+
+ res=$(${VIRSH} start ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not start VM ${vmname} : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ $(${VIRSH} undefine ${vmname})
+ return 1
+ fi
+
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Created VM ${vmname}."
+
+ rm -rf ${tmpfile}
+
+ return 0
+}
+
+
+function destroyVM() {
+ local vmname="$1"
+ local flags="$2"
+ local res
+
+ res=$(${VIRSH} destroy ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not destroy VM ${vmname} : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+
+ res=$(${VIRSH} undefine ${vmname})
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine VM ${vmname} : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+
+ [ $((flags & FLAG_VERBOSE)) -ne 0 ] && echo "Destroyed VM ${vmname}."
+
+ return 0
+}
+
+
+function createTestFilters() {
+ local flags="$1"
+ local tmpfile=`mktmpfile`
+ local res
+
+ cat >${tmpfile} << EOF
+<filter name="${TESTFILTERNAME}">
+ <filterref filter='clean-traffic'/>
+
+ <rule action='drop' direction='inout' priority='1000'>
+ <all/>
+ </rule>
+
+ <rule action='drop' direction='inout' priority='1000'>
+ <all-ipv6/>
+ </rule>
+</filter>
+EOF
+ res=$(${VIRSH} nwfilter-define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ rm -rf ${tmpfile}
+ return 1
+ fi
+
+ cat >${tmpfile} << EOF
+<filter name="testcase">
+</filter>
+EOF
+ res=$(${VIRSH} nwfilter-define ${tmpfile})
+ if [ $? -ne 0 ]; then
+ echo "Could not define filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ rm -rf ${tmpfile}
+ return 1
+ fi
+
+ rm -rf ${tmpfile}
+
+ return 0
+}
+
+
+function deleteTestFilter() {
+ local flags="$1"
+ local res
+
+ res=$(${VIRSH} nwfilter-undefine ${TESTFILTERNAME})
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+ res=$(${VIRSH} nwfilter-undefine testcase)
+ if [ $? -ne 0 ]; then
+ echo "Could not undefine filter : ${res}"
+ if [ $((flags & FLAG_WAIT)) -ne 0 ]; then
+ echo "Press enter."
+ read
+ fi
+ return 1
+ fi
+ return 0
+}
+
+
+function main() {
+ local prgname="$0"
+ local vm1 vm2
+ local xmldir="nwfilterxml2xmlin"
+ local fwalldir="nwfilterxml2fwallout"
+ local found=0 vms res
+ local filtername="testcase"
+ local libvirtdpid=-1
+ local flags OPWD
+
+ ((flags=${FLAG_ATTACH}))
+
+ while [ $# -ne 0 ]; do
+ case "$1" in
+ --help|-h|-\?) usage ${prgname}; exit 0;;
+ --noattach) ((flags ^= FLAG_ATTACH ));;
+ --wait) ((flags |= FLAG_WAIT ));;
+ --verbose) ((flags |= FLAG_VERBOSE ));;
+ --libvirt-test) ((flags |= FLAG_LIBVIRT_TEST ));;
+ --tap-test) ((flags |= FLAG_TAP_TEST ));;
+ *) usage ${prgname}; exit 1;;
+ esac
+ shift 1
+ done
+
+ if [ `uname` != "Linux" ]; then
+ echo "This script will only run on Linux."
+ exit 1;
+ fi
+
+ if [ $((flags & FLAG_LIBVIRT_TEST)) -ne 0 ]; then
+ pushd ${PWD} > /dev/null
+ . test-lib.sh
+ test_intro $this_test
+ popd > /dev/null
+ fi
+
+ res=$(${VIRSH} capabilities 2>/dev/null 1>/dev/null)
+
+ if [ $? -ne 0 ]; then
+ if [ "x${LIBVIRTD}x" == "xx" ]; then
+ echo "Cannot find libvirtd. Exiting."
+ exit 1
+ fi
+
+ rm -rf pid-file 2>/dev/null
+ ${LIBVIRTD} --pid-file=pid-file 2>/dev/null 1>/dev/null &
+ libvirtdpid=$!
+ sleep 2
+
+ res=$(${VIRSH} capabilities 2>/dev/null 1>/dev/null)
+ if [ $? -ne 0 ]; then
+ echo "Could not start the libvirt daemon : $res"
+ echo "Exiting."
+ exit 1
+ fi
+ fi
+
+ vm1="testvm${RANDOM}"
+ vm2="testvm${RANDOM}"
+
+ createTestFilters "${flags}"
+ if [ $? -ne 0 ]; then
+ exit 1;
+ fi
+
+ createVM "${vm1}" "testcase" "10.2.2.2" "52:54:0:0:0:1" "${flags}"
+ if [ $? -ne 0 ]; then
+ echo "Could not create VM ${vm1}. Exiting."
+ exit 1
+ fi
+
+ createVM "${vm2}" "${TESTFILTERNAME}" "10.1.1.1" "52:54:0:9f:33:da" \
+ "${flags}"
+ if [ $? -ne 0 ]; then
+ echo "Could not create VM ${vm2}. Exiting."
+ destroyVM "${vm1}" "${flags}"
+ exit 1
+ fi
+
+ runTests "${vm1}" "${vm2}" "${xmldir}" "${fwalldir}" "${flags}"
+
+ destroyVM "${vm1}" "${flags}"
+ destroyVM "${vm2}" "${flags}"
+ deleteTestFilter "${flags}"
+
+ [ ${libvirtdpid} -ge 0 ] && kill -9 ${libvirtdpid}
+ rm -rf pid-file 2>/dev/null
+
+ return 0
+}
+
+main "$@"
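Review bot: the fallback branch of mktmpfile() builds a predictable name (`/tmp/nwfvmtest.${RANDOM}`), tests it with `[ ! -f ${tmp} ]`, then runs `touch` and `chmod 666` on it, which is a check-then-create race in a world-writable directory and leaves the file writable by every local user; the script runs ebtables/iptables listings, which need root, and later hands these files to `virsh define` and `virsh attach-device`. Create the file atomically (for example under `set -o noclobber`, or inside a private directory made with `mkdir -m 700`) and drop the `chmod 666`. In createVM(), `local tmpfile='mktmpfile'` uses single quotes where the other callers use backticks, so the domain XML is written to a file literally named mktmpfile in the current directory. checkExpectedOutput() runs `eval ${cmd}` on every '#' line of the .fwall files, so those data files are executed with the script's privileges and deserve the same review as the script itself. `LD_LIBRARY_PATH="${PWD}../src/.libs/"` is missing a `/` after `${PWD}` and is never exported. doTest() discards both the output and the exit status of `virsh nwfilter-define`, so a rejected filter XML shows up only indirectly as rule mismatches.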
Index: libvirt-tck/scripts/nwfilter/100-apply-verify.t
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/100-apply-verify.t
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+pwd=$(dirname $0)
+
+pushd ${PWD} > /dev/null
+
+cd ${pwd}
+bash ./nwfilter2vmtest.sh --tap-test --noattach
+
+popd > /dev/null
\ No newline at end of file
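Review bot: the exit status of `bash ./nwfilter2vmtest.sh --tap-test --noattach` is lost because `popd > /dev/null` is the last command, and `cd ${pwd}` is neither quoted nor checked, so after a failed cd the script runs whatever ./nwfilter2vmtest.sh exists in the caller's directory. Use a quoted cd that exits on failure, save the test script's status and exit with it; the `pushd ${PWD}` and `popd` pair is unnecessary in a script that ends right after. With --noattach hard-coded, the attach/detach path in doTest() is never exercised from the TCK; say in the commit message if that is intended. The file also lacks a trailing newline.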
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/arp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype
12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f
-j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff
-j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j
ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype
0xffff -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+
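Review bot: the check `#ebtables -t nat -L PREROUTING | grep vnet0` matches by substring, and checkExpectedOutput() rewrites vnet0 to the generated interface name (testvm${RANDOM}), so a name such as testvm12 also matches testvm123 and an unrelated interface on the host can add lines and fail the comparison. Match the whole word instead, for example with `grep -w vnet0`.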
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/arp-test.xml
@@ -0,0 +1,33 @@
+<filter name='testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535' />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65536' hwtype='65536' protocoltype='65536' />
+ </rule>
+</filter>
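Review bot: the last rule sets opcode='65536' hwtype='65536' protocoltype='65536', one past what the 16-bit ARP fields can hold, and arp-test.fwall expects it to be installed as `-p ARP -s 1:2:3:4:5:6 -j ACCEPT`, that is, with the out-of-range attributes dropped and the accept rule widened to all ARP from that MAC. Add an XML comment marking this as a deliberate out-of-range case, and state in the patch description whether widening an accept rule, rather than rejecting the filter, is the behaviour this test is meant to pin down.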
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/testvm.fwall.dat
@@ -0,0 +1,73 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -j I-vnet0-ipv4
+-p ARP -j I-vnet0-arp
+-p 0x8035 -j I-vnet0-rarp
+-p 0x835 -j ACCEPT
+-j DROP
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -j O-vnet0-ipv4
+-p ARP -j O-vnet0-arp
+-p 0x8035 -j O-vnet0-rarp
+-j DROP
+#ebtables -t nat -L I-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
+-s ! 52:54:0:9f:33:da -j DROP
+-p IPv4 --ip-src ! 10.1.1.1 -j DROP
+#ebtables -t nat -L O-vnet0-ipv4 | grep -v "^Bridge" | grep -v "^$"
+-j ACCEPT
+#ebtables -t nat -L I-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
+-s ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-mac-src ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-ip-src ! 10.1.1.1 -j DROP
+-p ARP --arp-op Request -j ACCEPT
+-p ARP --arp-op Reply -j ACCEPT
+-j DROP
+#ebtables -t nat -L O-vnet0-arp | grep -v "^Bridge" | grep -v "^$"
+-p ARP --arp-op Reply --arp-mac-dst ! 52:54:0:9f:33:da -j DROP
+-p ARP --arp-ip-dst ! 10.1.1.1 -j DROP
+-p ARP --arp-op Request -j ACCEPT
+-p ARP --arp-op Reply -j ACCEPT
+-j DROP
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
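Review bot: the expected libvirt-I-vnet0 chain contains both `-p 0x8035 -j I-vnet0-rarp` and `-p 0x835 -j ACCEPT`; 0x835 differs from the RARP ethertype by one digit and is accepted ahead of the final `-j DROP` without passing through a per-protocol chain, so say in the patch description where that rule comes from and whether it is intended. These expectations are also tied to values set elsewhere: the MAC 52:54:0:9f:33:da and IP 10.1.1.1 are the arguments main() passes to createVM for the second VM, and the chains reflect whatever clean-traffic filter is installed on the host, so a host with a modified clean-traffic will fail this file for reasons unrelated to the filter under test.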
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
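Review bot: the third rule uses srcipmask='129', which is larger than the 128 bits of an IPv6 address, and nothing in the file says whether that is a deliberate invalid-input case. Add an XML comment stating the intent and what the resulting ip6tables rule should look like; the same value appears in all-ipv6-test.xml and esp-ipv6-test.xml.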
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ah-test.xml
@@ -0,0 +1,18 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <ah srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
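Review bot: the second and third rules are identical (direction='in', srcipaddr='10.1.2.3', srcipmask='22', dscp='33'), so the third adds no coverage, whereas in ah-ipv6-test.xml the corresponding third rule differs from the second. Either vary the third rule or drop it, and do the same in all-test.xml and esp-test.xml, which repeat the pattern.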
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/all-test.xml
@@ -0,0 +1,18 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/conntrack-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/conntrack-test.xml
@@ -0,0 +1,12 @@
+<filter name='testcase' chain='root'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <icmp connlimit-above='1'/>
+ </rule>
+ <rule action='drop' direction='out' priority='500'>
+ <tcp connlimit-above='2'/>
+ </rule>
+ <rule action='accept' direction='out' priority='500'>
+ <all/>
+ </rule>
+</filter>
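Review bot: this definition of 'testcase' carries uuid 0a5288ea-612c-834a-6bbf-82a03a1a3244 while the ah, all and esp files define the same filter name with 5c6d49af-b071-6127-b4ec-6f8ed4b55335, and doTest() sends the output of `virsh nwfilter-define` to /dev/null without checking its status. If redefining an existing filter name under a different UUID is refused, this test would run against the previous filter's rules and fail with a misleading diff. Use one UUID for every 'testcase' file or omit the <uuid> element.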
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/esp-test.xml
@@ -0,0 +1,18 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/hex-data-test.xml
@@ -0,0 +1,56 @@
+<filter name='testcase'>
+ <uuid>01a992d2-f8c8-7c27-f69b-ab0a9d377379</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='0x123' srcportend='0x234'
+ dstportstart='0x3456' dstportend='0x4567'
+ dscp='0x32'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='tcp'
+ srcportstart='0x111' srcportend='400'
+ dstportstart='0x3333' dstportend='65535'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='0x12'
+ protocoltype='0x56'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='0x22'
+ srcportstart='0x123' srcportend='400'
+ dstportstart='0x234' dstportend='0x444'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x40'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'/>
+ </rule>
+
+</filter>
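Review bot: in the last rule (tcp-ipv6), dscp='0x40' is 64, one past the 6-bit DSCP maximum of 63 (0x3f), while the other dscp values in this file (0x32, 0x22) are in range. If this is meant as a hex out-of-range probe, say so in an XML comment, as ipt-no-macspoof-test.xml does for its choice of MAC address. If it is a typo for an in-range value, the expected ip6tables lines in hex-data-test.fwall, which show no DSCP match for a:b:c::/128, have to change with it.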
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction-test.xml
@@ -0,0 +1,15 @@
+<filter name='testcase'>
+ <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+ <!-- allow incoming ICMP Echo Reply -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Request -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction2-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction2-test.xml
@@ -0,0 +1,15 @@
+<filter name='testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <!-- allow incoming ICMP Echo Request -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Reply -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction3-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-direction3-test.xml
@@ -0,0 +1,10 @@
+<filter name='testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp/>
+ </rule>
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <all/>
+ </rule>
+</filter>
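Review bot: the <uuid> in this file, d6b1a2af-def6-2898-9f8d-4a74e3c39558, is the same one icmp-direction2-test.xml uses, while icmp-direction-test.xml has its own. It looks carried over when the file was copied. Other test files in this patch also share a UUID, so reuse may be deliberate, but then a one-line comment saying the filter is always redefined in place under the name 'testcase' would keep this from reading as an oversight; otherwise give this filter a distinct UUID.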
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmp-test.xml
@@ -0,0 +1,18 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' type='255' code='255'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' type='256' code='256'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/icmpv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33' type='255' code='255'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33' type='256' code='256'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/igmp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/igmp-test.xml
@@ -0,0 +1,18 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
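Review bot: the second and third rules are identical (direction='in', srcipaddr='10.1.2.3' srcipmask='22', dscp='33'), so the third adds no coverage. In icmp-test.xml the third rule is where the out-of-range values go (type='256' code='256'); igmp has no such attributes here, so either drop the duplicate or vary it, for example with an out-of-range dscp as ip-test.xml does with dscp='64'.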
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ip-test.xml
@@ -0,0 +1,34 @@
+<filter name='testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.128.0'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.0'
+ protocol='17' dscp='63'
+ />
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.255.254'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.128'
+ protocol='255' dscp='64'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.255.127'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.254'
+ protocol='256' dscp='64'
+ />
+ </rule>
+</filter>
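Review bot: the last rule stacks three suspect values at once: srcipmask='255.255.255.127' (a non-contiguous mask), protocol='256' and dscp='64'. If the rule is rejected or an attribute is dropped, the test cannot tell which value caused it, and the third rule already covers dscp='64' on its own. Put each invalid value in its own rule and add a short XML comment marking it as intentionally invalid.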
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
@@ -0,0 +1,14 @@
+<filter name='testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='drop' direction='inout'>
+ <!-- should use $MAC for MAC address, but tests would depend on VM's
+ MAC address -->
+ <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+ </rule>
+
+ <rule action='drop' direction='in'>
+ <!-- not accepting incoming traffic from a certain MAC address -->
+ <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+ </rule>
+
+</filter>
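Review bot: the comment on the second rule does not match what the rule says. With match='no' and action='drop', the rule drops incoming traffic whose source MAC is anything other than aa:aa:aa:aa:aa:aa, the same negated form the first rule uses for anti-spoofing, whereas "not accepting incoming traffic from a certain MAC address" reads as dropping traffic from that address. Reword the comment (for example "only accept incoming traffic from one MAC address"), or remove match='no' if the comment is the intent.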
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipv6-test.xml
@@ -0,0 +1,43 @@
+<filter name='testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='18'
+ />
+ </rule>
+
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/mac-test.xml
@@ -0,0 +1,23 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='1536'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='15'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='65535'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/rarp-test.xml
@@ -0,0 +1,33 @@
+<filter name='testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='rarp'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535' />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65536' hwtype='65536' protocoltype='65536' />
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-rule-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-rule-test.xml
@@ -0,0 +1,18 @@
+<filter name='testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ref-test.xml
@@ -0,0 +1,4 @@
+<filter name='testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-ipv6-test.xml
@@ -0,0 +1,22 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/sctp-test.xml
@@ -0,0 +1,22 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-ipv6-test.xml
@@ -0,0 +1,22 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/tcp-test.xml
@@ -0,0 +1,22 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='false'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='0'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-ipv6-test.xml
@@ -0,0 +1,22 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
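Review bot: srcipaddr='a:b:c' in the second rule is not a complete IPv6 address; the corresponding rules in tcp-ipv6-test.xml and sctp-ipv6-test.xml use 'a:b:c::' with the same srcipmask='128'. If this is a typo, add the trailing '::'. If it is a deliberate malformed-address case, add a comment saying so and keep the valid form covered by a separate rule.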
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udp-test.xml
@@ -0,0 +1,22 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65536'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-ipv6-test.xml
@@ -0,0 +1,19 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='129'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/udplite-test.xml
@@ -0,0 +1,18 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN ah ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED
+RETURN ah ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED
+ACCEPT ah a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT ah ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT ah ::/0 a:b:c::/128 DSCP match
0x21
+ACCEPT ah ::/0 ::10.1.2.3/128 DSCP match
0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
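Review bot: the long expected-output lines are wrapped, and the continuation lines ("01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED", "0x21state ESTABLISHED", "match --physdev-in vnet0") carry no leading '+'. The hunk header announces 28 added lines, which matches the '+' lines alone, so as posted the continuations are not part of the added text and the hunk will not apply cleanly; if the breaks did end up in the file, a rule would no longer be a single line of ip6tables output. Please resend with line wrapping disabled or as an attachment.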
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ah-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
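Review bot: the "iptables -L libvirt-in-post -n | grep vnet0" check is the only per-interface grep not piped through tr -s " ", so its expected line depends on iptables' column padding while the neighbouring libvirt-host-in, libvirt-in and libvirt-out checks are whitespace-squeezed. Add tr -s " " there as well. This file also has no counterpart to the "ip6tables -L INPUT -n --line-numbers | grep libvirt" check in ah-ipv6-test.fwall; add the IPv4 equivalent or state why it is skipped.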
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -0,0 +1,32 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN all ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED
+RETURN all ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED
+ACCEPT all a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT all ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT all ::/0 a:b:c::/128 DSCP match
0x21
+ACCEPT all ::/0 ::10.1.2.3/128 DSCP match
0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#ip6tables -L FORWARD --line-number | grep libvirt
+1 libvirt-in all anywhere anywhere
+2 libvirt-out all anywhere anywhere
+3 libvirt-in-post all anywhere anywhere
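Review bot: the final check runs "ip6tables -L FORWARD --line-number | grep libvirt" without -n, unlike every other listing in this file, which is why the expected lines read "anywhere" instead of "::/0" and why the listing can depend on name resolution on the test host. It also pins libvirt-in, libvirt-out and libvirt-in-post to positions 1 to 3 of FORWARD, which only holds when no other rules precede them. Add -n and compare the chain names and their relative order rather than absolute line numbers.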
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/all-test.fwall
@@ -0,0 +1,30 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#iptables -L FORWARD --line-number | grep libvirt
+1 libvirt-in all -- anywhere anywhere
+2 libvirt-out all -- anywhere anywhere
+3 libvirt-in-post all -- anywhere anywhere
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/conntrack-test.fwall
@@ -0,0 +1,24 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 1
+DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #conn/32 > 2
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN esp ::/0 a:b:c::/128 DSCP match
0x21state ESTABLISHED
+RETURN esp ::/0 ::10.1.2.3/128 DSCP match
0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match
0x02state ESTABLISHED
+ACCEPT esp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT esp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT esp ::/0 a:b:c::/128 DSCP match
0x21
+ACCEPT esp ::/0 ::10.1.2.3/128 DSCP match
0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 |tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/esp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
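Review bot: expected lines such as "DSCP match 0x02state NEW,ESTABLISHED" (no separator before "state") record the exact text that iptables -L printed on the machine where the file was generated. Any difference in how the installed iptables prints a match will fail the comparison although the rules are the same. Consider comparing against iptables -S output, or normalising the listing before the comparison, and note in the test documentation which iptables version the expected files were generated with.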
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -0,0 +1,68 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst
10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport
13398:17767 -j ACCEPT
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d
aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst
::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp
--ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype
18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f
-j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p 0x1234 -j ACCEPT
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092 state
NEW,ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x22udp spts:564:1092 dpts:291:400 state ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x22udp spts:291:400 dpts:564:1092
+#iptables -L libvirt-host-in -n | grep HI-vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep FI-vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 tcp spts:32:33 dpts:256:4369 state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::/128 tcp
spts:256:4369 dpts:32:33
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
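Review bot: the four iptables checks on libvirt-host-in, libvirt-in, libvirt-in-post and libvirt-out appear twice in this file, first with grep HI-vnet0 / grep FI-vnet0 and again after the first ip6tables block with grep vnet0, and the four ip6tables checks are likewise repeated after the ip6tables -L INPUT check. The expected output is identical both times, so the second copies add no coverage. Drop one set, or add a comment saying why the chains are listed again.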
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
8 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
0 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
0 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type
8 state NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state
NEW,ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmp-test.fwall
@@ -0,0 +1,23 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21icmp type 255 code 255 state
NEW,ESTABLISHED
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02icmp type 12 code 11
+ACCEPT icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -0,0 +1,26 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11 state
NEW,ESTABLISHED
+RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21ipv6-icmp type 255 code 255 state
NEW,ESTABLISHED
+ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02ipv6-icmp type 12 code 11
+ACCEPT icmpv6 ::/0 ::10.1.2.3/128 DSCP
match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
+
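Review bot: the expected line "1 libvirt-host-in all ::/0 ::/0" for ip6tables -L INPUT -n --line-numbers pins libvirt-host-in to position 1 of INPUT, so the comparison depends on what else the host has in that chain. If the position is what is being tested, a comment saying so would help; if only the presence of the jump matters, drop --line-numbers. The hunk also ends with an empty added line that files such as icmp-test.fwall do not have, which is worth making consistent if the comparison is line-exact.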
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/igmp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
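Review bot: the second and third rules in each of FI-vnet0, FO-vnet0 and HI-vnet0 are identical (for example "RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED" appears twice), so this expected output cannot tell whether two distinct rules from the filter XML were both instantiated or one was emitted twice. Giving the third rule a distinguishing attribute, such as a different destination or DSCP value, would make the check meaningful.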
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ip-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst
10.1.2.3 --ip-proto udp --ip-sport 20:22 --ip-dport 100:101 -j ACCEPT
+-p IPv4 --ip-src 10.1.0.0/17 --ip-dst 10.1.2.0/24 --ip-tos 0x3F
--ip-proto udp -j ACCEPT
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.3 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-proto 255 -j ACCEPT
+-p IPv4 --ip-src 10.1.2.3 --ip-dst 10.1.2.2/31 -j ACCEPT
+
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC !
12:34:56:78:9A:BC
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC !
AA:AA:AA:AA:AA:AA
+#iptables -L HI-vnet0
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
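Review bot: FO-vnet0 holds two consecutive rules, DROP on MAC ! 12:34:56:78:9A:BC followed by DROP on MAC ! AA:AA:AA:AA:AA:AA. A frame carries only one source MAC, so whichever address passes the first rule is dropped by the second and nothing gets through the chain. If the test is meant to show two permitted MAC addresses, the expected rules need a different shape (return or accept on match, then drop); if dropping everything is the intended result, please say so in a comment. Separately, "iptables -L HI-vnet0" is the only chain listing in this file without -n.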
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
@@ -0,0 +1,13 @@
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d
aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst
::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp
--ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst
1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport
100:101 --ip6-dport 20:22 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst
1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport
65535 --ip6-dport 255:256 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst
1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
--ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport
20:22 --ip6-dport 100:101 -j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
--ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport
255:256 --ip6-dport 65535 -j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
--ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/mac-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0x600 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0xffff -d aa:bb:cc:dd:ee:ff -j ACCEPT
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/rarp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0 | sed s/0x8035/RARP/g | grep -v
"^Bridge" | grep -v "^$"
+-p RARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request
--arp-htype 12 --arp-ptype 0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst
a:b:c:d:e:f -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype
0xff -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j
ACCEPT
+-p RARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype
0xffff -j ACCEPT
+-p RARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L PREROUTING | grep vnet0
+-i vnet0 -j libvirt-I-vnet0
+
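Review bot: the sed s/0x8035/RARP/g in the first command is unquoted and global, so it rewrites every 0x8035 in the listing, not only the -p protocol field; an --arp-ptype of 0x8035 would be turned into RARP as well. Quote the expression and anchor it to the protocol option, for example sed 's/^-p 0x8035 /-p RARP /', so the normalisation cannot mask a difference elsewhere on the line.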
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN sctp ::/0 a:b:c::/128 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED
+ACCEPT sctp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT sctp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT sctp ::/0 a:b:c::/128 DSCP match
0x21sctp spts:100:1111 dpts:20:21
+ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match
0x3fsctp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/sctp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21sctp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fsctp spt:65535 dpts:255:256 state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21sctp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3fsctp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21sctp spts:100:1111 dpts:20:21
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fsctp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN tcp ::/0 a:b:c::/128 DSCP match
0x21tcp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN tcp ::/0 ::10.1.2.3/128 DSCP match
0x3ftcp spt:65535 dpts:255:256 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED
+ACCEPT tcp a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT tcp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT tcp ::/0 a:b:c::/128 DSCP match
0x21tcp spts:100:1111 dpts:20:21
+ACCEPT tcp ::/0 ::10.1.2.3/128 DSCP match
0x3ftcp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/tcp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21tcp spts:100:1111 dpts:20:21
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3ftcp spt:65535 dpts:255:256
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21tcp spts:20:21 dpts:100:1111
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3ftcp spts:255:256 dpt:65535
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21tcp spts:100:1111 dpts:20:21
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3ftcp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
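Review bot: the second and third rules of FI-vnet0 and FO-vnet0 carry no state match (the line ends at "DSCP match 0x21tcp spts:100:1111 dpts:20:21"), whereas the same rules in sctp-test.fwall, udp-test.fwall and tcp-ipv6-test.fwall end in state ESTABLISHED or state NEW,ESTABLISHED. If the TCP filter XML deliberately turns state matching off for these rules, a comment naming that would help; otherwise this expected output would lock in rules that have lost their state match.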
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udp ::/0 ::/0 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match
0x02state ESTABLISHED
+ACCEPT udp ::/0 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT udp ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udp ::/0 ::/0 DSCP match
0x21udp spts:100:1111 dpts:20:21
+ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match
0x3fudp spt:65535 dpts:255:256
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
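Review bot: the second rule in each of FI-vnet0, FO-vnet0 and HI-vnet0 matches ::/0 on both source and destination, where the corresponding rule in tcp-ipv6-test.fwall and sctp-ipv6-test.fwall has a:b:c::/128. If the UDP filter XML really omits the address for that rule, fine; if it specifies a:b:c:: like the others, this expected output records a dropped address match.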
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udp-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21udp spts:100:1111 dpts:20:21 state ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fudp spt:65535 dpts:255:256 state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21udp spts:20:21 dpts:100:1111 state
NEW,ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x3fudp spts:255:256 dpt:65535 state
NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x21udp spts:100:1111 dpts:20:21
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match
0x3fudp spt:65535 dpts:255:256
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
--- /dev/null
+++
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -0,0 +1,28 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udplite ::/0 a:b:c::/128 DSCP
match 0x21state ESTABLISHED
+RETURN udplite ::/0 ::10.1.2.3/128 DSCP
match 0x21state ESTABLISHED
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP
match 0x02state ESTABLISHED
+ACCEPT udplite a:b:c::/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT udplite ::10.1.2.3/128 ::/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udplite ::/0 a:b:c::/128 DSCP
match 0x21
+ACCEPT udplite ::/0 ::10.1.2.3/128 DSCP
match 0x21
+#ip6tables -L INPUT -n --line-numbers | grep libvirt
+1 libvirt-host-in all ::/0 ::/0
+#ip6tables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-in vnet0
+#ip6tables -L libvirt-in-post -n | grep vnet0
+ACCEPT all ::/0 ::/0 PHYSDEV
match --physdev-in vnet0
+#ip6tables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all ::/0 ::/0 [goto] PHYSDEV match --physdev-out vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/udplite-test.fwall
@@ -0,0 +1,26 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21state ESTABLISHED
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP
match 0x02state ESTABLISHED
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP
match 0x21
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
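Review bot: every rule line in FI-vnet0, FO-vnet0 and HI-vnet0 reads "udplite-- 0.0.0.0/0", with the protocol name run into the opt column, and "DSCP match 0x02state" with no separator. That is the column layout of the listing, not rule content, and these chain listings are compared without the tr -s " " that the libvirt-host-in and libvirt-in checks use, so the test is tied to exact padding. Consider comparing on a form that does not depend on column widths, for example the output of iptables -S.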
[libvirt] [PATCH] nwfilter: extensions of docs with advanced filtering topics
by Stefan Berger 18 Jun '10
As requested, here are a couple of paragraphs about the recently added
statematch attribute and some advanced (and tricky) traffic filtering
topics.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
docs/formatnwfilter.html.in | 117
++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 117 insertions(+)
Index: libvirt-acl/docs/formatnwfilter.html.in
===================================================================
--- libvirt-acl.orig/docs/formatnwfilter.html.in
+++ libvirt-acl/docs/formatnwfilter.html.in
@@ -277,6 +277,13 @@
Valid values are in the range of 0 to 1000. If this attribute
is not
provided, the value 500 will automatically be assigned.
</li>
+ <li>
+ statematch -- optional; possible values are '0' or 'false' to
+ turn the underlying connection state matching off; default is
'true'
+ <br>
+ Also read the section on <a href="#nwfelemsRulesAdv">advanced
configuration</a>
+ topics.
+ </li>
</ul>
<p>
The above example indicates that the traffic of type <code>ip</code>
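Review bot: The new `statematch` item lists only '0' and 'false' as possible values and then says the default is 'true', which leaves it unclear whether 'true' (or '1') may be written explicitly. Suggest listing the accepted values exhaustively and saying what happens with any other value, since this attribute decides whether the rule enforces connection direction.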
@@ -1117,6 +1124,116 @@
<br><br>
</p>
+ <h3><a name="nwfelemsRulesAdv">Advanced Filter Configuration
Topics</a></h3>
+ <p>
+ The following sections discuss advanced filter configuration
+ topics.
+ </p>
+ <h4><a name="nwfelemsRulesAdvTracking">Connection tracking</a></h4>
+ <p>
+ The network filtering subsystem (on Linux) makes use of the connection
+ tracking support of iptables. This helps in enforcing the
+ directionality of network traffic (state match) as well as
+ counting and limiting the number of simultaneous connections towards
+ a VM. As an example, if a VM has TCP port 8080
+ open, clients may connect to it on port 8080. The tracking of the
+ connection then prevents the client from initiating a connection from
+ (TCP client) port 8080 to the host back (after previously having
+ gained access to the VM). More importantly, tracking helps to prevent
+ remote attackers to establish a connection back to a VM for example
+ if the user inside the VM has established a connection to
+ port 80 on an attacker site, then the attacker won't be able to
+ initiate a connection from TCP port 80 towards the VM.
+ By default the connection state match that enables the enforcement
+ of directionality of traffic is turned on. <br>
+ The following shows an example XML fragement where this feature
has been
+ turned off for incoming connections to TCP port 12345.
+ </p>
+<pre>
+ [...]
+ <rule direction='in' action='accept' statematch='false'>
+ <tcp dstportstart='12345'/>
+ </rule>
+ [...]
+</pre>
+ <p>
+ This now allows incoming traffic to TCP port 12345, but would also
+ enable the initiation from (client) TCP port 12345 within the VM,
+ which may or may not be desirable.
+ </p>
+
+ <h4><a name="nwfelemsRulesAdvLimiting">Limiting Number of
Connections</a></h4>
+ <p>
+ To limit the number of connections a VM may establish, a rule must
+ be provided that sets a limit of connections for a given
+ type of traffic. If for example a VM
+ is supposed to be allowed to only ping one other IP address at a time
+ and is supposed to have only one active incoming ssh connection at a
+ time, the following XML fragment can be used to achieve this.
+ </p>
+<pre>
+ [...]
+ <rule action='drop' direction='in' priority='400'>
+ <tcp connlimit-above='1'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <tcp dstportstart='22'/>
+ </rule>
+ <rule action='drop' direction='out' priority='400'>
+ <icmp connlimit-above='1'/>
+ </rule>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp/>
+ </rule>
+ <rule action='accept' direction='out' priority='500'>
+ <udp dstportstart='53'/>
+ </rule>
+ <rule action='drop' direction='inout' priority='1000'>
+ <all/>
+ </rule>
+ [...]
+</pre>
+ <p>
+ Note that the rule for the limit has to logically appear
+ before the rule for accepting the traffic.<br>
+ An additional rule for letting DNS traffic to port 22
+ go out the VM has been added to avoid ssh sessions not
+ getting established for reasons related to DNS lookup failures
+ by the ssh daemon. Leaving this rule out may otherwise lead to
+ fun-filled debugging joy.
+ <br><br>
+ Lot of care must be taken with timeouts related
+ to tracking of traffic. An ICMP ping that
+ the user may have terminated inside the VM may have a long
+ timeout in the host's connection tracking system and therefore
+ not allow another ICMP ping to go through for a while. Therefore,
+ the timeouts have to be tuned in the host's sysfs, i.e.,
+ </p>
+
+<pre>
+ echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_timeout
+</pre>
+ <p>
+ sets the ICMP connection tracking timeout to 3 seconds. The
+ effect of this is that once one ping is terminated, another
+ one can start after 3 seconds.<br>
+ Further, we want to point out that a client that for whatever
+ reason has not properly closed a TCP connection may cause a
+ connection to be held open for a longer period of time,
+ depending to what timeout the <code>TCP established</code> state
+ timeout has been set to on the host. Also, idle connections may time
+ out in the connection tracking system but can be reactivated once
+ packets are exchanged. However, a newly initated connection may force
+ an idle connection into TCP backoff if the number of allowed
connections
+ is set to a too low limit, the new connection is established
+ and hits (not exceeds) the limit of allowed connections and for
+ example a key is pressed on the old ssh session, which now has become
+ unresponsive due to traffic being dropped.
+ Therefore, the limit of connections should be rather high so that
+ fluctuations in new TCP connections don't cause odd
+ traffic behavior in relaton to idle connections.
+ </p>
+
<h2><a name="nwfcli">Command line tools</a></h2>
<p>
The libvirt command line tool <code>virsh</code> has been extended
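Review bot: In the paragraph after the connection-limit example, "An additional rule for letting DNS traffic to port 22 go out the VM" does not match the XML above it, where the DNS rule is `<udp dstportstart='53'/>`; the text should say port 53. In the same hunk, `/proc/sys/net/netfilter/nf_conntrack_icmp_timeout` is a procfs path rather than sysfs; the `<tcp connlimit-above='1'/>` drop rule is not scoped to port 22 and only acts as an ssh limit because nothing else is accepted, which the prose should state; and "fragement", "initated" and "relaton" are misspelled.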
[libvirt] [PATCH] libvirt-java-0.4.5 where libvirt-java-0.4.6 Refactored and Modify
by Luis Carlos Moreira da Costa 18 Jun '10
Thu Jun 17 2010 Luis Carlos Moreira da Costa <tcljava(a)gmail.com>
* Refactored the all code of the libvirt.
* Modify the method toString() to String.format in all classes.
* Add final in classes, methods and attributes.
* Alter of test Junit.
* Modify and alter javadoc the methods.
* Add .project and .classpath in Eclipse Galileo IDE.
Luís Carlos Moreira da Costa
Engineering & Technology
---------------------------------------------------------
ALOG Data Centers do Brasil
Excellence in Hosting Projects
Rua Dr. Miguel Couto, 58 -- Centro
CEP 01008-010 -- São Paulo (SP)
Telephone: (11) 3524-4970 (11) 8476-0040
http://www.alog.com.br
18 Jun '10
This patch adds a new --details option to the virsh vol-list
command, making its output more useful to people who use virsh
for significant lengths of time.
---
Output from the new option (hopefully this doesn't wrap):
virsh # pool-list
Name State Autostart
-----------------------------------------
default active yes
image_dir active yes
tmp active no
virsh # vol-list default
Name Path
---------------------------------------------------------------------------------------------
CentOS-5.5-x86_64-bin-DVD-1of2.iso /var/lib/libvirt/images/CentOS-5.5-x86_64-bin-DVD-1of2.iso
CentOS-5.5-x86_64-bin-DVD-2of2.iso /var/lib/libvirt/images/CentOS-5.5-x86_64-bin-DVD-2of2.iso
virsh # vol-list image_dir
Name Path
-------------------------------------------------------------------------
snap1.img /export/backend/centos_home/jc/tmp/images/snap1.img
testimage1 /export/backend/centos_home/jc/tmp/images/testimage1
virsh # vol-list tmp
Name Path
------------------------------------------
disk1.img /tmp/images/disk1.img
disk2.img /tmp/images/disk2.img
disk3.img /tmp/images/disk3.img
disk4.img /tmp/images/disk4.img
disk5.img /tmp/images/disk5.img
disk6.img /tmp/images/disk6.img
virsh # vol-list default --details
Name Type Capacity Allocation
Path
----------------------------------------------------------------
CentOS-5.5-x86_64-bin-DVD-1of2.iso file 4.09 GB 4.10 GB
/var/lib/libvirt/images/CentOS-5.5-x86_64-bin-DVD-1of2.iso
CentOS-5.5-x86_64-bin-DVD-2of2.iso file 412.33 MB 412.74 MB
/var/lib/libvirt/images/CentOS-5.5-x86_64-bin-DVD-2of2.iso
virsh # vol-list image_dir --details
Name Type Capacity Allocation
Path
----------------------------------------------------------
snap1.img file 20.00 GB 140.00 KB
/export/backend/centos_home/jc/tmp/images/snap1.img
testimage1 file 20.00 GB 20.02 GB
/export/backend/centos_home/jc/tmp/images/testimage1
virsh # vol-list tmp --details
Name Type Capacity Allocation Path
-------------------------------------------------------------
disk1.img file 20.00 GB 136.00 KB /tmp/images/disk1.img
disk2.img file 20.00 GB 136.00 KB /tmp/images/disk2.img
disk3.img file 20.00 GB 136.00 KB /tmp/images/disk3.img
disk4.img file 20.00 GB 136.00 KB /tmp/images/disk4.img
disk5.img file 20.00 GB 136.00 KB /tmp/images/disk5.img
disk6.img file 20.00 GB 136.00 KB /tmp/images/disk6.img
virsh #
Much more practical than running vol-info individually on each volume.
tools/virsh.c | 212 ++++++++++++++++++++++++++++++++++++++++++++++++-------
tools/virsh.pod | 4 +-
2 files changed, 189 insertions(+), 27 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index afa84e6..7a12e15 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -6047,67 +6047,227 @@ static const vshCmdInfo info_vol_list[] = {
static const vshCmdOptDef opts_vol_list[] = {
{"pool", VSH_OT_DATA, VSH_OFLAG_REQ, N_("pool name or uuid")},
+ {"details", VSH_OT_BOOL, 0, N_("display extended details for volumes")},
{NULL, 0, 0, NULL}
};
static int
cmdVolList(vshControl *ctl, const vshCmd *cmd ATTRIBUTE_UNUSED)
{
+ virStorageVolInfo **volumeInfos = NULL;
virStoragePoolPtr pool;
- int maxactive = 0, i;
+ int details = vshCommandOptBool(cmd, "details");
+ int maxName = 0, maxPath = 0;
+ int numVolumes = 0, i;
char **activeNames = NULL;
+ char **volumePaths = NULL;
+ /* Check the connection to libvirtd daemon is still working */
if (!vshConnectionUsability(ctl, ctl->conn, TRUE))
return FALSE;
+ /* Look up the pool information given to us by the user */
if (!(pool = vshCommandOptPool(ctl, cmd, "pool", NULL)))
return FALSE;
- maxactive = virStoragePoolNumOfVolumes(pool);
- if (maxactive < 0) {
+ /* Determine the number of volumes in the pool */
+ numVolumes = virStoragePoolNumOfVolumes(pool);
+ if (numVolumes < 0) {
virStoragePoolFree(pool);
vshError(ctl, "%s", _("Failed to list active vols"));
return FALSE;
}
- if (maxactive) {
- activeNames = vshMalloc(ctl, sizeof(char *) * maxactive);
- if ((maxactive = virStoragePoolListVolumes(pool, activeNames,
- maxactive)) < 0) {
+ /* Retrieve the list of volume names in the pool */
+ if (numVolumes) {
+ activeNames = vshMalloc(ctl, sizeof(char *) * numVolumes);
+ if ((numVolumes = virStoragePoolListVolumes(pool, activeNames,
+ numVolumes)) < 0) {
vshError(ctl, "%s", _("Failed to list active vols"));
VIR_FREE(activeNames);
virStoragePoolFree(pool);
return FALSE;
}
- qsort(&activeNames[0], maxactive, sizeof(char *), namesorter);
+ /* Sort the volume names */
+ qsort(&activeNames[0], numVolumes, sizeof(char *), namesorter);
}
- vshPrintExtra(ctl, "%-20s %-40s\n", _("Name"), _("Path"));
- vshPrintExtra(ctl, "-----------------------------------------\n");
- for (i = 0; i < maxactive; i++) {
- virStorageVolPtr vol = virStorageVolLookupByName(pool, activeNames[i]);
- char *path;
+ /* Set aside memory for volume information pointers */
+ volumePaths = vshMalloc(ctl, sizeof(char *) * numVolumes);
+ volumeInfos = vshMalloc(ctl, sizeof(virStorageVolInfo *) * numVolumes);
- /* this kind of work with vols is not atomic operation */
- if (!vol) {
- VIR_FREE(activeNames[i]);
- continue;
- }
+ /* Collect the rest of the volume information for display */
+ for (i = 0; i < numVolumes; i++) {
+ int stringLength;
+ virStorageVolPtr vol = virStorageVolLookupByName(pool,
+ activeNames[i]);
- if ((path = virStorageVolGetPath(vol)) == NULL) {
- virStorageVolFree(vol);
- continue;
+ /* Retrieve the volume path */
+ if ((volumePaths[i] = virStorageVolGetPath(vol)) == NULL) {
+ /* Something went wrong retrieving a volume path, cope with it */
+ volumePaths[i] = vshStrdup(ctl, _("unknown"));
}
+ /* Keep the length of path string if longest so far */
+ stringLength = strlen(volumePaths[i]);
+ if (stringLength > maxPath)
+ maxPath = stringLength;
+
+ /* Keep the length of name string if longest so far */
+ stringLength = strlen(activeNames[i]);
+ if (stringLength > maxName)
+ maxName = stringLength;
+
+ /* Retrieve the volume capacity and allocation */
+ volumeInfos[i] = vshMalloc(ctl, sizeof(virStorageVolInfo));
+ if (virStorageVolGetInfo(vol, volumeInfos[i]) != 0) {
+ /* Something went wrong retrieving volume info, cope with it */
+ volumeInfos[i] = NULL;
+ }
- vshPrint(ctl, "%-20s %-40s\n",
- virStorageVolGetName(vol),
- path);
- VIR_FREE(path);
+ /* Cleanup memory allocation */
virStorageVolFree(vol);
- VIR_FREE(activeNames[i]);
}
+
+ /* Display the volume information */
+ vshDebug(ctl, 5, "Longest name string = %d chars\n", maxName);
+ vshDebug(ctl, 5, "Longest path string = %d chars\n", maxPath);
+ if (details) {
+ virBuffer formatStr = VIR_BUFFER_INITIALIZER;
+
+ /* Is the output too long to fit on one line? */
+ if ((maxName + maxPath + 30) < 80) {
+ virBuffer headerStr = VIR_BUFFER_INITIALIZER;
+
+ /* Output is not too long - use one line per entry */
+ virBufferVSprintf(&formatStr,
+ "%%-%us %%-6s %%-10s %%-10s %%-%us\n",
+ maxName < 5 ? 5 : maxName,
+ maxPath);
+ virBufferVSprintf(&headerStr,
+ virBufferContentAndReset(&formatStr),
+ _("Name"), _("Type"), _("Capacity"),
+ _("Allocation"), _("Path"));
+ unsigned int headerLength = strlen(headerStr.d);
+ vshPrintExtra(ctl, "%s", virBufferContentAndReset(&headerStr));
+
+ /* Display an underline of appropriate length */
+ for (i = 0; i < headerLength - 1; i++)
+ vshPrintExtra(ctl, "-");
+ vshPrintExtra(ctl, "\n");
+
+ /* Define output format - one line per row of volume info */
+ virBufferVSprintf(&formatStr,
+ "%%-%us %%-6s %%-10s %%-10s %%-%us\n",
+ maxName < 5 ? 5 : maxName,
+ maxPath);
+ } else {
+ /* Output IS too long - use two lines per entry */
+ virBufferVSprintf(&formatStr,
+ "%%-%us %%-6s %%-10s %%-10s\n %%-%us\n",
+ maxName < 5 ? 5 : maxName,
+ maxPath);
+ vshPrintExtra(ctl, virBufferContentAndReset(&formatStr),
+ _("Name"), _("Type"), _("Capacity"),
+ _("Allocation"), _("Path"));
+
+ /* Display an underline of appropriate length */
+ if ((maxName + 30) > (maxPath + 6)) {
+ /* 30 = # chars in the header not including the name field
+ * 6 = Padding number picked out of the air that seems
+ * to work ok
+ */
+ for (i = 0; i < maxName + 30; i++)
+ vshPrintExtra(ctl, "-");
+ } else {
+ for (i = 0; i < maxPath + 6; i++)
+ vshPrintExtra(ctl, "-");
+ }
+ vshPrintExtra(ctl, "\n");
+
+ /* Define output format - two lines per row of volume info */
+ virBufferVSprintf(&formatStr,
+ "%%-%us %%-6s %%-10s %%-10s\n %%-%us\n",
+ maxName < 5 ? 5 : maxName,
+ maxPath);
+ }
+
+ /* Display the volume detail rows */
+ for (i = 0; i < numVolumes; i++) {
+ /* Do we have detailed sizing info? */
+ if (volumeInfos[i] != NULL) {
+ /* We have detailed sizing info */
+ double capVal, allocVal;
+ const char *capUnit, *allocUnit;
+ virBuffer capBufStr = VIR_BUFFER_INITIALIZER;
+ virBuffer allocBufStr = VIR_BUFFER_INITIALIZER;
+
+ /* Determine the capacity value to show */
+ capVal = prettyCapacity(volumeInfos[i]->capacity, &capUnit);
+ virBufferVSprintf(&capBufStr, "%.2lf %s", capVal, capUnit);
+
+ /* Determine the allocation value to show */
+ allocVal = prettyCapacity(volumeInfos[i]->allocation,
+ &allocUnit);
+ virBufferVSprintf(&allocBufStr, "%.2lf %s", allocVal,
+ allocUnit);
+
+ /* Output volume details, showing all volume info */
+ vshPrintExtra(ctl, formatStr.d,
+ activeNames[i],
+ volumeInfos[i]->type == VIR_STORAGE_VOL_FILE ?
+ _("file") : _("block"),
+ virBufferContentAndReset(&capBufStr),
+ virBufferContentAndReset(&allocBufStr),
+ volumePaths[i]);
+
+ /* Cleanup memory allocation */
+ VIR_FREE(volumeInfos[i]);
+ } else {
+ /* We don't have detailed sizing info, so output
+ * what we have */
+ vshPrintExtra(ctl, formatStr.d,
+ activeNames[i],
+ _("unknown"),
+ _("unknown"),
+ _("unknown"),
+ volumePaths[i]);
+ }
+
+ /* Cleanup memory allocation for this volume */
+ VIR_FREE(volumePaths[i]);
+ VIR_FREE(activeNames[i]);
+ }
+ } else {
+ /* Only basic volume information needs to be shown */
+ if (maxName < 20) /* Minimum column widths in the output */
+ maxName = 20;
+ if (maxPath < 4) /* Minimum column widths in the output */
+ maxPath = 4;
+ virBuffer outputStr = VIR_BUFFER_INITIALIZER;
+ virBufferVSprintf(&outputStr, "%%-%us %%-%us\n", maxName, maxPath);
+
+ /* Output header */
+ vshPrintExtra(ctl, outputStr.d, _("Name"), _("Path"));
+
+ /* Display underline */
+ for (i = 0; i < maxName + maxPath + 1; i++)
+ vshPrintExtra(ctl, "-");
+ vshPrintExtra(ctl, "\n");
+
+ /* Output the volume information rows */
+ for (i = 0; i < numVolumes; i++) {
+ vshPrint(ctl, outputStr.d, activeNames[i], volumePaths[i]);
+ }
+
+ /* Cleanup memory allocation */
+ virBufferFreeAndReset(&outputStr);
+ }
+
+ /* Cleanup remaining memory allocation */
+ VIR_FREE(volumePaths);
+ VIR_FREE(volumeInfos);
VIR_FREE(activeNames);
virStoragePoolFree(pool);
return TRUE;
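Review bot: The collection loop no longer checks the result of `virStorageVolLookupByName()`; the removed code skipped the entry when `vol` was NULL (with the comment that this work is not atomic), whereas the new loop hands a possibly NULL `vol` to `virStorageVolGetPath()`, `virStorageVolGetInfo()` and `virStorageVolFree()`. Restore the NULL check. Cleanup is also uneven: when `virStorageVolGetInfo()` fails, `volumeInfos[i]` is set to NULL without freeing the block just allocated; the non-details branch frees none of `activeNames[i]`, `volumePaths[i]` or `volumeInfos[i]`; and the strings returned by `virBufferContentAndReset(&formatStr)` are used once as a format and dropped, while the details branch reads `formatStr.d` directly and never releases it. A single cleanup path at the end of the function would cover all of these.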
diff --git a/tools/virsh.pod b/tools/virsh.pod
index 8432b44..0f387e6 100644
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -839,10 +839,12 @@ Returns basic information about the given storage volume.
I<--pool> I<pool-or-uuid> is the name or UUID of the storage pool the volume is in.
I<vol-name-or-key-or-path> is the name or key or path of the volume to return information for.
-=item B<vol-list> I<--pool> I<pool-or-uuid>
+=item B<vol-list> I<--pool> I<pool-or-uuid> optional I<--details>
Return the list of volumes in the given storage pool.
I<--pool> I<pool-or-uuid> is the name or UUID of the storage pool.
+The I<--details> option instructs virsh to additionally display volume
+persistence and capacity related information where available.
=item B<vol-pool> I<vol-key-or-path>
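Review bot: The added text says `--details` displays "volume persistence and capacity related information", but the columns added in tools/virsh.c are Type, Capacity and Allocation, and nothing about persistence is printed for volumes. Suggest wording the man page to match, for example "volume type, capacity and allocation", and bracketing the option in the synopsis line so it reads as optional.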
--
1.7.0.1
If VM startup fails early enough (can't find a referenced USB device),
libvirtd will crash trying to clear the VNC port bit, since port = 0,
which overflows us out of the bitmap bounds.
Fix this by being more defensive in the bitmap operations, and only
clearing a previously set VNC port.
v2: Add safety check to all relevant bitmap ops.
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
src/qemu/qemu_driver.c | 2 +-
src/util/bitmap.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index c8cd50a..f5a1310 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3741,7 +3741,7 @@ retry:
if ((vm->def->ngraphics == 1) &&
vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
vm->def->graphics[0]->data.vnc.autoport &&
- vm->def->graphics[0]->data.vnc.port != -1) {
+ vm->def->graphics[0]->data.vnc.port >= QEMU_VNC_PORT_MIN) {
if (virBitmapClearBit(driver->reservedVNCPorts,
vm->def->graphics[0]->data.vnc.port - \
QEMU_VNC_PORT_MIN) < 0) {
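Review bot: The new lower bound `port >= QEMU_VNC_PORT_MIN` keeps `port - QEMU_VNC_PORT_MIN` from going negative before it becomes the `size_t` argument of `virBitmapClearBit()`, but the reason is recorded only in the commit message. A short comment at the condition, saying that `port` can still be 0 when startup fails before a port was reserved, would keep a later cleanup from restoring the `!= -1` test. The condition also accepts any port at or above the minimum, so the upper bound depends entirely on the bitmap's own range check.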
diff --git a/src/util/bitmap.c b/src/util/bitmap.c
index 69094a5..cef3fc4 100644
--- a/src/util/bitmap.c
+++ b/src/util/bitmap.c
@@ -100,7 +100,7 @@ void virBitmapFree(virBitmapPtr bitmap)
*/
int virBitmapSetBit(virBitmapPtr bitmap, size_t b)
{
- if (b > bitmap->size - 1)
+ if (bitmap->size <= b)
return -1;
bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] |= (1 << VIR_BITMAP_BIT_OFFSET(b));
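Review bot: `b > bitmap->size - 1` and `bitmap->size <= b` differ only when `bitmap->size` is 0, where `size - 1` compares as the maximum `size_t` and the old test never fires; a one-line comment saying so would explain why the comparison was turned around in all three functions. Separately, the context line `(1 << VIR_BITMAP_BIT_OFFSET(b))` shifts a signed int; if the bit offset can reach 31, `1U` would avoid the signed overflow.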
@@ -118,7 +118,7 @@ int virBitmapSetBit(virBitmapPtr bitmap, size_t b)
*/
int virBitmapClearBit(virBitmapPtr bitmap, size_t b)
{
- if (b > bitmap->size - 1)
+ if (bitmap->size <= b)
return -1;
bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] &= ~(1 << VIR_BITMAP_BIT_OFFSET(b));
@@ -140,7 +140,7 @@ int virBitmapGetBit(virBitmapPtr bitmap, size_t b, bool *result)
{
uint32_t bit;
- if (b > bitmap->size - 1)
+ if (bitmap->size <= b)
return -1;
bit = bitmap->map[VIR_BITMAP_UNIT_OFFSET(b)] &
--
1.6.6.1
Probably a copy-paste-bug in python/libvirt-override-api.xml:
virStorageVolGetInfo() extracts information about a "storage volume",
not the "storage pool" as virStoragePoolGetInfo() does.
Signed-off-by: Philipp Hahn <hahn(a)univention.de>
---
python/libvirt-override-api.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
[libvirt] [PATCHv2 0/2] virsh: add new --details option flag to pool-list and vol-list
by Justin Clift 18 Jun '10
Hi all,
The following two patches add a new "--details" option flag to the virsh
pool-list and vol-list commands.
Adding these because trying to get sizing information for large numbers
of pools or volumes is presently difficult, having to run the pool-info
or vol-info command on each one individually.
This shows the required info much more easily. :)
+ The first patch is for the pool-list command, and was pretty
straightforward.
+ The second patch is for the vol-list command, and has been rewritten
from the first submission. If the --details option is not specified,
then the output is exactly as it has been historically, with only
name and path info and the same fixed column widths. If the
--details option is given now, additional info is shown and all
column widths are sized to their widest string.
Additionally the code in the 2nd version of the second patch is
more cleanly structured than the first version.
Decent examples of the output from each command are in their email comments.
Open for suggestions and better ideas of course. :)
Regards and best wishes,
Justin Clift
--
Salasaga - Open Source eLearning IDE
http://www.salasaga.org
[libvirt] 1. Domain Destroy , 2. Domain boot on a different host and 3. Domain start time
by IKI-サガル バルウェ 18 Jun '10
Hello,
Firstly, I have some confusion about the libvirt API "virDomainDestroy"
method. Here is the link to the API:
http://libvirt.org/html/libvirt-libvirt.html#virDomainDestroy
Does this method completely remove the domain from the system? I have
confusion because the "virsh destroy" tool option performs a forced shutdown
and does not destroy/delete/remove the domain.
So, what does the "virDomainDestroy" method do exactly? Also, if it completely
removes the domain, then is there any other method to perform a forced
shutdown of the domain? I know the "virDomainShutdown" method performs a
normal shutdown.
Secondly, is it possible to boot a domain on a completely different physical
host with the same Hypervisor configuration?
For example: if I have a domain on a host 192.168.101.1 running Xen with a
Domain "test" in shutdown state. If I have to start/boot the domain "test"
on a different physical host, running Xen say 192.168.101.2, is it possible
using libvirt API? If not, then is there any other method to do it?
Thirdly, Is there a method to get the total running time of a domain? I
mean, the amount of time since the domain had been booted. Currently, I can
fetch the CPU time. But, is this the exact amount of time the domain is ON?
i.e. If the domain is in a "IDLE" state, the CPU time does not increase. But
what I want is the amount of time the domain was ON(including the idle
time). So, If I can get the start time of the domain, I can calculate the
duration.
Sorry for the long mail and description.
Any help would be greatly appreciated.
Thanks and Regards
Sagar Barve
Adds an optional switch, --uuid, for telling the virsh vol-pool command
to return the pool UUID rather than pool name.
---
Just added for flexibility.
tools/virsh.c | 13 +++++++++++--
tools/virsh.pod | 8 +++++---
2 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index 7d8ae0e..7e65942 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -6049,6 +6049,7 @@ static const vshCmdInfo info_vol_pool[] = {
};
static const vshCmdOptDef opts_vol_pool[] = {
+ {"uuid", VSH_OT_BOOL, 0, N_("return the pool uuid rather than pool name")},
{"vol", VSH_OT_DATA, VSH_OFLAG_REQ, N_("volume key or path")},
{NULL, 0, 0, NULL}
};
@@ -6058,6 +6059,7 @@ cmdVolPool(vshControl *ctl, const vshCmd *cmd)
{
virStoragePoolPtr pool;
virStorageVolPtr vol;
+ char uuid[VIR_UUID_STRING_BUFLEN];
/* Check the connection to libvirtd daemon is still working */
if (!vshConnectionUsability(ctl, ctl->conn, TRUE))
@@ -6077,8 +6079,15 @@ cmdVolPool(vshControl *ctl, const vshCmd *cmd)
return FALSE;
}
- /* Return the name of the parent storage pool */
- vshPrint(ctl, "%s\n", virStoragePoolGetName(pool));
+ /* Return the requested details of the parent storage pool */
+ if (vshCommandOptBool(cmd, "uuid")) {
+ /* Retrieve and return pool UUID string */
+ if (virStoragePoolGetUUIDString(pool, &uuid[0]) == 0)
+ vshPrint(ctl, "%s\n", uuid);
+ } else {
+ /* Return the storage pool name */
+ vshPrint(ctl, "%s\n", virStoragePoolGetName(pool));
+ }
/* Cleanup */
virStorageVolFree(vol);
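Review bot: When `--uuid` is given and `virStoragePoolGetUUIDString()` fails, the new branch prints nothing and emits no error message before falling through to the cleanup, so a caller sees empty output with no explanation. Suggest reporting the failure with `vshError()` and returning FALSE once the cleanup has run, so scripts that consume the UUID can tell a failure from an empty result.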
diff --git a/tools/virsh.pod b/tools/virsh.pod
index e83ea4d..8ef0e96 100644
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -839,10 +839,12 @@ I<vol-name-or-key-or-path> is the name or key or path of the volume to return in
Return the list of volumes in the given storage pool.
I<--pool> I<pool-or-uuid> is the name or UUID of the storage pool.
-=item B<vol-pool> I<vol-key-or-path>
+=item B<vol-pool> [optional I<--uuid>] I<vol-key-or-path>
-Return the pool for a given volume.
-I<vol-key-or-path> is the key or path of the volume to return the pool name for.
+Return the pool name or UUID for a given volume. By default, the pool name is
+returned. If the I<--uuid> option is given, the pool UUID is returned instead.
+I<vol-key-or-path> is the key or path of the volume to return the pool
+information for.
=item B<vol-path> [optional I<--pool> I<pool-or-uuid>] I<vol-name-or-key>
--
1.7.0.1
[libvirt] [PATCH v2] nwfilter: add XML attribute to control match target
by Stefan Berger 17 Jun '10
This patch adds an optional XML attribute to a nwfilter rule to give the
user control over whether the rule is supposed to be using the state
match or not. A rule may now look like shown in the XML below with the
statematch attribute either having value '0' or 'false' (case-insensitive).
[...]
<rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
[...]
I am also extending the nwfilter schema and add this attribute to a test
case.
V2:
- Following D. Berrange's suggestion I inverted the logic from
'nomatch' XML attribute to statematch attribute
Signed-off-by: Stefan Berger
---
docs/schemas/nwfilter.rng | 10 ++++++++++
src/conf/nwfilter_conf.c | 10 ++++++++++
src/conf/nwfilter_conf.h | 5 +++++
src/nwfilter/nwfilter_ebiptables_driver.c | 3 +++
tests/nwfilterxml2xmlin/tcp-test.xml | 4 ++--
tests/nwfilterxml2xmlout/tcp-test.xml | 4 ++--
6 files changed, 32 insertions(+), 4 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1498,6 +1498,9 @@ iptablesCreateRuleInstance(virNWFilterDe
needState = 0;
}
+ if ((rule->flags & RULE_FLAG_NO_STATEMATCH))
+ needState = 0;
+
chainPrefix[0] = 'F';
maySkipICMP = directionIn || inout;
Index: libvirt-acl/src/conf/nwfilter_conf.c
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -1580,6 +1580,7 @@ virNWFilterRuleParse(xmlNodePtr node)
char *action;
char *direction;
char *prio;
+ char *statematch;
int found;
int found_i = 0;
unsigned int priority;
@@ -1595,6 +1596,7 @@ virNWFilterRuleParse(xmlNodePtr node)
action = virXMLPropString(node, "action");
direction = virXMLPropString(node, "direction");
prio = virXMLPropString(node, "priority");
+ statematch= virXMLPropString(node, "statematch");
if (!action) {
virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1633,6 +1635,10 @@ virNWFilterRuleParse(xmlNodePtr node)
}
}
+ if (statematch &&
+ (STREQ(statematch, "0") || STRCASEEQ(statematch, "false")))
+ ret->flags |= RULE_FLAG_NO_STATEMATCH;
+
cur = node->children;
found = 0;
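Review bot: The parser sets `RULE_FLAG_NO_STATEMATCH` only for "0" or a case-insensitive "false" and silently ignores every other value of `statematch`, so a typo such as `statematch='flase'` leaves state matching on with no diagnostic whenever the XML is not schema-validated. Keeping the match on is the safer outcome, but the user gets a filter that behaves differently from what was written; suggest rejecting unrecognised values with an error in `virNWFilterRuleParse()`, and accepting 'true'/'1' explicitly if those are meant to be valid.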
@@ -1677,6 +1683,7 @@ cleanup:
VIR_FREE(prio);
VIR_FREE(action);
VIR_FREE(direction);
+ VIR_FREE(statematch);
return ret;
@@ -2532,6 +2539,9 @@ virNWFilterRuleDefFormat(virNWFilterRule
virNWFilterRuleDirectionTypeToString(def->tt),
def->priority);
+ if ((def->flags & RULE_FLAG_NO_STATEMATCH))
+ virBufferAddLit(&buf, " statematch='false'");
+
i = 0;
while (virAttr[i].id) {
if (virAttr[i].prtclType == def->prtclType) {
Index: libvirt-acl/src/conf/nwfilter_conf.h
===================================================================
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -345,11 +345,16 @@ enum virNWFilterEbtablesTableType {
# define MAX_RULE_PRIORITY 1000
+enum virNWFilterRuleFlags {
+ RULE_FLAG_NO_STATEMATCH = (1 << 0),
+};
+
typedef struct _virNWFilterRuleDef virNWFilterRuleDef;
typedef virNWFilterRuleDef *virNWFilterRuleDefPtr;
struct _virNWFilterRuleDef {
unsigned int priority;
+ enum virNWFilterRuleFlags flags;
int action; /*enum virNWFilterRuleActionType*/
int tt; /*enum virNWFilterRuleDirectionType*/
enum virNWFilterRuleProtocolType prtclType;
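Review bot: `flags` is declared as `enum virNWFilterRuleFlags`, but it is used as a bit mask (`ret->flags |= RULE_FLAG_NO_STATEMATCH`), and once a second flag exists the OR of two values is no longer an enumerator. The neighbouring fields use a plain integer with the enum named in a comment (`int action; /*enum virNWFilterRuleActionType*/`); an `unsigned int flags;` documented the same way would be more consistent.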
Index: libvirt-acl/docs/schemas/nwfilter.rng
===================================================================
--- libvirt-acl.orig/docs/schemas/nwfilter.rng
+++ libvirt-acl/docs/schemas/nwfilter.rng
@@ -299,6 +299,11 @@
<ref name='priority-type'/>
</attribute>
</optional>
+ <optional>
+ <attribute name="statematch">
+ <ref name='statematch-type'/>
+ </attribute>
+ </optional>
</define>
<define name="match-attribute">
@@ -816,4 +821,9 @@
<param name="maxInclusive">1000</param>
</data>
</define>
+ <define name='statematch-type'>
+ <data type="string">
+ <param name="pattern">([Ff][Aa][Ll][Ss][Ee]|0)</param>
+ </data>
+ </define>
</grammar>
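Review bot: The `statematch-type` pattern `([Ff][Aa][Ll][Ss][Ee]|0)` admits only the values that turn state matching off, so a document that spells out the default as `statematch='true'` fails schema validation. If that is intended, the documentation should say so; otherwise extend the pattern to cover the true/1 forms as well.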
Index: libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlin/tcp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlin/tcp-test.xml
@@ -5,14 +5,14 @@
dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
dscp='2'/>
</rule>
- <rule action='accept' direction='in'>
+ <rule action='accept' direction='in' statematch='false'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='33'
srcportstart='20' srcportend='21'
dstportstart='100' dstportend='1111'/>
</rule>
- <rule action='accept' direction='in'>
+ <rule action='accept' direction='in' statematch='0'>
<tcp srcmacaddr='1:2:3:4:5:6'
srcipaddr='10.1.2.3' srcipmask='32'
dscp='63'
Index: libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmlout/tcp-test.xml
+++ libvirt-acl/tests/nwfilterxml2xmlout/tcp-test.xml
@@ -3,10 +3,10 @@
<rule action='accept' direction='out' priority='500'>
<tcp srcmacaddr='01:02:03:04:05:06' dstipaddr='10.1.2.3' dstipmask='32'
dscp='2'/>
</rule>
- <rule action='accept' direction='in' priority='500'>
+ <rule action='accept' direction='in' priority='500' statematch='false'>
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32'
dscp='33' srcportstart='20' srcportend='21' dstportstart='100'
dstportend='1111'/>
</rule>
- <rule action='accept' direction='in' priority='500'>
+ <rule action='accept' direction='in' priority='500' statematch='false'>
<tcp srcmacaddr='01:02:03:04:05:06' srcipaddr='10.1.2.3' srcipmask='32'
dscp='63' srcportstart='255' srcportend='256' dstportstart='65535'/>
</rule>
</filter>
[libvirt] [PATCH] virsh: ensure persistence and autostart are shown for dominfo and pool-info
by Justin Clift 17 Jun '10
This patch adds the persistence status (yes/no) to the output of the virsh
dominfo and pool-info commands. This patch also adds the autostart status
to the output of the virsh pool-info command.
Red Hat BZ for this:
https://bugzilla.redhat.com/show_bug.cgi?id=603696
---
tools/virsh.c | 28 ++++++++++++++++++++++++++++
1 files changed, 28 insertions(+), 0 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index 56e1bd7..90fd59e 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -1903,6 +1903,7 @@ cmdDominfo(vshControl *ctl, const vshCmd *cmd)
virDomainPtr dom;
virSecurityModel secmodel;
virSecurityLabel seclabel;
+ int persistent = 0;
int ret = TRUE, autostart;
unsigned int id;
char *str, uuid[VIR_UUID_STRING_BUFLEN];
@@ -1956,6 +1957,15 @@ cmdDominfo(vshControl *ctl, const vshCmd *cmd)
ret = FALSE;
}
+ /* Check and display whether the domain is persistent or not */
+ persistent = virDomainIsPersistent(dom);
+ vshDebug(ctl, 5, "Domain persistent flag value: %d\n", persistent);
+ if (persistent < 0)
+ vshPrint(ctl, "%-15s %s\n", _("Persistent:"), _("unknown"));
+ else
+ vshPrint(ctl, "%-15s %s\n", _("Persistent:"), persistent ? _("yes") : _("no"));
+
+ /* Check and display whether the domain autostarts or not */
if (!virDomainGetAutostart(dom, &autostart)) {
vshPrint(ctl, "%-15s %s\n", _("Autostart:"),
autostart ? _("enable") : _("disable") );
@@ -5134,6 +5144,8 @@ cmdPoolInfo(vshControl *ctl, const vshCmd *cmd)
{
virStoragePoolInfo info;
virStoragePoolPtr pool;
+ int autostart = 0;
+ int persistent = 0;
int ret = TRUE;
char uuid[VIR_UUID_STRING_BUFLEN];
@@ -5174,6 +5186,22 @@ cmdPoolInfo(vshControl *ctl, const vshCmd *cmd)
break;
}
+ /* Check and display whether the pool is persistent or not */
+ persistent = virStoragePoolIsPersistent(pool);
+ vshDebug(ctl, 5, "Pool persistent flag value: %d\n", persistent);
+ if (persistent < 0)
+ vshPrint(ctl, "%-15s %s\n", _("Persistent:"), _("unknown"));
+ else
+ vshPrint(ctl, "%-15s %s\n", _("Persistent:"), persistent ? _("yes") : _("no"));
+
+ /* Check and display whether the pool is autostarted or not */
+ virStoragePoolGetAutostart(pool, &autostart);
+ vshDebug(ctl, 5, "Pool autostart flag value: %d\n", autostart);
+ if (autostart < 0)
+ vshPrint(ctl, "%-15s %s\n", _("Autostart:"), _("no autostart"));
+ else
+ vshPrint(ctl, "%-15s %s\n", _("Autostart:"), autostart ? _("yes") : _("no"));
+
if (info.state == VIR_STORAGE_POOL_RUNNING ||
info.state == VIR_STORAGE_POOL_DEGRADED) {
val = prettyCapacity(info.capacity, &unit);
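Review bot: in the pool autostart block the return value of virStoragePoolGetAutostart() is ignored, and because autostart is initialised to 0 the "autostart < 0" branch cannot be reached unless the callee itself writes a negative value; a failed call would print "Autostart: no". cmdDominfo tests the call directly with "if (!virDomainGetAutostart(dom, &autostart))"; doing the same here, and printing "no autostart" only when the call fails, would make the two commands consistent. The new Persistent and Autostart vshPrint lines also run past 80 columns.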
--
1.7.0.1
Adding support for the IBM IVM Virtualization system under Power
Hypervisor.
---
src/phyp/phyp_driver.c | 644 ++++++++++++++++++++++++++++++++++--------------
src/phyp/phyp_driver.h | 8 +
2 files changed, 471 insertions(+), 181 deletions(-)
diff --git a/src/phyp/phyp_driver.c b/src/phyp/phyp_driver.c
index f8bea42..787b93d 100644
--- a/src/phyp/phyp_driver.c
+++ b/src/phyp/phyp_driver.c
@@ -66,6 +66,9 @@
virReportErrorHelper(NULL, VIR_FROM_PHYP, code, __FILE__, __FUNCTION__, \
__LINE__, __VA_ARGS__)
+#define HMC 0
+#define IVM 127
+
/*
* URI: phyp://user@[hmc|ivm]/managed_system
* */
@@ -82,7 +85,7 @@ phypOpen(virConnectPtr conn,
uuid_tablePtr uuid_table = NULL;
phyp_driverPtr phyp_driver = NULL;
char *char_ptr;
- char *managed_system;
+ char *managed_system = NULL;
if (!conn || !conn->uri)
return VIR_DRV_OPEN_DECLINED;
@@ -96,12 +99,6 @@ phypOpen(virConnectPtr conn,
return VIR_DRV_OPEN_ERROR;
}
- if (conn->uri->path == NULL) {
- PHYP_ERROR(VIR_ERR_INTERNAL_ERROR,
- "%s", _("Missing managed system name in phyp:// URI"));
- return VIR_DRV_OPEN_ERROR;
- }
-
if (VIR_ALLOC(phyp_driver) < 0) {
virReportOOMError();
goto failure;
@@ -117,36 +114,39 @@ phypOpen(virConnectPtr conn,
goto failure;
}
- len = strlen(conn->uri->path) + 1;
+ if (conn->uri->path) {
+ len = strlen(conn->uri->path) + 1;
- if (VIR_ALLOC_N(string, len) < 0) {
- virReportOOMError();
- goto failure;
- }
+ if (VIR_ALLOC_N(string, len) < 0) {
+ virReportOOMError();
+ goto failure;
+ }
- /* need to shift one byte in order to remove the first "/" of URI component */
- if (conn->uri->path[0] == '/')
- managed_system = strdup(conn->uri->path + 1);
- else
- managed_system = strdup(conn->uri->path);
+ /* need to shift one byte in order to remove the first "/" of URI component */
+ if (conn->uri->path[0] == '/')
+ managed_system = strdup(conn->uri->path + 1);
+ else
+ managed_system = strdup(conn->uri->path);
- if (!managed_system) {
- virReportOOMError();
- goto failure;
- }
+ if (!managed_system) {
+ virReportOOMError();
+ goto failure;
+ }
- /* here we are handling only the first component of the path,
- * so skipping the second:
- * */
- char_ptr = strchr(managed_system, '/');
+ /* here we are handling only the first component of the path,
+ * so skipping the second:
+ * */
+ char_ptr = strchr(managed_system, '/');
- if (char_ptr)
- *char_ptr = '\0';
+ if (char_ptr)
+ *char_ptr = '\0';
- if (escape_specialcharacters(conn->uri->path, string, len) == -1) {
- PHYP_ERROR(VIR_ERR_INTERNAL_ERROR,
- "%s", _("Error parsing 'path'. Invalid characters."));
- goto failure;
+ if (escape_specialcharacters(conn->uri->path, string, len) == -1) {
+ PHYP_ERROR(VIR_ERR_INTERNAL_ERROR,
+ "%s",
+ _("Error parsing 'path'. Invalid characters."));
+ goto failure;
+ }
}
if ((session = openSSHSession(conn, auth, &internal_socket)) == NULL) {
@@ -160,7 +160,9 @@ phypOpen(virConnectPtr conn,
uuid_table->nlpars = 0;
uuid_table->lpars = NULL;
- phyp_driver->managed_system = managed_system;
+ if (conn->uri->path)
+ phyp_driver->managed_system = managed_system;
+
phyp_driver->uuid_table = uuid_table;
if ((phyp_driver->caps = phypCapsInit()) == NULL) {
virReportOOMError();
@@ -169,12 +171,18 @@ phypOpen(virConnectPtr conn,
conn->privateData = phyp_driver;
conn->networkPrivateData = connection_data;
- if (phypUUIDTable_Init(conn) == -1)
+
+ if ((phyp_driver->system_type = phypGetSystemType(conn)) == -1)
goto failure;
- if ((phyp_driver->vios_id = phypGetVIOSPartitionID(conn)) == -1)
+ if (phypUUIDTable_Init(conn) == -1)
goto failure;
+ if (phyp_driver->system_type == HMC) {
+ if ((phyp_driver->vios_id = phypGetVIOSPartitionID(conn)) == -1)
+ goto failure;
+ }
+
return VIR_DRV_OPEN_SUCCESS;
failure:
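Review bot: once phypGetSystemType() reports HMC, nothing verifies that a managed system name was supplied. With the "Missing managed system name in phyp:// URI" check removed earlier in this patch, an HMC URI without a path leaves phyp_driver->managed_system NULL, and every HMC branch later formats it with "-m %s". Suggest failing here with that error when system_type == HMC and conn->uri->path is NULL.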
@@ -280,7 +288,8 @@ openSSHSession(virConnectPtr conn, virConnectAuthPtr auth,
username = virRequestUsername(auth, NULL, conn->uri->server);
if (username == NULL) {
- PHYP_ERROR(VIR_ERR_AUTH_FAILED, "%s", _("Username request failed"));
+ PHYP_ERROR(VIR_ERR_AUTH_FAILED, "%s",
+ _("Username request failed"));
goto err;
}
}
@@ -360,7 +369,8 @@ openSSHSession(virConnectPtr conn, virConnectAuthPtr auth,
password = virRequestPassword(auth, username, conn->uri->server);
if (password == NULL) {
- PHYP_ERROR(VIR_ERR_AUTH_FAILED, "%s", _("Password request failed"));
+ PHYP_ERROR(VIR_ERR_AUTH_FAILED, "%s",
+ _("Password request failed"));
goto disconnect;
}
@@ -488,22 +498,58 @@ phypExec(LIBSSH2_SESSION * session, char *cmd, int *exit_status,
return virBufferContentAndReset(&tex_ret);
}
+int
+phypGetSystemType(virConnectPtr conn)
+{
+ ConnectionData *connection_data = conn->networkPrivateData;
+ LIBSSH2_SESSION *session = connection_data->session;
+ char *cmd = NULL;
+ char *ret = NULL;
+ int exit_status = 0;
+
+ if (virAsprintf(&cmd, "lshmc -V") < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ ret = phypExec(session, cmd, &exit_status, conn);
+
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return exit_status;
+
+ err:
+ VIR_FREE(cmd);
+ VIR_FREE(ret);
+ return -1;
+}
+
/* return the lpar_id given a name and a managed system name */
static int
phypGetLparID(LIBSSH2_SESSION * session, const char *managed_system,
const char *name, virConnectPtr conn)
{
+ phyp_driverPtr phyp_driver = conn->privateData;
+ int system_type = phyp_driver->system_type;
int exit_status = 0;
int lpar_id = 0;
char *char_ptr;
char *cmd = NULL;
char *ret = NULL;
- if (virAsprintf(&cmd,
- "lssyscfg -r lpar -m %s --filter lpar_names=%s -F lpar_id",
- managed_system, name) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf(&cmd,
+ "lssyscfg -r lpar -m %s --filter lpar_names=%s -F lpar_id",
+ managed_system, name) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lssyscfg -r lpar --filter lpar_names=%s -F lpar_id",
+ name) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
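Review bot: phypGetSystemType() returns the raw exit status of "lshmc -V", so every non-zero status, not only 127, is treated as IVM by the "system_type == HMC" tests, and a transient failure on an HMC would silently switch the driver to the IVM command set. Map the status explicitly (0 to HMC, 127 to IVM, anything else to -1) and add a comment saying where 127 comes from. virAsprintf() on a constant string can also be a plain strdup().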
@@ -529,15 +575,26 @@ static char *
phypGetLparNAME(LIBSSH2_SESSION * session, const char *managed_system,
unsigned int lpar_id, virConnectPtr conn)
{
+ phyp_driverPtr phyp_driver = conn->privateData;
+ int system_type = phyp_driver->system_type;
char *cmd = NULL;
char *ret = NULL;
int exit_status = 0;
- if (virAsprintf(&cmd,
- "lssyscfg -r lpar -m %s --filter lpar_ids=%d -F name",
- managed_system, lpar_id) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf(&cmd,
+ "lssyscfg -r lpar -m %s --filter lpar_ids=%d -F name",
+ managed_system, lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lssyscfg -r lpar --filter lpar_ids=%d -F name",
+ lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
@@ -595,6 +652,8 @@ phypGetLparMem(virConnectPtr conn, const char *managed_system, int lpar_id,
{
ConnectionData *connection_data = conn->networkPrivateData;
LIBSSH2_SESSION *session = connection_data->session;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ int system_type = phyp_driver->system_type;
char *cmd = NULL;
char *ret = NULL;
char *char_ptr;
@@ -604,21 +663,40 @@ phypGetLparMem(virConnectPtr conn, const char *managed_system, int lpar_id,
if (type != 1 && type != 0)
goto err;
- if (type) {
- if (virAsprintf(&cmd,
- "lshwres -m %s -r mem --level lpar -F curr_mem "
- "--filter lpar_ids=%d",
- managed_system, lpar_id) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (type) {
+ if (virAsprintf(&cmd,
+ "lshwres -m %s -r mem --level lpar -F curr_mem "
+ "--filter lpar_ids=%d",
+ managed_system, lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lshwres -m %s -r mem --level lpar -F "
+ "curr_max_mem --filter lpar_ids=%d",
+ managed_system, lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
} else {
- if (virAsprintf(&cmd,
- "lshwres -m %s -r mem --level lpar -F "
- "curr_max_mem --filter lpar_ids=%d",
- managed_system, lpar_id) < 0) {
- virReportOOMError();
- goto err;
+ if (type) {
+ if (virAsprintf(&cmd,
+ "lshwres -r mem --level lpar -F curr_mem "
+ "--filter lpar_ids=%d", lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lshwres -r mem --level lpar -F "
+ "curr_max_mem --filter lpar_ids=%d",
+ lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
}
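Review bot: the HMC and IVM branches in phypGetLparMem differ only in the "-m %s" argument, yet the hunk now carries four virAsprintf calls with four separate OOM paths, and the same doubling repeats in the other command builders of this patch. Building the optional "-m <managed_system>" fragment once (empty for IVM) and keeping a single format string per command would stop the two variants from drifting apart.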
@@ -667,27 +745,49 @@ phypGetLparCPUGeneric(virConnectPtr conn, const char *managed_system,
{
ConnectionData *connection_data = conn->networkPrivateData;
LIBSSH2_SESSION *session = connection_data->session;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ int system_type = phyp_driver->system_type;
char *cmd = NULL;
char *ret = NULL;
char *char_ptr;
int exit_status = 0;
int vcpus = 0;
- if (type) {
- if (virAsprintf(&cmd,
- "lshwres -m %s -r proc --level lpar -F "
- "curr_max_procs --filter lpar_ids=%d",
- managed_system, lpar_id) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (type) {
+ if (virAsprintf(&cmd,
+ "lshwres -m %s -r proc --level lpar -F "
+ "curr_max_procs --filter lpar_ids=%d",
+ managed_system, lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lshwres -m %s -r proc --level lpar -F "
+ "curr_procs --filter lpar_ids=%d",
+ managed_system, lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
} else {
- if (virAsprintf(&cmd,
- "lshwres -m %s -r proc --level lpar -F "
- "curr_procs --filter lpar_ids=%d",
- managed_system, lpar_id) < 0) {
- virReportOOMError();
- goto err;
+ if (type) {
+ if (virAsprintf(&cmd,
+ "lshwres -r proc --level lpar -F "
+ "curr_max_procs --filter lpar_ids=%d",
+ lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lshwres -r proc --level lpar -F "
+ "curr_procs --filter lpar_ids=%d",
+ lpar_id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
}
ret = phypExec(session, cmd, &exit_status, conn);
@@ -719,18 +819,30 @@ phypGetRemoteSlot(virConnectPtr conn, const char *managed_system,
{
ConnectionData *connection_data = conn->networkPrivateData;
LIBSSH2_SESSION *session = connection_data->session;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ int system_type = phyp_driver->system_type;
char *cmd = NULL;
char *ret = NULL;
char *char_ptr;
int remote_slot = 0;
int exit_status = 0;
- if (virAsprintf(&cmd,
- "lshwres -m %s -r virtualio --rsubtype scsi -F "
- "remote_slot_num --filter lpar_names=%s",
- managed_system, lpar_name) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf(&cmd,
+ "lshwres -m %s -r virtualio --rsubtype scsi -F "
+ "remote_slot_num --filter lpar_names=%s",
+ managed_system, lpar_name) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lshwres -r virtualio --rsubtype scsi -F "
+ "remote_slot_num --filter lpar_names=%s",
+ lpar_name) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
@@ -761,6 +873,8 @@ phypGetBackingDevice(virConnectPtr conn, const char *managed_system,
{
ConnectionData *connection_data = conn->networkPrivateData;
LIBSSH2_SESSION *session = connection_data->session;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ int system_type = phyp_driver->system_type;
char *cmd = NULL;
char *ret = NULL;
int remote_slot = 0;
@@ -772,12 +886,22 @@ phypGetBackingDevice(virConnectPtr conn, const char *managed_system,
phypGetRemoteSlot(conn, managed_system, lpar_name)) == -1)
goto err;
- if (virAsprintf(&cmd,
- "lshwres -m %s -r virtualio --rsubtype scsi -F "
- "backing_devices --filter slots=%d",
- managed_system, remote_slot) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf(&cmd,
+ "lshwres -m %s -r virtualio --rsubtype scsi -F "
+ "backing_devices --filter slots=%d",
+ managed_system, remote_slot) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lshwres -r virtualio --rsubtype scsi -F "
+ "backing_devices --filter slots=%d",
+ remote_slot) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
@@ -834,6 +958,7 @@ phypGetLparState(virConnectPtr conn, unsigned int lpar_id)
ConnectionData *connection_data = conn->networkPrivateData;
phyp_driverPtr phyp_driver = conn->privateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
char *cmd = NULL;
char *ret = NULL;
int exit_status = 0;
@@ -841,11 +966,20 @@ phypGetLparState(virConnectPtr conn, unsigned int lpar_id)
char *managed_system = phyp_driver->managed_system;
int state = VIR_DOMAIN_NOSTATE;
- if (virAsprintf(&cmd,
- "lssyscfg -r lpar -m %s -F state --filter lpar_ids=%d",
- managed_system, lpar_id) < 0) {
- virReportOOMError();
- goto cleanup;
+ if (system_type == HMC) {
+ if (virAsprintf(&cmd,
+ "lssyscfg -r lpar -m %s -F state --filter lpar_ids=%d",
+ managed_system, lpar_id) < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lssyscfg -r lpar -F state --filter lpar_ids=%d",
+ lpar_id) < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
@@ -877,6 +1011,7 @@ phypGetVIOSPartitionID(virConnectPtr conn)
ConnectionData *connection_data = conn->networkPrivateData;
phyp_driverPtr phyp_driver = conn->privateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
char *cmd = NULL;
char *ret = NULL;
int exit_status = 0;
@@ -884,11 +1019,21 @@ phypGetVIOSPartitionID(virConnectPtr conn)
char *char_ptr;
char *managed_system = phyp_driver->managed_system;
- if (virAsprintf(&cmd,
- "lssyscfg -m %s -r lpar -F lpar_id,lpar_env|grep "
- "vioserver|sed -s 's/,.*$//g'", managed_system) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf(&cmd,
+ "lssyscfg -m %s -r lpar -F lpar_id,lpar_env|grep "
+ "vioserver|sed -s 's/,.*$//g'",
+ managed_system) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lssyscfg -r lpar -F lpar_id,lpar_env|grep "
+ "vioserver|sed -s 's/,.*$//g'") < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
@@ -915,6 +1060,7 @@ phypDiskType(virConnectPtr conn, char *backing_device)
phyp_driverPtr phyp_driver = conn->privateData;
ConnectionData *connection_data = conn->networkPrivateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
char *cmd = NULL;
char *ret = NULL;
int exit_status = 0;
@@ -923,12 +1069,22 @@ phypDiskType(virConnectPtr conn, char *backing_device)
int vios_id = phyp_driver->vios_id;
int disk_type = -1;
- if (virAsprintf(&cmd,
- "viosvrcmd -m %s -p %d -c \"lssp -field name type "
- "-fmt , -all|grep %s|sed -e 's/^.*,//g'\"",
- managed_system, vios_id, backing_device) < 0) {
- virReportOOMError();
- goto cleanup;
+ if (system_type == HMC) {
+ if (virAsprintf(&cmd,
+ "viosvrcmd -m %s -p %d -c \"lssp -field name type "
+ "-fmt , -all|grep %s|sed -e 's/^.*,//g'\"",
+ managed_system, vios_id, backing_device) < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "viosvrcmd -p %d -c \"lssp -field name type "
+ "-fmt , -all|grep %s|sed -e 's/^.*,//g'\"",
+ vios_id, backing_device) < 0) {
+ virReportOOMError();
+ goto cleanup;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
@@ -966,6 +1122,7 @@ phypNumDomainsGeneric(virConnectPtr conn, unsigned int type)
ConnectionData *connection_data = conn->networkPrivateData;
phyp_driverPtr phyp_driver = conn->privateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
int exit_status = 0;
int ndom = 0;
char *char_ptr;
@@ -976,16 +1133,29 @@ phypNumDomainsGeneric(virConnectPtr conn, unsigned int type)
if (type == 0)
state = "|grep Running";
- else if (type == 1)
- state = "|grep \"Not Activated\"";
- else
+ else if (type == 1) {
+ if (system_type == HMC) {
+ state = "|grep \"Not Activated\"";
+ } else {
+ state = "|grep \"Open Firmware\"";
+ }
+ } else
state = " ";
- if (virAsprintf(&cmd,
- "lssyscfg -r lpar -m %s -F lpar_id,state %s |grep -c "
- "^[0-9]*", managed_system, state) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf(&cmd,
+ "lssyscfg -r lpar -m %s -F lpar_id,state %s |grep -c "
+ "^[0-9]*", managed_system, state) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd,
+ "lssyscfg -r lpar -F lpar_id,state %s |grep -c "
+ "^[0-9]*", state) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
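Review bot: for type == 1 the IVM branch filters on "Open Firmware" where the HMC branch filters on "Not Activated", and there is no comment explaining why the inactive state has a different name on IVM. Please document that mapping, ideally as one helper or constant shared with phypListDefinedDomains, which repeats the same pair of strings.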
@@ -1032,6 +1202,7 @@ phypListDomainsGeneric(virConnectPtr conn, int *ids, int nids,
ConnectionData *connection_data = conn->networkPrivateData;
phyp_driverPtr phyp_driver = conn->privateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
char *managed_system = phyp_driver->managed_system;
int exit_status = 0;
int got = 0;
@@ -1049,13 +1220,24 @@ phypListDomainsGeneric(virConnectPtr conn, int *ids, int nids,
memset(id_c, 0, 10);
- if (virAsprintf
- (&cmd,
- "lssyscfg -r lpar -m %s -F lpar_id,state %s | sed -e 's/,.*$//g'",
- managed_system, state) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf
+ (&cmd,
+ "lssyscfg -r lpar -m %s -F lpar_id,state %s | sed -e 's/,.*$//g'",
+ managed_system, state) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf
+ (&cmd,
+ "lssyscfg -r lpar -F lpar_id,state %s | sed -e 's/,.*$//g'",
+ state) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
+
ret = phypExec(session, cmd, &exit_status, conn);
/* I need to parse the textual return in order to get the ret */
@@ -1103,6 +1285,7 @@ phypListDefinedDomains(virConnectPtr conn, char **const names, int nnames)
ConnectionData *connection_data = conn->networkPrivateData;
phyp_driverPtr phyp_driver = conn->privateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
char *managed_system = phyp_driver->managed_system;
int exit_status = 0;
int got = 0;
@@ -1112,12 +1295,22 @@ phypListDefinedDomains(virConnectPtr conn, char **const names, int nnames)
char *domains = NULL;
char *char_ptr2 = NULL;
- if (virAsprintf
- (&cmd,
- "lssyscfg -r lpar -m %s -F name,state | grep \"Not Activated\" | "
- "sed -e 's/,.*$//g'", managed_system) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf
+ (&cmd,
+ "lssyscfg -r lpar -m %s -F name,state | grep \"Not Activated\" | "
+ "sed -e 's/,.*$//g'", managed_system) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf
+ (&cmd,
+ "lssyscfg -r lpar -F name,state | grep \"Open Firmware\" | "
+ "sed -e 's/,.*$//g'") < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
@@ -1272,17 +1465,28 @@ phypDomainResume(virDomainPtr dom)
ConnectionData *connection_data = dom->conn->networkPrivateData;
phyp_driverPtr phyp_driver = dom->conn->privateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
char *managed_system = phyp_driver->managed_system;
int exit_status = 0;
char *cmd = NULL;
char *ret = NULL;
- if (virAsprintf
- (&cmd,
- "chsysstate -m %s -r lpar -o on --id %d -f %s",
- managed_system, dom->id, dom->name) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf
+ (&cmd,
+ "chsysstate -m %s -r lpar -o on --id %d -f %s",
+ managed_system, dom->id, dom->name) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf
+ (&cmd,
+ "chsysstate -r lpar -o on --id %d -f %s",
+ dom->id, dom->name) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, dom->conn);
@@ -1304,21 +1508,31 @@ static int
phypDomainShutdown(virDomainPtr dom)
{
ConnectionData *connection_data = dom->conn->networkPrivateData;
- phyp_driverPtr phyp_driver = dom->conn->privateData;
+ virConnectPtr conn = dom->conn;
LIBSSH2_SESSION *session = connection_data->session;
+ phyp_driverPtr phyp_driver = conn->privateData;
+ int system_type = phyp_driver->system_type;
char *managed_system = phyp_driver->managed_system;
int exit_status = 0;
char *cmd = NULL;
char *ret = NULL;
- if (virAsprintf
- (&cmd,
- "chsysstate -m %s -r lpar -o shutdown --id %d",
- managed_system, dom->id) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf
+ (&cmd,
+ "chsysstate -m %s -r lpar -o shutdown --id %d",
+ managed_system, dom->id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf
+ (&cmd,
+ "chsysstate -r lpar -o shutdown --id %d", dom->id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
-
ret = phypExec(session, cmd, &exit_status, dom->conn);
if (exit_status < 0)
@@ -1363,16 +1577,25 @@ phypDomainDestroy(virDomainPtr dom)
ConnectionData *connection_data = dom->conn->networkPrivateData;
phyp_driverPtr phyp_driver = dom->conn->privateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
char *managed_system = phyp_driver->managed_system;
int exit_status = 0;
char *cmd = NULL;
char *ret = NULL;
- if (virAsprintf
- (&cmd,
- "rmsyscfg -m %s -r lpar --id %d", managed_system, dom->id) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf
+ (&cmd,
+ "rmsyscfg -m %s -r lpar --id %d", managed_system,
+ dom->id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf(&cmd, "rmsyscfg -r lpar --id %d", dom->id) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, dom->conn);
@@ -1508,6 +1731,7 @@ phypDomainSetCPU(virDomainPtr dom, unsigned int nvcpus)
ConnectionData *connection_data = dom->conn->networkPrivateData;
phyp_driverPtr phyp_driver = dom->conn->privateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
char *managed_system = phyp_driver->managed_system;
int exit_status = 0;
char *cmd = NULL;
@@ -1534,20 +1758,32 @@ phypDomainSetCPU(virDomainPtr dom, unsigned int nvcpus)
} else
goto exit;
- if (virAsprintf
- (&cmd,
- "chhwres -r proc -m %s --id %d -o %c --procunits %d 2>&1 |sed"
- "-e 's/^.*\\([0-9]\\+.[0-9]\\+\\).*$/\\1/g'",
- managed_system, dom->id, operation, amount) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf
+ (&cmd,
+ "chhwres -r proc -m %s --id %d -o %c --procunits %d 2>&1 |sed"
+ "-e 's/^.*\\([0-9]\\+.[0-9]\\+\\).*$/\\1/g'",
+ managed_system, dom->id, operation, amount) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf
+ (&cmd,
+ "chhwres -r proc -id %d -o %c --procunits %d 2>&1 |sed"
+ "-e 's/^.*\\([0-9]\\+.[0-9]\\+\\).*$/\\1/g'",
+ dom->id, operation, amount) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, dom->conn);
if (exit_status < 0) {
- VIR_ERROR0(_("Possibly you don't have IBM Tools installed in your LPAR."
- "Contact your support to enable this feature."));
+ VIR_ERROR0(_
+ ("Possibly you don't have IBM Tools installed in your LPAR."
+ "Contact your support to enable this feature."));
goto err;
}
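Review bot: the IVM command in phypDomainSetCPU passes "-id %d" where the HMC command passes "--id %d"; unless chhwres on IVM really takes a single dash, this looks like a typo. Both format strings also join "|sed" and "-e" without a space, which yields "sed-e" in the command sent to the remote side; that predates this patch but is now duplicated. The VIR_ERROR0 re-wrap is whitespace only and would be better left out.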
@@ -1564,9 +1800,7 @@ phypDomainSetCPU(virDomainPtr dom, unsigned int nvcpus)
}
virDriver phypDriver = {
- VIR_DRV_PHYP,
- "PHYP",
- phypOpen, /* open */
+ VIR_DRV_PHYP, "PHYP", phypOpen, /* open */
phypClose, /* close */
NULL, /* supports_feature */
NULL, /* type */
@@ -1644,23 +1878,23 @@ virDriver phypDriver = {
NULL, /* domainIsPersistent */
NULL, /* cpuCompare */
NULL, /* cpuBaseline */
- NULL, /* domainGetJobInfo */
- NULL, /* domainAbortJob */
- NULL, /* domainMigrateSetMaxDowntime */
- NULL, /* domainEventRegisterAny */
- NULL, /* domainEventDeregisterAny */
- NULL, /* domainManagedSave */
- NULL, /* domainHasManagedSaveImage */
- NULL, /* domainManagedSaveRemove */
- NULL, /* domainSnapshotCreateXML */
- NULL, /* domainSnapshotDumpXML */
- NULL, /* domainSnapshotNum */
- NULL, /* domainSnapshotListNames */
- NULL, /* domainSnapshotLookupByName */
- NULL, /* domainHasCurrentSnapshot */
- NULL, /* domainSnapshotCurrent */
- NULL, /* domainRevertToSnapshot */
- NULL, /* domainSnapshotDelete */
+ NULL, /* domainGetJobInfo */
+ NULL, /* domainAbortJob */
+ NULL, /* domainMigrateSetMaxDowntime */
+ NULL, /* domainEventRegisterAny */
+ NULL, /* domainEventDeregisterAny */
+ NULL, /* domainManagedSave */
+ NULL, /* domainHasManagedSaveImage */
+ NULL, /* domainManagedSaveRemove */
+ NULL, /* domainSnapshotCreateXML */
+ NULL, /* domainSnapshotDumpXML */
+ NULL, /* domainSnapshotNum */
+ NULL, /* domainSnapshotListNames */
+ NULL, /* domainSnapshotLookupByName */
+ NULL, /* domainHasCurrentSnapshot */
+ NULL, /* domainSnapshotCurrent */
+ NULL, /* domainRevertToSnapshot */
+ NULL, /* domainSnapshotDelete */
};
int
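Review bot: the changes to the phypDriver table are whitespace only (re-indented comments in this hunk, and the first three initialisers joined onto one line in the previous one), which is unrelated to IVM support and makes the patch harder to review and backport. Please drop them or send them as a separate cleanup.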
@@ -1669,20 +1903,34 @@ phypBuildLpar(virConnectPtr conn, virDomainDefPtr def)
ConnectionData *connection_data = conn->networkPrivateData;
phyp_driverPtr phyp_driver = conn->privateData;
LIBSSH2_SESSION *session = connection_data->session;
+ int system_type = phyp_driver->system_type;
char *managed_system = phyp_driver->managed_system;
char *cmd = NULL;
char *ret = NULL;
int exit_status = 0;
- if (virAsprintf
- (&cmd,
- "mksyscfg -m %s -r lpar -p %s -i min_mem=%d,desired_mem=%d,"
- "max_mem=%d,desired_procs=%d,virtual_scsi_adapters=%s",
- managed_system, def->name, (int) def->memory,
- (int) def->memory, (int) def->maxmem, (int) def->vcpus,
- def->disks[0]->src) < 0) {
- virReportOOMError();
- goto err;
+ if (system_type == HMC) {
+ if (virAsprintf
+ (&cmd,
+ "mksyscfg -m %s -r lpar -p %s -i min_mem=%d,desired_mem=%d,"
+ "max_mem=%d,desired_procs=%d,virtual_scsi_adapters=%s",
+ managed_system, def->name, (int) def->memory,
+ (int) def->memory, (int) def->maxmem, (int) def->vcpus,
+ def->disks[0]->src) < 0) {
+ virReportOOMError();
+ goto err;
+ }
+ } else {
+ if (virAsprintf
+ (&cmd,
+ "mksyscfg -r lpar -p %s -i min_mem=%d,desired_mem=%d,"
+ "max_mem=%d,desired_procs=%d,virtual_scsi_adapters=%s",
+ def->name, (int) def->memory,
+ (int) def->memory, (int) def->maxmem, (int) def->vcpus,
+ def->disks[0]->src) < 0) {
+ virReportOOMError();
+ goto err;
+ }
}
ret = phypExec(session, cmd, &exit_status, conn);
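Review bot: def->name and def->disks[0]->src are formatted straight into the mksyscfg command line in both branches, so shell metacharacters in a domain definition reach the remote shell unescaped. phypOpen already runs the URI path through escape_specialcharacters(); the same treatment, or rejecting such values outright, belongs here before the command is built. The hunk also shows no check that def->disks[0] exists before it is dereferenced.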
@@ -1796,7 +2044,8 @@ phypUUIDTable_ReadFile(virConnectPtr conn)
}
uuid_table->lpars[i]->id = id;
} else {
- VIR_WARN0("Unable to read from information to local file.");
+ VIR_WARN0
+ ("Unable to read from information to local file.");
goto err;
}
@@ -1947,14 +2196,30 @@ phypUUIDTable_Push(virConnectPtr conn)
ConnectionData *connection_data = conn->networkPrivateData;
LIBSSH2_SESSION *session = connection_data->session;
LIBSSH2_CHANNEL *channel = NULL;
+ char *username = NULL;
struct stat local_fileinfo;
char buffer[1024];
int rc = 0;
FILE *fd;
size_t nread, sent;
char *ptr;
- char remote_file[] = "/home/hscroot/libvirt_uuid_table";
char local_file[] = "./uuid_table";
+ char *remote_file = NULL;
+
+ if (conn->uri->user != NULL) {
+ username = strdup(conn->uri->user);
+
+ if (username == NULL) {
+ virReportOOMError();
+ goto err;
+ }
+ }
+
+ if (virAsprintf(&remote_file, "/home/%s/libvirt_uuid_table", username)
+ < 0) {
+ virReportOOMError();
+ goto err;
+ }
if (stat(local_file, &local_fileinfo) == -1) {
VIR_WARN0("Unable to stat local file.");
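Review bot: in phypUUIDTable_Push username stays NULL when conn->uri->user is NULL and is then passed to virAsprintf for the %s in "/home/%s/libvirt_uuid_table". Bail out, or obtain the name the way openSSHSession does with virRequestUsername(), before building the path. The hunk also shows no VIR_FREE for username or remote_file, and the path assumes the remote home directory is /home/<user>.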
@@ -2031,6 +2296,7 @@ phypUUIDTable_Pull(virConnectPtr conn)
ConnectionData *connection_data = conn->networkPrivateData;
LIBSSH2_SESSION *session = connection_data->session;
LIBSSH2_CHANNEL *channel = NULL;
+ char *username = NULL;
struct stat fileinfo;
char buffer[1024];
int rc = 0;
@@ -2039,8 +2305,23 @@ phypUUIDTable_Pull(virConnectPtr conn)
int amount = 0;
int total = 0;
int sock = 0;
- char remote_file[] = "/home/hscroot/libvirt_uuid_table";
char local_file[] = "./uuid_table";
+ char *remote_file = NULL;
+
+ if (conn->uri->user != NULL) {
+ username = strdup(conn->uri->user);
+
+ if (username == NULL) {
+ virReportOOMError();
+ goto err;
+ }
+ }
+
+ if (virAsprintf(&remote_file, "/home/%s/libvirt_uuid_table", username)
+ < 0) {
+ virReportOOMError();
+ goto err;
+ }
/* Trying to stat the remote file. */
do {
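Review bot: this block in phypUUIDTable_Pull is a copy of the one added to phypUUIDTable_Push, including handing a possibly NULL username to virAsprintf. A small helper that returns the remote table path, and fails when no user name is available, would remove the duplication and give one place to free the strings.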
@@ -2072,7 +2353,8 @@ phypUUIDTable_Pull(virConnectPtr conn)
rc = libssh2_channel_read(channel, buffer, amount);
if (rc > 0) {
if (safewrite(fd, buffer, rc) != rc)
- VIR_WARN0("Unable to write information to local file.");
+ VIR_WARN0
+ ("Unable to write information to local file.");
got += rc;
total += rc;
diff --git a/src/phyp/phyp_driver.h b/src/phyp/phyp_driver.h
index f680994..80ff0c3 100644
--- a/src/phyp/phyp_driver.h
+++ b/src/phyp/phyp_driver.h
@@ -66,11 +66,19 @@ struct _phyp_driver {
uuid_tablePtr uuid_table;
virCapsPtr caps;
int vios_id;
+
+ /* system_type:
+ * 0 = hmc
+ * 127 = ivm
+ * */
+ int system_type;
char *managed_system;
};
int phypCheckSPFreeSapce(virConnectPtr conn, int required_size, char *sp);
+int phypGetSystemType(virConnectPtr conn);
+
int phypGetVIOSPartitionID(virConnectPtr conn);
virCapsPtr phypCapsInit(void);
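Review bot: the system_type comment hard-codes 0 and 127 while the matching HMC and IVM macros are defined in phyp_driver.c. Moving the macros (or an enum) into this header next to the field keeps the values in one place and lets the comment refer to the names instead of the numbers.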
--
1.7.0.4
Hi,
I noticed today that ebiptablesWriteToTempFile() creates a temporary
file in /tmp that is later executed. It uses mkstemp() and therefore is
safe from symlink attacks; however, there is not really any reason that
I can see why it is using /tmp instead of somewhere
like /var/lib/libvirt. If libvirtd is confined under a MAC which allows
execution of /tmp/virtd* and a vulnerability is found in libvirtd,
the /tmp path leaves an opportunity for a local non-root attacker to
write a script in /tmp and then subvert libvirt to execute that script.
Putting it in /var/lib/libvirt (or somewhere without world-write
permissions) would prevent this.
I do not consider this a security vulnerability, but rather defensive
programming. Attached is a patch that uses LOCAL_STATE_DIR
"/lib/libvirt/virtdXXXXXX". Feel free to move it somewhere else if
desired. Patch is against head.
Thanks
--
Jamie Strandboge | http://www.canonical.com
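The hardening argued for in the message above, as an added C example that is not part of the original message or of libvirt: refuse to create the to-be-executed script in any directory other users can write to, then create it with mkstemp() using the virtdXXXXXX template from the message. The function names and the mkdtemp()-made demo directory (a stand-in for LOCAL_STATE_DIR "/lib/libvirt") are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 0 if dir is a real directory (not a symlink), owned by
 * root or by the calling user, and not writable by group or others. */
int dir_is_private(const char *dir)
{
    struct stat st;

    if (lstat(dir, &st) < 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    if ((st.st_uid != 0 && st.st_uid != geteuid()) ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Hypothetical helper: write script to a new <dir>/virtdXXXXXX file with mode
 * 0700. Returns 0 and leaves the file name in path, or -1 with errno set. */
int write_script(const char *dir, const char *script, char *path, size_t pathlen)
{
    size_t len = strlen(script), done = 0;
    int fd, n, saved;

    if (dir_is_private(dir) < 0)
        return -1;
    n = snprintf(path, pathlen, "%s/virtdXXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    if ((fd = mkstemp(path)) < 0)        /* O_EXCL create, never follows a symlink */
        return -1;
    if (fchmod(fd, S_IRWXU) < 0)         /* owner-only, executable */
        goto fail;
    while (done < len) {
        ssize_t w = write(fd, script + done, len - done);
        if (w < 0) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        done += (size_t)w;
    }
    if (close(fd) < 0) {
        unlink(path);
        return -1;
    }
    return 0;

fail:
    saved = errno;
    close(fd);
    unlink(path);
    errno = saved;
    return -1;
}

/* Runs both cases on a constructed directory. Returns 0 when the private
 * directory is accepted and the world-writable one refused; -1 on setup error. */
int demo(void)
{
    char dir[] = "/tmp/demo_stateXXXXXX";   /* constructed stand-in for the state dir */
    char path[PATH_MAX] = "";
    struct stat st;
    int bad = 0;

    if (mkdtemp(dir) == NULL)               /* mkdtemp creates it with mode 0700 */
        return -1;
    if (write_script(dir, "#!/bin/sh\nexit 0\n", path, sizeof(path)) < 0 ||
        stat(path, &st) < 0 || (st.st_mode & 0777) != 0700)
        bad |= 1;
    unlink(path);

    if (chmod(dir, 0777) < 0) {             /* now behaves like /tmp: anyone may write */
        rmdir(dir);
        return -1;
    }
    if (write_script(dir, "#!/bin/sh\nexit 0\n", path, sizeof(path)) == 0) {
        bad |= 2;
        unlink(path);
    }
    rmdir(dir);
    return bad;
}

int main(void)
{
    int r = demo();
    printf("demo result: %d (0 means both checks behaved as intended)\n", r);
    return r != 0;
}
```

The directory check and the mkstemp() call are two separate steps, so this only helps when the directory's ownership and mode cannot be changed by the party being defended against, which is the property the message asks for.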
17 Jun '10
This patch works around a recent extension of the netlink driver I had
made use of when building the netlink messages. Unfortunately older
kernels don't accept IFLA_IFNAME + name of interface as a replacement
for the interface's index, so this patch now gets the interface index
ifindex if it's not provided (ifindex <= 0).
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
src/util/macvtap.c | 3 +++
1 file changed, 3 insertions(+)
Index: libvirt-acl/src/util/macvtap.c
===================================================================
--- libvirt-acl.orig/src/util/macvtap.c
+++ libvirt-acl/src/util/macvtap.c
@@ -905,6 +905,9 @@ ifaceGetNthParent(int ifindex, const cha
*nth = 0;
+ if (ifindex <= 0 && ifaceGetIndex(true, ifname, &ifindex) != 0)
+ return 1;
+
while (!end && i <= nthParent) {
rc = link_dump(true, ifname, ifindex, tb, &recvbuf);
if (rc)
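Review bot: the new lookup at the top of ifaceGetNthParent runs whenever ifindex <= 0 but does not check that ifname is usable, so a caller that passes neither a valid index nor a name reaches ifaceGetIndex() with whatever ifname holds; add an explicit check or document that one of the two is required. A one-line comment that this is the fallback for kernels that reject IFLA_IFNAME would keep the reason next to the code.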
[libvirt] [PATCH] Add several missing vir*Free calls in libvirtd's remote code
by Matthias Bolte 17 Jun '10
Justin Clift reported a problem with adding virStoragePoolIsPersistent
to virsh's pool-info command, resulting in a strange problem. Here's
an example:
virsh # pool-create-as images_dir3 dir - - - - "/home/images2"
Pool images_dir3 created
virsh # pool-info images_dir3
Name: images_dir3
UUID: 90301885-94eb-4ca7-14c2-f30b25a29a36
State: running
Capacity: 395.20 GB
Allocation: 30.88 GB
Available: 364.33 GB
virsh # pool-destroy images_dir3
Pool images_dir3 destroyed
At this point the images_dir3 pool should be gone (because it was
transient) and we should be able to create a new pool with the same name:
virsh # pool-create-as images_dir3 dir - - - - "/home/images2"
Pool images_dir3 created
virsh # pool-info images_dir3
Name: images_dir3
UUID: 90301885-94eb-4ca7-14c2-f30b25a29a36
error: Storage pool not found
The new pool got the same UUID as the first one, but we didn't specify
one. libvirt should have picked a random UUID, but it didn't.
It turned out that virStoragePoolIsPersistent leaks a reference to the
storage pool object (actually remoteDispatchStoragePoolIsPersistent does).
As a result, pool-destroy doesn't remove the virStoragePool for the
"images_dir3" pool from the virConnectPtr's storagePools hash on libvirtd's
side. Then the second pool-create-as gets the stale virStoragePool object
associated with the "images_dir3" name. But this object has the old UUID.
This commit ensures that all get_nonnull_* and make_nonnull_* calls for
libvirt objects are matched properly with vir*Free calls. This fixes the
reference leaks and the reported problem.
All remoteDispatch*IsActive and remoteDispatch*IsPersistent functions were
affected. But also remoteDispatchDomainMigrateFinish2 was affected in the
success path. I wonder why that didn't surface earlier. Probably because
domainMigrateFinish2 is executed on the destination host and in the common
case this connection is opened especially for the migration and gets closed
after the migration is done. So there was no chance to run into a problem
because of the leaked reference.
---
daemon/remote.c | 18 +++++++++++++++++-
1 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/daemon/remote.c b/daemon/remote.c
index c54565c..1fa0f24 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -979,9 +979,10 @@ remoteDispatchDomainMemoryStats (struct qemud_server *server ATTRIBUTE_UNUSED,
/* Allocate stats array for making dispatch call */
if (VIR_ALLOC_N(stats, args->maxStats) < 0) {
+ virDomainFree (dom);
remoteDispatchOOMError(rerr);
return -1;
- }
+ }
nr_stats = virDomainMemoryStats (dom, stats, args->maxStats, 0);
virDomainFree (dom);
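Review bot: the "- }" / "+ }" pair after the OOM branch is a whitespace-only change riding along with the leak fix; either drop it or mention it in the commit message so the hunk reads as just the added virDomainFree (dom).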
@@ -1885,6 +1886,7 @@ remoteDispatchDomainMigrateFinish2 (struct qemud_server *server ATTRIBUTE_UNUSED
}
make_nonnull_domain (&ret->ddom, ddom);
+ virDomainFree (ddom);
return 0;
}
@@ -5570,10 +5572,12 @@ static int remoteDispatchDomainIsActive(struct qemud_server *server ATTRIBUTE_UN
ret->active = virDomainIsActive(domain);
if (ret->active < 0) {
+ virDomainFree(domain);
remoteDispatchConnError(err, conn);
return -1;
}
+ virDomainFree(domain);
return 0;
}
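Review bot: virDomainFree(domain) is now written twice in remoteDispatchDomainIsActive, once per exit; calling it once immediately after virDomainIsActive() and before the ret->active < 0 test, the way remoteDispatchDomainMemoryStats frees dom right after virDomainMemoryStats(), removes the chance of a later exit path forgetting it. The same shape applies to the other *IsActive and *IsPersistent dispatchers in the following hunks.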
@@ -5596,10 +5600,12 @@ static int remoteDispatchDomainIsPersistent(struct qemud_server *server ATTRIBUT
ret->persistent = virDomainIsPersistent(domain);
if (ret->persistent < 0) {
+ virDomainFree(domain);
remoteDispatchConnError(err, conn);
return -1;
}
+ virDomainFree(domain);
return 0;
}
@@ -5622,10 +5628,12 @@ static int remoteDispatchInterfaceIsActive(struct qemud_server *server ATTRIBUTE
ret->active = virInterfaceIsActive(iface);
if (ret->active < 0) {
+ virInterfaceFree(iface);
remoteDispatchConnError(err, conn);
return -1;
}
+ virInterfaceFree(iface);
return 0;
}
@@ -5648,10 +5656,12 @@ static int remoteDispatchNetworkIsActive(struct qemud_server *server ATTRIBUTE_U
ret->active = virNetworkIsActive(network);
if (ret->active < 0) {
+ virNetworkFree(network);
remoteDispatchConnError(err, conn);
return -1;
}
+ virNetworkFree(network);
return 0;
}
@@ -5674,10 +5684,12 @@ static int remoteDispatchNetworkIsPersistent(struct qemud_server *server ATTRIBU
ret->persistent = virNetworkIsPersistent(network);
if (ret->persistent < 0) {
+ virNetworkFree(network);
remoteDispatchConnError(err, conn);
return -1;
}
+ virNetworkFree(network);
return 0;
}
@@ -5700,10 +5712,12 @@ static int remoteDispatchStoragePoolIsActive(struct qemud_server *server ATTRIBU
ret->active = virStoragePoolIsActive(pool);
if (ret->active < 0) {
+ virStoragePoolFree(pool);
remoteDispatchConnError(err, conn);
return -1;
}
+ virStoragePoolFree(pool);
return 0;
}
@@ -5726,10 +5740,12 @@ static int remoteDispatchStoragePoolIsPersistent(struct qemud_server *server ATT
ret->persistent = virStoragePoolIsPersistent(pool);
if (ret->persistent < 0) {
+ virStoragePoolFree(pool);
remoteDispatchConnError(err, conn);
return -1;
}
+ virStoragePoolFree(pool);
return 0;
}
--
1.7.0.4
Hi pengphy,
http://libvirt.org/python.html
In addition, the source code provides some examples of the Python binding API
under the ./libvirt/python/tests/ directory:
# ls libvirt/python/tests/
basic.py create.py error.py Makefile.am node.py uuid.py
Regards,
Alex
----- Original Message -----
From: pengphy(a)hotmail.com
To: libvir-list(a)redhat.com
Sent: Thursday, June 17, 2010 3:18:08 PM GMT +08:00 Beijing / Chongqing / Hong Kong / Urumqi
Subject: [libvirt] libvirt-python apis
hi, all
I do not know how to use the libvirt Python APIs, and there seem to be no documents about that, so if anyone has documents or links about the Python APIs, please send them to me!
thanks!
Regards,
xpen
hi, all
I do not know how to use the libvirt Python APIs, and there seem to be no documents about that, so if anyone has documents or links about the Python APIs, please send them to me!
thanks!
Regards,
xpen
Thanks to Daniel and Balbir.
In fact, libvirt has just implemented the CPU scheduler controller for the QEMU driver now;
the following controllers are still not available for the QEMU driver at present:
1. Memory controller
2. CPU set controller
3. CPU accounting controller
4. Devices controller
5. Freezer controller
6. Network class controller
and the CPU scheduler and memory controllers are available for the LXC driver now; the above
2-6 haven't been implemented in the LXC driver by libvirt.
Best Regards,
Alex
----- Original Message -----
From: "Daniel P. Berrange" <berrange(a)redhat.com>
To: "Balbir Singh" <balbir(a)linux.vnet.ibm.com>
Cc: "Alex Jia" <ajia(a)redhat.com>, libvir-list(a)redhat.com
Sent: Monday, June 14, 2010 6:20:33 AM GMT -05:00 US/Canada Eastern
Subject: Re: [libvirt] About cgroup mechanism using in libvirt
On Mon, Jun 14, 2010 at 03:28:42PM +0530, Balbir Singh wrote:
> On Mon, Jun 14, 2010 at 3:10 PM, Daniel P. Berrange <berrange(a)redhat.com> wrote:
> > On Sat, Jun 12, 2010 at 07:23:33AM -0400, Alex Jia wrote:
> >> Hey Daniel,
> >> The cgroup mechanism has been integrated into libvirt for LXC and QEMU driver,
> >> and the LXC driver uses all of cgroup controllers except for net_cls and cpuset,
> >> while the QEMU driver only uses the cpu and devices controllers at present.
> >>
> >> From the user point of view, user can use some virsh commands to control some
> >> guest resources:
> >> 1. Using 'virsh schedinfo' command to get/set CPU scheduler priority for a guest
> >
> > QEMU + LXC use the cpu controller 'cpu_shares' tunable
> >
> >> 2. Using 'virsh vcpupin' command to control guest vcpu affinity
> >
> > QEMU pins the process directly, doesn't use cgroups. LXC hasn't
> > implemented this yet
> >
> >> 3. Using 'virsh setmem' command to change memory allocation
> >> 4. Using 'virsh setmaxmem' command to change maximum memory limit
> >
> > QEMU uses balloon driver. LXC uses cgroups memory controller
> >
>
> Not sure if I understand this, but the balloon driver and memory
> cgroups are not mutually exclusive. One could use both together and I
> would certainly like to see additional commands to support cgroups.
> What happens if a guest (like freebsd) does not support ballooning?
> Are you suggesting we'll not need cgroups at all with QEMU?
No, I was merely describing the current usage. Making use of cgroups to
enforce the limit is certainly a desirable RFE for the future.
> >> 5. Using 'virsh setvcpus' command to change number of virtual CPUs
> >
> > QEMU uses cpu hotplug. LXC hasn't implemented this.
> >
> >> I just make sure the above 1 using CPU scheduler controller, maybe 4 using Memory
> >> controller? and maybe 5 using CPU set controller? I am not sure.
> >>
>
> I think we'll some notion of soft limits as well, not sure if they can
> be encapsulated using the current set. We need memory shares for
> example to encapsulate them.
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
Trivial fix changing printf() calls to vshPrint() where the ctl
variable is available.
---
Haven't created a BZ for this yet, as I'm not sure it's important enough
to warrant pushing into anything other than git head.
Should a BZ be created anyway?
tools/virsh.c | 40 ++++++++++++++++++++--------------------
1 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index 07f2a1e..d8d2220 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -1620,25 +1620,25 @@ cmdSchedinfo(vshControl *ctl, const vshCmd *cmd)
for (i = 0; i < nparams; i++){
switch (params[i].type) {
case VIR_DOMAIN_SCHED_FIELD_INT:
- printf("%-15s: %d\n", params[i].field, params[i].value.i);
+ vshPrint(ctl, "%-15s: %d\n", params[i].field, params[i].value.i);
break;
case VIR_DOMAIN_SCHED_FIELD_UINT:
- printf("%-15s: %u\n", params[i].field, params[i].value.ui);
+ vshPrint(ctl, "%-15s: %u\n", params[i].field, params[i].value.ui);
break;
case VIR_DOMAIN_SCHED_FIELD_LLONG:
- printf("%-15s: %lld\n", params[i].field, params[i].value.l);
+ vshPrint(ctl, "%-15s: %lld\n", params[i].field, params[i].value.l);
break;
case VIR_DOMAIN_SCHED_FIELD_ULLONG:
- printf("%-15s: %llu\n", params[i].field, params[i].value.ul);
+ vshPrint(ctl, "%-15s: %llu\n", params[i].field, params[i].value.ul);
break;
case VIR_DOMAIN_SCHED_FIELD_DOUBLE:
- printf("%-15s: %f\n", params[i].field, params[i].value.d);
+ vshPrint(ctl, "%-15s: %f\n", params[i].field, params[i].value.d);
break;
case VIR_DOMAIN_SCHED_FIELD_BOOLEAN:
- printf("%-15s: %d\n", params[i].field, params[i].value.b);
+ vshPrint(ctl, "%-15s: %d\n", params[i].field, params[i].value.b);
break;
default:
- printf("not implemented scheduler parameter type\n");
+ vshPrint(ctl, "not implemented scheduler parameter type\n");
}
}
}
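Review bot: in the default: branch of cmdSchedinfo the message "not implemented scheduler parameter type\n" is still an untranslated literal; since the line is being touched anyway, wrap it in _() as the vshError() call in cmdSecretGetValue does, and consider vshError() for it, since it reports a failure rather than data.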
@@ -2654,7 +2654,7 @@ cmdDumpXML(vshControl *ctl, const vshCmd *cmd)
dump = virDomainGetXMLDesc(dom, flags);
if (dump != NULL) {
- printf("%s", dump);
+ vshPrint(ctl, "%s", dump);
VIR_FREE(dump);
} else {
ret = FALSE;
@@ -2700,7 +2700,7 @@ cmdDomXMLFromNative(vshControl *ctl, const vshCmd *cmd)
xmlData = virConnectDomainXMLFromNative(ctl->conn, format, configData, flags);
if (xmlData != NULL) {
- printf("%s", xmlData);
+ vshPrint(ctl, "%s", xmlData);
VIR_FREE(xmlData);
} else {
ret = FALSE;
@@ -2745,7 +2745,7 @@ cmdDomXMLToNative(vshControl *ctl, const vshCmd *cmd)
configData = virConnectDomainXMLToNative(ctl->conn, format, xmlData, flags);
if (configData != NULL) {
- printf("%s", configData);
+ vshPrint(ctl, "%s", configData);
VIR_FREE(configData);
} else {
ret = FALSE;
@@ -3217,7 +3217,7 @@ cmdNetworkDumpXML(vshControl *ctl, const vshCmd *cmd)
dump = virNetworkGetXMLDesc(network, 0);
if (dump != NULL) {
- printf("%s", dump);
+ vshPrint(ctl, "%s", dump);
VIR_FREE(dump);
} else {
ret = FALSE;
@@ -3806,7 +3806,7 @@ cmdInterfaceDumpXML(vshControl *ctl, const vshCmd *cmd)
dump = virInterfaceGetXMLDesc(iface, flags);
if (dump != NULL) {
- printf("%s", dump);
+ vshPrint(ctl, "%s", dump);
VIR_FREE(dump);
} else {
ret = FALSE;
@@ -4094,7 +4094,7 @@ cmdNWFilterDumpXML(vshControl *ctl, const vshCmd *cmd)
dump = virNWFilterGetXMLDesc(nwfilter, 0);
if (dump != NULL) {
- printf("%s", dump);
+ vshPrint(ctl, "%s", dump);
VIR_FREE(dump);
} else {
ret = FALSE;
@@ -4566,7 +4566,7 @@ cmdPoolCreateAs(vshControl *ctl, const vshCmd *cmd)
return FALSE;
if (printXML) {
- printf("%s", xml);
+ vshPrint(ctl, "%s", xml);
VIR_FREE(xml);
} else {
pool = virStoragePoolCreateXML(ctl->conn, xml, 0);
@@ -4655,7 +4655,7 @@ cmdPoolDefineAs(vshControl *ctl, const vshCmd *cmd)
return FALSE;
if (printXML) {
- printf("%s", xml);
+ vshPrint(ctl, "%s", xml);
VIR_FREE(xml);
} else {
pool = virStoragePoolDefineXML(ctl->conn, xml, 0);
@@ -4859,7 +4859,7 @@ cmdPoolDumpXML(vshControl *ctl, const vshCmd *cmd)
dump = virStoragePoolGetXMLDesc(pool, 0);
if (dump != NULL) {
- printf("%s", dump);
+ vshPrint(ctl, "%s", dump);
VIR_FREE(dump);
} else {
ret = FALSE;
@@ -5925,7 +5925,7 @@ cmdVolDumpXML(vshControl *ctl, const vshCmd *cmd)
dump = virStorageVolGetXMLDesc(vol, 0);
if (dump != NULL) {
- printf("%s", dump);
+ vshPrint(ctl, "%s", dump);
VIR_FREE(dump);
} else {
ret = FALSE;
@@ -6240,7 +6240,7 @@ cmdSecretDumpXML(vshControl *ctl, const vshCmd *cmd)
xml = virSecretGetXMLDesc(secret, 0);
if (xml == NULL)
goto cleanup;
- printf("%s", xml);
+ vshPrint(ctl, "%s", xml);
VIR_FREE(xml);
ret = TRUE;
@@ -6350,7 +6350,7 @@ cmdSecretGetValue(vshControl *ctl, const vshCmd *cmd)
vshError(ctl, "%s", _("Failed to allocate memory"));
goto cleanup;
}
- printf("%s", base64);
+ vshPrint(ctl, "%s", base64);
memset(base64, 0, strlen(base64));
VIR_FREE(base64);
ret = TRUE;
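Review bot: in cmdSecretGetValue the line after the changed call scrubs base64 with memset() before freeing it, so the value is meant not to linger in memory; sending it through vshPrint() is only safe if vshPrint() neither keeps a formatted copy around nor writes to a log. Please confirm that, or keep the direct printf() for this one call and say why in a comment.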
@@ -8681,7 +8681,7 @@ cmdSnapshotDumpXML(vshControl *ctl, const vshCmd *cmd)
if (!xml)
goto cleanup;
- printf("%s", xml);
+ vshPrint(ctl, "%s", xml);
ret = TRUE;
--
1.7.0.1
17 Jun '10
The following patch enables the iptables match target to be used by
default for incoming traffic. So far it has only been used for outgoing
traffic.
Signed-off-by: Stefan Berger
---
src/nwfilter/nwfilter_ebiptables_driver.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1488,18 +1488,25 @@ iptablesCreateRuleInstance(virNWFilterDe
char chainPrefix[2];
int needState = 1;
bool maySkipICMP, inout = false;
+ const char *matchState;
if ((rule->tt == VIR_NWFILTER_RULE_DIRECTION_IN) ||
(rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT)) {
directionIn = 1;
- needState = 0;
inout = (rule->tt == VIR_NWFILTER_RULE_DIRECTION_INOUT);
+ if (inout)
+ needState = 0;
}
chainPrefix[0] = 'F';
maySkipICMP = directionIn || inout;
+ if (needState)
+ matchState = directionIn ? MATCH_STATE_IN : MATCH_STATE_OUT;
+ else
+ matchState = NULL;
+
chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
rc = _iptablesCreateRuleInstance(directionIn,
chainPrefix,
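Review bot: needState is now cleared only for VIR_NWFILTER_RULE_DIRECTION_INOUT, so every existing rule with direction IN silently gains a MATCH_STATE_IN match; that is a behaviour change for filters already deployed and deserves a sentence in the nwfilter documentation plus a test showing the generated rule for an incoming-only filter.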
@@ -1508,8 +1515,7 @@ iptablesCreateRuleInstance(virNWFilterDe
ifname,
vars,
res,
- needState ? MATCH_STATE_OUT
- : NULL,
+ matchState,
"RETURN",
isIPv6,
maySkipICMP);
@@ -1518,6 +1524,10 @@ iptablesCreateRuleInstance(virNWFilterDe
maySkipICMP = !directionIn || inout;
+ if (needState)
+ matchState = directionIn ? MATCH_STATE_OUT : MATCH_STATE_IN;
+ else
+ matchState = NULL;
chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
rc = _iptablesCreateRuleInstance(!directionIn,
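Review bot: this second matchState assignment is the first one with MATCH_STATE_IN and MATCH_STATE_OUT swapped, and nothing next to it says why the CHAINPREFIX_HOST_OUT_TEMP chain takes the opposite state; a short comment above each assignment, or a small helper taking the direction, would make the mirroring deliberate rather than easy to get backwards in a later edit.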
@@ -1527,8 +1537,7 @@ iptablesCreateRuleInstance(virNWFilterDe
ifname,
vars,
res,
- needState ? MATCH_STATE_IN
- : NULL,
+ matchState,
"ACCEPT",
isIPv6,
maySkipICMP);
17 Jun '10
Improves the help text for vol-path, vol-name, and vol-key, which
previously referred to volume UUIDs.
Addresses BZ # 598365.
---
tools/virsh.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index 7d8ae0e..8c9ae83 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -6011,13 +6011,13 @@ cmdVolList(vshControl *ctl, const vshCmd *cmd ATTRIBUTE_UNUSED)
* "vol-name" command
*/
static const vshCmdInfo info_vol_name[] = {
- {"help", N_("convert a vol UUID to vol name")},
+ {"help", N_("returns the volume name for a given volume key or path")},
{"desc", ""},
{NULL, NULL}
};
static const vshCmdOptDef opts_vol_name[] = {
- {"vol", VSH_OT_DATA, VSH_OFLAG_REQ, N_("vol key or path")},
+ {"vol", VSH_OT_DATA, VSH_OFLAG_REQ, N_("volume key or path")},
{NULL, 0, 0, NULL}
};
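Review bot: the new help string starts with "returns ...", while the string it replaces ("convert a vol UUID to vol name") uses the bare imperative; "return the volume name for a given volume key or path" keeps virsh help output uniform. Only tools/virsh.c is in the diffstat, so check whether the man page still describes these commands in terms of UUIDs.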
@@ -6098,7 +6098,7 @@ static const vshCmdInfo info_vol_key[] = {
static const vshCmdOptDef opts_vol_key[] = {
{"pool", VSH_OT_STRING, 0, N_("pool name or uuid")},
- {"vol", VSH_OT_DATA, VSH_OFLAG_REQ, N_("vol uuid")},
+ {"vol", VSH_OT_DATA, VSH_OFLAG_REQ, N_("volume name or path")},
{NULL, 0, 0, NULL}
};
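Review bot: only the "vol" option text changes for vol-key; the commit message says the vol-key help referred to UUIDs as well, but the "help" entry of info_vol_key is outside this hunk and untouched, so confirm it does not need the same rewording.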
@@ -6124,14 +6124,14 @@ cmdVolKey(vshControl *ctl, const vshCmd *cmd)
* "vol-path" command
*/
static const vshCmdInfo info_vol_path[] = {
- {"help", N_("convert a vol UUID to vol path")},
+ {"help", N_("returns the volume path for a given volume name or key")},
{"desc", ""},
{NULL, NULL}
};
static const vshCmdOptDef opts_vol_path[] = {
{"pool", VSH_OT_STRING, 0, N_("pool name or uuid")},
- {"vol", VSH_OT_DATA, VSH_OFLAG_REQ, N_("vol name or key")},
+ {"vol", VSH_OT_DATA, VSH_OFLAG_REQ, N_("volume name or key")},
{NULL, 0, 0, NULL}
};
--
1.7.0.1
Commit b9efc7dc3b97ef667ab99cee884b8485ebcb2f91 made virFileHasSuffix
case insensitive. Honor this in the tests by switching vmdk to VMDK.
---
tests/vmx2xmldata/vmx2xml-case-insensitive-1.vmx | 2 +-
tests/vmx2xmldata/vmx2xml-case-insensitive-1.xml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/vmx2xmldata/vmx2xml-case-insensitive-1.vmx b/tests/vmx2xmldata/vmx2xml-case-insensitive-1.vmx
index 3626c5e..bd36cf8 100644
--- a/tests/vmx2xmldata/vmx2xml-case-insensitive-1.vmx
+++ b/tests/vmx2xmldata/vmx2xml-case-insensitive-1.vmx
@@ -18,7 +18,7 @@ SCSI0.SHAREDBUS = "NONE"
SCSI0.VIRTUALDEV = "LSILOGIC"
MEMSIZE = "1024"
SCSI0:0.PRESENT = "TRUE"
-SCSI0:0.FILENAME = "FEDORA11.vmdk"
+SCSI0:0.FILENAME = "FEDORA11.VMDK"
SCSI0:0.DEVICETYPE = "SCSI-HARDDISK"
IDE0:0.PRESENT = "TRUE"
IDE0:0.CLIENTDEVICE = "TRUE"
diff --git a/tests/vmx2xmldata/vmx2xml-case-insensitive-1.xml b/tests/vmx2xmldata/vmx2xml-case-insensitive-1.xml
index 0be570f..3131bb2 100644
--- a/tests/vmx2xmldata/vmx2xml-case-insensitive-1.xml
+++ b/tests/vmx2xmldata/vmx2xml-case-insensitive-1.xml
@@ -14,7 +14,7 @@
<devices>
<disk type='file' device='disk'>
<driver name='LSILOGIC'/>
- <source file='[datastore] directory/FEDORA11.vmdk'/>
+ <source file='[datastore] directory/FEDORA11.VMDK'/>
<target dev='sda' bus='scsi'/>
</disk>
<interface type='bridge'>
--
1.7.0.4
[libvirt] [PATCH] esx: Accept 'disk' as harddisk device type in .vmx files
by Matthias Bolte 17 Jun '10
---
src/esx/esx_vmx.c | 12 ++++++++----
1 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/esx/esx_vmx.c b/src/esx/esx_vmx.c
index 5cadb5a..675318f 100644
--- a/src/esx/esx_vmx.c
+++ b/src/esx/esx_vmx.c
@@ -1542,16 +1542,20 @@ esxVMX_ParseDisk(esxVI_Context *ctx, virConfPtr conf, int device, int bus,
if (virFileHasSuffix(fileName, ".vmdk")) {
if (deviceType != NULL) {
if (bus == VIR_DOMAIN_DISK_BUS_SCSI &&
- STRCASENEQ(deviceType, "scsi-hardDisk")) {
+ STRCASENEQ(deviceType, "scsi-hardDisk") &&
+ STRCASENEQ(deviceType, "disk")) {
ESX_ERROR(VIR_ERR_INTERNAL_ERROR,
_("Expecting VMX entry '%s' to be 'scsi-hardDisk' "
- "but found '%s'"), deviceType_name, deviceType);
+ "or 'disk' but found '%s'"), deviceType_name,
+ deviceType);
goto cleanup;
} else if (bus == VIR_DOMAIN_DISK_BUS_IDE &&
- STRCASENEQ(deviceType, "ata-hardDisk")) {
+ STRCASENEQ(deviceType, "ata-hardDisk") &&
+ STRCASENEQ(deviceType, "disk")) {
ESX_ERROR(VIR_ERR_INTERNAL_ERROR,
_("Expecting VMX entry '%s' to be 'ata-hardDisk' "
- "but found '%s'"), deviceType_name, deviceType);
+ "or 'disk' but found '%s'"), deviceType_name,
+ deviceType);
goto cleanup;
}
}
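Review bot: 'disk' is now accepted in both the SCSI and the IDE branch of esxVMX_ParseDisk, but the patch has no commit message body and, per the diffstat, no test; add a vmx2xml test file whose deviceType is "disk" and say in the commit message where that value comes from. The two conditions differ only in the expected string, so a small helper would avoid the duplicated STRCASENEQ pair and error text.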
--
1.7.0.4
Following Daniel Berrange's suggestion of introducing another driver
interface, I now wrote the below patch where the nwfilter driver
registers the functions to instantiate and teardown the nwfilters with a
function in conf/domain_nwfilter.c called virDomainConfNWFilterRegister.
Previous helper functions that were called from qemu_driver.c and
qemu_conf.c were moved into conf/domain_nwfilter.h with slight renaming
done for consistency. Those functions now call the function exported by
domain_nwfilter.c, which in turn calls the functions of the new driver
interface, if available.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
src/Makefile.am | 3 -
src/conf/domain_nwfilter.c | 51 ++++++++++++++++++++++++
src/conf/domain_nwfilter.h | 68 +++++++++++++++++++++++++++++++++
src/libvirt_private.syms | 5 ++
src/nwfilter/nwfilter_driver.c | 22 ++++++++++
src/nwfilter/nwfilter_gentech_driver.h | 17 --------
src/qemu/qemu_conf.c | 11 ++---
src/qemu/qemu_driver.c | 2
8 files changed, 155 insertions(+), 24 deletions(-)
Index: libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_gentech_driver.h
+++ libvirt-acl/src/nwfilter/nwfilter_gentech_driver.h
@@ -67,21 +67,4 @@ void virNWFilterDomainFWUpdateCB(void *p
const char *name ATTRIBUTE_UNUSED,
void *data);
-
-/* tear down an interface's filter before tearing down the interface */
-static inline void
-virNWFilterTearNWFilter(virDomainNetDefPtr net) {
- if ((net->filter) && (net->ifname))
- virNWFilterTeardownFilter(net);
-}
-
-
-static inline void
-virNWFilterTearVMNWFilters(virDomainObjPtr vm) {
- int i;
-
- for (i = 0; i < vm->def->nnets; i++)
- virNWFilterTearNWFilter(vm->def->nets[i]);
-}
-
#endif
Index: libvirt-acl/src/qemu/qemu_conf.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_conf.c
+++ libvirt-acl/src/qemu/qemu_conf.c
@@ -54,7 +54,7 @@
#include "network.h"
#include "macvtap.h"
#include "cpu/cpu.h"
-#include "nwfilter/nwfilter_gentech_driver.h"
+#include "domain_nwfilter.h"
#define VIR_FROM_THIS VIR_FROM_QEMU
@@ -1514,9 +1514,10 @@ int qemudExtractVersion(struct qemud_dri
/**
* qemudPhysIfaceConnect:
* @conn: pointer to virConnect object
+ * @driver: pointer to the qemud_driver
* @net: pointer to he VM's interface description with direct device type
- * @linkdev: The name of the physical interface to link the macvtap to
- * @brmode: The mode to put the macvtap device into
+ * @qemuCmdFlags: flags for qemu
+ * @vmuuid: The UUID of the VM (needed by 802.1Qbh)
*
* Returns a filedescriptor on success or -1 in case of error.
*/
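Review bot: the parameter list in the qemudPhysIfaceConnect comment is rewritten here (@driver, @qemuCmdFlags and @vmuuid in, @linkdev and @brmode out), which has nothing to do with moving the nwfilter helpers; split it into its own patch, and fix "pointer to he VM's" in the @net line at the same time.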
@@ -1555,7 +1556,7 @@ qemudPhysIfaceConnect(virConnectPtr conn
if (rc >= 0) {
if ((net->filter) && (net->ifname)) {
- err = virNWFilterInstantiateFilter(conn, net);
+ err = virNWFilterInstantiateNWFilter(conn, net);
if (err) {
close(rc);
rc = -1;
@@ -1688,7 +1689,7 @@ qemudNetworkIfaceConnect(virConnectPtr c
if (tapfd >= 0) {
if ((net->filter) && (net->ifname)) {
- err = virNWFilterInstantiateFilter(conn, net);
+ err = virNWFilterInstantiateNWFilter(conn, net);
if (err) {
close(tapfd);
tapfd = -1;
Index: libvirt-acl/src/qemu/qemu_driver.c
===================================================================
--- libvirt-acl.orig/src/qemu/qemu_driver.c
+++ libvirt-acl/src/qemu/qemu_driver.c
@@ -81,7 +81,7 @@
#include "xml.h"
#include "cpu/cpu.h"
#include "macvtap.h"
-#include "nwfilter/nwfilter_gentech_driver.h"
+#include "domain_nwfilter.h"
#include "hooks.h"
#include "storage_file.h"
Index: libvirt-acl/src/Makefile.am
===================================================================
--- libvirt-acl.orig/src/Makefile.am
+++ libvirt-acl/src/Makefile.am
@@ -97,7 +97,8 @@ DRIVER_SOURCES = \
# Domain driver generic impl APIs
DOMAIN_CONF_SOURCES = \
conf/capabilities.c conf/capabilities.h \
- conf/domain_conf.c conf/domain_conf.h
+ conf/domain_conf.c conf/domain_conf.h \
+ conf/domain_nwfilter.c conf/domain_nwfilter.h
DOMAIN_EVENT_SOURCES = \
conf/domain_event.c conf/domain_event.h
Index: libvirt-acl/src/conf/domain_nwfilter.h
===================================================================
--- /dev/null
+++ libvirt-acl/src/conf/domain_nwfilter.h
@@ -0,0 +1,68 @@
+/*
+ * domain_nwfilter.h:
+ *
+ * Copyright (C) 2010 IBM Corporation
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Author: Stefan Berger <stefanb(a)us.ibm.com>
+ */
+#ifndef DOMAIN_NWFILTER_H
+# define DOMAIN_NWFILTER_H
+
+typedef int (*virDomainConfInstantiateNWFilter)(virConnectPtr conn,
+ virDomainNetDefPtr net);
+typedef void (*virDomainConfTeardownNWFilter)(virDomainNetDefPtr net);
+
+typedef struct {
+ virDomainConfInstantiateNWFilter instantiateFilter;
+ virDomainConfTeardownNWFilter teardownFilter;
+} virDomainConfNWFilterDriver;
+typedef virDomainConfNWFilterDriver *virDomainConfNWFilterDriverPtr;
+
+void virDomainConfNWFilterRegister(virDomainConfNWFilterDriverPtr driver);
+
+int virDomainConfNWFilterInstantiate(virConnectPtr conn,
+ virDomainNetDefPtr net);
+void virDomainConfNWFilterTeardown(virDomainNetDefPtr net);
+
+
+/* helper functions */
+
+static inline
+int virNWFilterInstantiateNWFilter(virConnectPtr conn,
+ const virDomainNetDefPtr net)
+{
+ return virDomainConfNWFilterInstantiate(conn, net);
+}
+
+/* tear down an interface's filter before tearing down the interface */
+static inline void
+virNWFilterTearNWFilter(virDomainNetDefPtr net) {
+ if ((net->filter) && (net->ifname))
+ virDomainConfNWFilterTeardown(net);
+}
+
+
+static inline void
+virNWFilterTearVMNWFilters(virDomainObjPtr vm) {
+ int i;
+
+ for (i = 0; i < vm->def->nnets; i++)
+ virNWFilterTearNWFilter(vm->def->nets[i]);
+}
+
+#endif /* DOMAIN_NWFILTER_H */
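Review bot: domain_nwfilter.h uses virConnectPtr, virDomainNetDefPtr and virDomainObjPtr but includes nothing, so it compiles only when the includer has already pulled in the right headers; include what it needs. In virNWFilterInstantiateNWFilter, const virDomainNetDefPtr makes the pointer const rather than the definition it points to, and the value is then passed to a function taking a plain virDomainNetDefPtr, so the qualifier can go.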
Index: libvirt-acl/src/conf/domain_nwfilter.c
===================================================================
--- /dev/null
+++ libvirt-acl/src/conf/domain_nwfilter.c
@@ -0,0 +1,51 @@
+/*
+ * domain_nwfilter.c:
+ *
+ * Copyright (C) 2010 IBM Corporation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Author: Stefan Berger <stefanb(a)us.ibm.com>
+ */
+
+#include <config.h>
+
+#include "internal.h"
+
+#include "datatypes.h"
+#include "domain_conf.h"
+#include "domain_nwfilter.h"
+
+static virDomainConfNWFilterDriverPtr nwfilterDriver;
+
+void
+virDomainConfNWFilterRegister(virDomainConfNWFilterDriverPtr driver) {
+ nwfilterDriver = driver;
+}
+
+int
+virDomainConfNWFilterInstantiate(virConnectPtr conn,
+ virDomainNetDefPtr net) {
+ if (nwfilterDriver)
+ return nwfilterDriver->instantiateFilter(conn, net);
+ /* driver module not available -- don't indicate failure */
+ return 0;
+}
+
+void
+virDomainConfNWFilterTeardown(virDomainNetDefPtr net) {
+ if (nwfilterDriver)
+ nwfilterDriver->teardownFilter(net);
+}
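Review bot: virDomainConfNWFilterInstantiate() returns 0 when no driver has registered, and the qemu callers in this patch only reach it when net->filter and net->ifname are set, so a guest whose interface names a filter starts with no filtering and no error. Fail closed: report an error, or at the very least log a warning, when a filter was requested and nwfilterDriver is NULL. virDomainConfNWFilterRegister() also stores the pointer with no counterpart to clear it again.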
Index: libvirt-acl/src/libvirt_private.syms
===================================================================
--- libvirt-acl.orig/src/libvirt_private.syms
+++ libvirt-acl/src/libvirt_private.syms
@@ -264,6 +264,11 @@ virDomainEventDispatchDefaultFunc;
virDomainEventDispatch;
virDomainEventQueueDispatch;
+# domain_nwfilter.h
+virDomainConfNWFilterRegister;
+virDomainConfNWFilterInstantiate;
+virDomainConfNWFilterTeardown;
+
# ebtables.h
ebtablesAddForwardAllowIn;
Index: libvirt-acl/src/nwfilter/nwfilter_driver.c
===================================================================
--- libvirt-acl.orig/src/nwfilter/nwfilter_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_driver.c
@@ -33,6 +33,7 @@
#include "datatypes.h"
#include "memory.h"
#include "domain_conf.h"
+#include "domain_nwfilter.h"
#include "nwfilter_driver.h"
#include "nwfilter_gentech_driver.h"
@@ -410,6 +411,19 @@ cleanup:
}
+static int
+nwfilterInstantiateFilter(virConnectPtr conn,
+ virDomainNetDefPtr net) {
+ return virNWFilterInstantiateFilter(conn, net);
+}
+
+
+static void
+nwfilterTeardownFilter(virDomainNetDefPtr net) {
+ virNWFilterTeardownFilter(net);
+}
+
+
static virNWFilterDriver nwfilterDriver = {
.name = "nwfilter",
.open = nwfilterOpen,
@@ -432,8 +446,16 @@ static virStateDriver stateDriver = {
.active = nwfilterDriverActive,
};
+
+static virDomainConfNWFilterDriver domainNWFilterDriver = {
+ .instantiateFilter = nwfilterInstantiateFilter,
+ .teardownFilter = nwfilterTeardownFilter,
+};
+
+
int nwfilterRegister(void) {
virRegisterNWFilterDriver(&nwfilterDriver);
virRegisterStateDriver(&stateDriver);
+ virDomainConfNWFilterRegister(&domainNWFilterDriver);
return 0;
}
16 Jun '10
This patch adds a new --details option to the virsh pool-list
command, making its output more useful to people who use virsh
for significant lengths of time.
---
Output from the new option (hopefully this doesn't wrap):
virsh # pool-list
Name                 State      Autostart
-----------------------------------------
default              active     yes
image_dir            active     yes
virsh # pool-list --all
Name                 State      Autostart
-----------------------------------------
default              active     yes
image_dir            active     yes
tmp                  inactive   no
virsh # pool-list --details
Name                 State      Autostart  Persistent  Capacity  Allocation  Available
--------------------------------------------------------------------------------------
default              running    yes        yes         1.79 TB   1.47 TB     326.02 GB
image_dir            running    yes        yes         1.79 TB   1.47 TB     326.02 GB
virsh # pool-list --all --details
Name                 State      Autostart  Persistent  Capacity  Allocation  Available
--------------------------------------------------------------------------------------
default              running    yes        yes         1.79 TB   1.47 TB     326.02 GB
image_dir            running    yes        yes         1.79 TB   1.47 TB     326.02 GB
tmp                  inactive   no         yes         -         -           -
virsh #
Much more practical than running pool-info individually on each pool.
tools/virsh.c | 130 ++++++++++++++++++++++++++++++++++++++++++++++++------
tools/virsh.pod | 6 ++-
2 files changed, 119 insertions(+), 17 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index d8d2220..afa84e6 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -4882,14 +4882,17 @@ static const vshCmdInfo info_pool_list[] = {
static const vshCmdOptDef opts_pool_list[] = {
{"inactive", VSH_OT_BOOL, 0, N_("list inactive pools")},
{"all", VSH_OT_BOOL, 0, N_("list inactive & active pools")},
+ {"details", VSH_OT_BOOL, 0, N_("display extended details for pools")},
{NULL, 0, 0, NULL}
};
static int
cmdPoolList(vshControl *ctl, const vshCmd *cmd ATTRIBUTE_UNUSED)
{
+ virStoragePoolInfo info;
int inactive = vshCommandOptBool(cmd, "inactive");
int all = vshCommandOptBool(cmd, "all");
+ int details = vshCommandOptBool(cmd, "details");
int active = !inactive || all ? 1 : 0;
int maxactive = 0, maxinactive = 0, i;
char **activeNames = NULL, **inactiveNames = NULL;
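Review bot: the new "virStoragePoolInfo info;" is declared uninitialised at the top of cmdPoolList although it is only meaningful on the --details path; declare it inside the block that calls virStoragePoolGetInfo so a value left over from a previous pool cannot be read by mistake. The signature also still marks cmd as ATTRIBUTE_UNUSED even though cmd is passed to vshCommandOptBool three times here, so this is a good moment to drop the annotation.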
@@ -4937,36 +4940,114 @@ cmdPoolList(vshControl *ctl, const vshCmd *cmd ATTRIBUTE_UNUSED)
qsort(&inactiveNames[0], maxinactive, sizeof(char*), namesorter);
}
}
- vshPrintExtra(ctl, "%-20s %-10s %-10s\n", _("Name"), _("State"), _("Autostart"));
- vshPrintExtra(ctl, "-----------------------------------------\n");
+
+ /* Display the appropriate heading */
+ if (details) {
+ vshPrintExtra(ctl, "%-20s %-10s %-10s %-11s %-9s %-11s %-10s\n",
+ _("Name"), _("State"), _("Autostart"), _("Persistent"),
+ _("Capacity"), _("Allocation"), _("Available"));
+ vshPrintExtra(ctl,
+ "--------------------------------------------------------------------------------------\n");
+ } else {
+ vshPrintExtra(ctl, "%-20s %-10s %-10s\n", _("Name"), _("State"),
+ _("Autostart"));
+ vshPrintExtra(ctl, "-----------------------------------------\n");
+ }
for (i = 0; i < maxactive; i++) {
- virStoragePoolPtr pool = virStoragePoolLookupByName(ctl->conn, activeNames[i]);
- const char *autostartStr;
- int autostart = 0;
+ const char *autostartStr, *persistentStr, *stateStr = NULL;
+ int autostart = 0, persistent = 0;
/* this kind of work with pools is not atomic operation */
+ virStoragePoolPtr pool = virStoragePoolLookupByName(ctl->conn, activeNames[i]);
if (!pool) {
VIR_FREE(activeNames[i]);
continue;
}
+ /* Retrieve the pool autostart status */
if (virStoragePoolGetAutostart(pool, &autostart) < 0)
autostartStr = _("no autostart");
else
autostartStr = autostart ? _("yes") : _("no");
- vshPrint(ctl, "%-20s %-10s %-10s\n",
- virStoragePoolGetName(pool),
- _("active"),
- autostartStr);
+ /* If requested, collect the extended information for this pool */
+ if (details) {
+ if (virStoragePoolGetInfo(pool, &info) != 0) {
+ vshError(ctl, "%s", _("Could not retrieve pool information"));
+ VIR_FREE(activeNames[i]);
+ continue;
+ }
+
+ /* Decide which state string to display */
+ switch (info.state) {
+ case VIR_STORAGE_POOL_INACTIVE:
+ stateStr = _("inactive");
+ break;
+ case VIR_STORAGE_POOL_BUILDING:
+ stateStr = _("building");
+ break;
+ case VIR_STORAGE_POOL_RUNNING:
+ stateStr = _("running");
+ break;
+ case VIR_STORAGE_POOL_DEGRADED:
+ stateStr = _("degraded");
+ break;
+ case VIR_STORAGE_POOL_INACCESSIBLE:
+ stateStr = _("inaccessible");
+ break;
+ }
+
+ /* Check if the pool is persistent or not */
+ persistent = virStoragePoolIsPersistent(pool);
+ vshDebug(ctl, 5, "Persistent flag value: %d\n", persistent);
+ if (persistent < 0)
+ persistentStr = _("unknown");
+ else
+ persistentStr = persistent ? _("yes") : _("no");
+
+ /* Display all information for this pool */
+ vshPrint(ctl, "%-20s %-10s %-10s %-11s",
+ virStoragePoolGetName(pool),
+ stateStr,
+ autostartStr,
+ persistentStr);
+
+ /* Display the capacity related quantities */
+ if (info.state == VIR_STORAGE_POOL_RUNNING ||
+ info.state == VIR_STORAGE_POOL_DEGRADED) {
+ double val;
+ const char *unit;
+ virBuffer infoBufStr = VIR_BUFFER_INITIALIZER;
+
+ val = prettyCapacity(info.capacity, &unit);
+ virBufferVSprintf(&infoBufStr, "%.2lf %s", val, unit);
+ vshPrint(ctl, " %-9s", virBufferContentAndReset(&infoBufStr));
+
+ val = prettyCapacity(info.allocation, &unit);
+ virBufferVSprintf(&infoBufStr, "%.2lf %s", val, unit);
+ vshPrint(ctl, " %-11s", virBufferContentAndReset(&infoBufStr));
+
+ val = prettyCapacity(info.available, &unit);
+ virBufferVSprintf(&infoBufStr, "%.2lf %s", val, unit);
+ vshPrint(ctl, " %-10s\n", virBufferContentAndReset(&infoBufStr));
+ } else
+ vshPrint(ctl, " %-9s %-11s %-10s\n", "-", "-", "-");
+ } else {
+ /* Display basic information pool information */
+ vshPrint(ctl, "%-20s %-10s %-10s\n",
+ virStoragePoolGetName(pool),
+ _("active"),
+ autostartStr);
+ }
+
virStoragePoolFree(pool);
VIR_FREE(activeNames[i]);
}
for (i = 0; i < maxinactive; i++) {
virStoragePoolPtr pool = virStoragePoolLookupByName(ctl->conn, inactiveNames[i]);
- const char *autostartStr;
- int autostart = 0;
+ const char *autostartStr, *persistentStr;
+ int autostart = 0, persistent = 0;
/* this kind of work with pools is not atomic operation */
if (!pool) {
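Review bot: in the active-pool loop, the virStoragePoolGetInfo error path does VIR_FREE(activeNames[i]) and continue without calling virStoragePoolFree(pool), so the pool reference leaks whenever the lookup succeeds and the info call fails; free the pool before continuing. Two further points in the same block: stateStr starts as NULL and the switch on info.state has no default case, so an unexpected state value passes NULL to the %-10s conversion in vshPrint (add a default such as _("unknown")); and each virBufferContentAndReset(&infoBufStr) result is handed straight to vshPrint and never freed, leaking three strings per running pool, so keep it in a local, print it, then VIR_FREE it. The comment "Display basic information pool information" has a duplicated word.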
@@ -4979,10 +5060,29 @@ cmdPoolList(vshControl *ctl, const vshCmd *cmd ATTRIBUTE_UNUSED)
else
autostartStr = autostart ? _("yes") : _("no");
- vshPrint(ctl, "%-20s %-10s %-10s\n",
- inactiveNames[i],
- _("inactive"),
- autostartStr);
+ if (details) {
+ /* Check if the pool is persistent or not */
+ persistent = virStoragePoolIsPersistent(pool);
+ vshDebug(ctl, 5, "Persistent flag value: %d\n", persistent);
+ if (persistent < 0)
+ persistentStr = _("unknown");
+ else
+ persistentStr = persistent ? _("yes") : _("no");
+
+ /* Display detailed pool information */
+ vshPrint(ctl, "%-20s %-10s %-10s %-11s %-9s %-11s %-10s\n",
+ inactiveNames[i],
+ _("inactive"),
+ autostartStr,
+ persistentStr,
+ "-", "-", "-");
+ } else {
+ /* Display basic pool information */
+ vshPrint(ctl, "%-20s %-10s %-10s\n",
+ inactiveNames[i],
+ _("inactive"),
+ autostartStr);
+ }
virStoragePoolFree(pool);
VIR_FREE(inactiveNames[i]);
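Review bot: the persistent lookup (virStoragePoolIsPersistent, the vshDebug call, and the unknown/yes/no selection) is now copied verbatim in both the active and inactive loops; move it into a small static helper so the two paths cannot drift apart. In the details branch here the state is hard-coded to _("inactive") while the active loop takes it from info.state, so a short comment explaining why no virStoragePoolGetInfo call is made for these pools would help the next reader.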
diff --git a/tools/virsh.pod b/tools/virsh.pod
index b1917ee..cec07e3 100644
--- a/tools/virsh.pod
+++ b/tools/virsh.pod
@@ -732,11 +732,13 @@ variables, and defaults to C<vi>.
Returns basic information about the I<pool> object.
-=item B<pool-list> optional I<--inactive> I<--all>
+=item B<pool-list> optional I<--inactive> I<--all> I<--details>
List pool objects known to libvirt. By default, only pools in use by
active domains are listed; I<--inactive> lists just the inactive
-pools, and I<--all> lists all pools.
+pools, and I<--all> lists all pools. The I<--details> option instructs
+virsh to additionally display pool persistence and capacity related
+information where available.
=item B<pool-name> I<uuid>
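Review bot: the added text says --details shows persistence and capacity information but does not mention that it also changes the State column (the sample output shows "running" where the plain listing shows "active") or that pools without capacity data print "-". Both are worth a sentence here, since anyone parsing the output will otherwise be surprised.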
--
1.7.0.1
[libvirt] [PATCH 0/2] virsh: add new --details option flag to pool-list and vol-list
by Justin Clift 16 Jun '10
Hi all,
The following two patches add a new "--details" option flag to the virsh
pool-list and vol-list commands. (with virsh.pod entries too)
The reason for adding them, is that when using virsh for any length of
time it gets painful having to use pool-info and vol-info on (70+)
individual volumes, just to get basic info. :/
This shows the required info much more easily. :)
+ The first patch is for the pool-list command, and was pretty
straightforward.
+ The second patch is for the vol-list command, and was a pain due to
adding support for multi-line output when long path and name strings
were involved. (if there be dragons, they'd be here ;> )
Decent examples of the output from each command are in their email comments.
Open for suggestions and better ideas of course. :)
Regards and best wishes,
Justin Clift
--
Salasaga - Open Source eLearning IDE
http://www.salasaga.org