"Daniel P. Berrange" <berrange@redhat.com> wrote on 03/17/2010 10:40:36 AM:
On Thu, Mar 11, 2010 at 08:06:04AM -0500, Stefan Berger wrote:
Hi!
The following set of patches add network filtering (ACL) extensions to libvirt and enable network traffic filtering for VMs using ebtables
and,
depending on the networking technology being used (tap, but not macvtap), also iptables. Usage of either is optional and controlled through filters that a VM is referencing.
The ebtables-level filtering is based on the XML derived from the CIM network slide 10 (filtering) from the DMTF website (http://www.dmtf.org/standards/cim/cim_schema_v2230/CIM_Network.pdf). The XML we derived from this was discussed on the list before. On the ebtables level we currently handle filtering of IPv4 and ARP traffic.
It is planned to cover IPv6 too, either at ebtables or ip6tables level ?
Well, the code should be able to handle it and we at least thought about it. I am not an IPv6 expert myself ... currently ... yet. :-)
I've not looked at the actual code in detail yet, but the public API, virsh commands, XML etc all looks generally good to me. I'll try and get you a detailed code review friday/monday once I get through my current work items.
Let me post another series later today with the fixes that I have made following your reviews and changes I did make myself.
One comment about the instantiation of the rules: Since the XML allows to create nearly any possible combination of parameters to ebtables or iptables commands, I haven't used the ebtables or iptables wrappers. Instead, I am writing ebtables/iptables command into a buffer, add command line options to each one of them as described in the rule's
XML,
write the buffer into a file and run it as a script. For those commands that are not allowed to fail I am using the following format to run them:
cmd="ebtables <some options>" r=`${cmd}` if [ $? -ne 0 ]; then echo "Failure in command ${cmd}." exit 1 fi
cmd="..." [...]
If one of the command fails in such a batch, the libvirt code is going pick up the error code '1', tear down anything previously established and report an error back. The actual error message shown above is currently not reported back, but can be later on with some changes to the commands running external programs that need to read the script's stdout.
I understand why you can't use the ebtables/iptables APIs we currently have there, but I'm not much of a fan of using the shell script. Isn't it just as easy to directly call virRun() with each set of ARGV to be exec'd ?
I hadn't thought about calling that function... I would want to call a function that can handle something like bash scripts, i.e., multiple concatenated fragments as those shown above just to be more 'efficient'. If virRun() can handle that and $? for example would be treated there as the return value (which I think is bash-dependent), I'd be happy to call it as well. Stefan
Regards, Daniel -- |: Red Hat, Engineering, London -o-
http://people.redhat.com/berrange/:|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org:| |: http://autobuild.org -o- http://search.cpan.org/~danberr/:| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|