This patch adds MAC-address-based port filtering to the qemu driver.
Signed-off-by: Gerhard Stenzel <gerhard.stenzel(a)de.ibm.com>
---
src/qemu/qemu.conf | 3 +++
src/qemu/qemu_conf.c | 14 ++++++++++++++
src/qemu/qemu_conf.h | 2 ++
src/qemu/qemu_driver.c | 23 +++++++++++++++++++++++
4 files changed, 42 insertions(+), 0 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 6d6b86a..53c4522 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -152,3 +152,6 @@
# in a location of $MOUNTPOINT/libvirt/qemu
# hugetlbfs_mount = "/dev/hugepages"
+
+mac_filter = 1
+
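Review bot: `mac_filter = 1` is added as a live, uncommented setting, whereas the neighbouring option just above it (`# hugetlbfs_mount = "/dev/hugepages"`) follows the file's convention of an explanatory comment plus a commented-out default. Shipping it this way silently enables ebtables-based filtering for anyone installing the sample config, and gives no hint what the option does or what values it accepts. Suggest a short comment describing the feature and its effect on guest networking, followed by `# mac_filter = 1` (or `mac_filter = 0` if opt-in is the intent), so the conf file documents the knob rather than flipping it.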
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index ac63570..7a3b1f1 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -318,6 +318,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
}
}
+ p = virConfGetValue (conf, "mac_filter");
+ CHECK_TYPE ("mac_filter", VIR_CONF_LONG);
+ if (p) driver->macFilter = p->l;
+
virConfFree (conf);
return 0;
}
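Review bot: `if (p) driver->macFilter = p->l;` stores a `long` into a field that the qemu_conf.h hunk declares as `unsigned int macFilter : 1`, so only the low bit survives: `mac_filter = 2` (or any even non-zero value) is silently read as disabled. Normalise the value explicitly, `if (p) driver->macFilter = (p->l != 0);`, or reject anything other than 0 and 1 with a config error, matching how a boolean switch should behave. qemudLoadDriverConfig begins outside this hunk, so I cannot see whether `p` is reused after this point.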
@@ -1193,6 +1197,16 @@ qemudNetworkIfaceConnect(virConnectPtr conn,
tapfd = -1;
}
+ if (driver->macFilter) {
+ virNetworkPtr network = virNetworkLookupByName(conn,
+ net->data.network.name);
+ if ((err = virNetworkAllowMacOnPort(network, brname, net->ifname,
net->mac))) {
+ virReportSystemError(conn, err,
+ _("failed to add ebtables rule to allow MAC address
on '%s'"),
+ net->ifname);
+ }
+ }
+
cleanup:
VIR_FREE(brname);
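Review bot: The `network` returned by virNetworkLookupByName is passed straight to virNetworkAllowMacOnPort without a NULL check, and the reference it hands back is never released, so every interface connect with macFilter on leaks a virNetworkPtr and a failed lookup (network undefined, or — presumably — an interface whose type is not "network", where `net->data.network.name` is not the active union member) dereferences NULL. Add `if (!network) goto cleanup;` after the lookup (or whichever failure path the function already uses — its head is outside this hunk) and `virNetworkFree(network);` before the closing brace of the `if (driver->macFilter)` block. The same unchecked-and-never-freed lookup appears in the qemudShutdownVMDaemon hunk of qemu_driver.c, where `brname` from virNetworkGetBridgeName is likewise never freed.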
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index f9a970f..ddcbd8a 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -112,6 +112,8 @@ struct qemud_driver {
char *hugetlbfs_mount;
char *hugepage_path;
+ unsigned int macFilter : 1;
+
virCapsPtr caps;
/* An array of callbacks */
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 155e4a3..a95c867 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -239,6 +239,14 @@ qemudAutostartConfigs(struct qemud_driver *driver) {
}
virDomainObjUnlock(vm);
}
+ if (qemu_driver->macFilter) {
+ fprintf(stderr,"%s:%s:%d macFilter=%d\n", __FILE__, __FUNCTION__,
__LINE__, qemu_driver->macFilter);
+ if ((errno = virNetworkDisableAllFrames(conn))) {
+ virReportSystemError(conn, errno,
+ _("failed to add rule to drop all frames in
'%s'"), __FILE__);
+ }
+ }
+
qemuDriverUnlock(driver);
if (conn)
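Review bot: The pre-existing `if (conn)` immediately after the new block suggests `conn` can be NULL in qemudAutostartConfigs, yet virNetworkDisableAllFrames(conn) and virReportSystemError(conn, ...) are called with it unconditionally, so an autostart run without a connection would presumably dereference NULL inside the network API. The debugging `fprintf(stderr, "%s:%s:%d macFilter=%d\n", __FILE__, __FUNCTION__, ...)` should not be merged, and storing the call's return code into `errno` rather than a local is fragile and unidiomatic for this code base. The block also reads the global `qemu_driver` while the surrounding function uses its `driver` parameter (see `qemuDriverUnlock(driver)` on the next line), and the `'%s'` in the user-facing message is filled with `__FILE__`, i.e. a source file name rather than anything the admin can act on. The function starts and ends outside this hunk; a minimal rewrite of the inserted block:

```c
    if (conn && driver->macFilter) {
        int err = virNetworkDisableAllFrames(conn);
        if (err)
            virReportSystemError(conn, err,
                                 "%s", _("failed to add rule to drop all frames"));
    }
    /* … unchanged: qemuDriverUnlock(driver) and the existing if (conn) … */
```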
@@ -2167,8 +2175,23 @@ cleanup:
static void qemudShutdownVMDaemon(virConnectPtr conn,
struct qemud_driver *driver,
virDomainObjPtr vm) {
+
int ret;
int retries = 0;
+ char *brname;
+
+ virDomainNetDefPtr net = vm->def->nets[0];
+ virNetworkPtr network = virNetworkLookupByName(conn,
+ net->data.network.name);
+ brname = virNetworkGetBridgeName(network);
+
+ if (driver->macFilter) {
+ if ((errno = virNetworkDisallowMacOnPort(network, brname, net->ifname,
net->mac))) {
+ virReportSystemError(conn, errno,
+ _("failed to add ebtables rule to allow MAC address
on '%s'"),
+ net->ifname);
+ }
+ }
if (!virDomainIsActive(vm))
return;