On Tue, Nov 03, 2009 at 11:50:52PM +0100, Daniel Veillard wrote:
On Tue, Oct 27, 2009 at 12:36:14PM +0100, Gerhard Stenzel wrote:
> This patch adds MAC address based port filtering to the qemu driver.
>
> Signed-off-by: Gerhard Stenzel <gerhard.stenzel(a)de.ibm.com>
[...]
> +networkAddEbtablesRules(struct qemud_driver *driver) {
> + int err;
> +
> + /* Set forward policy to DROP */
> + if ((err = ebtablesAddForwardPolicyReject(driver->ebtables))) {
> + virReportSystemError(NULL, err,
> + _("failed to add ebtables rule to set default
policy to drop on '%s'"),
> + __FILE__);
> + return err;
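Review bot: the '%s' in the error message here is filled with __FILE__, so an administrator reading the log gets a source file name instead of anything about what actually failed; either drop the placeholder or name the ebtables table/chain whose policy could not be set. The comment also says "Set forward policy to DROP" while the helper is called ebtablesAddForwardPolicyReject and the message says "drop"; pick one term so comment, function name and log text agree.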
I changed the indentation a bit to fit into 80 columns
[...]
> @@ -318,6 +319,22 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
> }
> }
>
> + p = virConfGetValue (conf, "mac_filter");
> + CHECK_TYPE ("mac_filter", VIR_CONF_LONG);
> + if (p) {
> + driver->macFilter = p->l;
> + if (!(driver->ebtables = ebtablesContextNew("qemu"))) {
> + driver->macFilter = 0;
> + virReportSystemError(NULL, errno,
> + _("failed to enable mac filter in in
'%s'"), __FILE__);
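Review bot: the ebtables context is created whenever mac_filter is present in the config, including `mac_filter = 0`, because the `if (p)` block calls ebtablesContextNew before looking at the value it just stored in driver->macFilter; guard it with `if (p && p->l)` (or test driver->macFilter before the ebtablesContextNew call) so a disabled option neither allocates a context nor logs "failed to enable mac filter". That message also has a doubled "in" ("in in") and, as in the other hunk, passes __FILE__ as its '%s' argument.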
Same in a couple of places in that module too.
> @@ -2176,6 +2177,21 @@ static void qemudShutdownVMDaemon(virConnectPtr conn,
>
> VIR_DEBUG(_("Shutting down VM '%s'\n"),
vm->def->name);
>
> + if (driver->macFilter) {
> + int i;
> + virDomainDefPtr def = vm->def;
> + for (i = 0 ; i < def->nnets ; i++) {
> + virDomainNetDefPtr net = def->nets[i];
> + if (net->ifname == NULL)
> + continue;
> + if ((errno = networkDisallowMacOnPort(conn, driver, net->ifname,
net->mac))) {
> + virReportSystemError(conn, errno,
> + _("failed to remove ebtables rule to
allow MAC address on '%s'"),
> + net->ifname);
> + }
> + }
> + }
> +
> if (virKillProcess(vm->pid, 0) == 0 &&
> virKillProcess(vm->pid, SIGTERM) < 0)
> virReportSystemError(conn, errno,
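Review bot: `errno = networkDisallowMacOnPort(...)` stores a function's return value into the libc errno, which clobbers whatever errno held and ties the helper's contract to returning a positive errno value; use a local `int rc` and pass that to virReportSystemError, as the virKillProcess branch just below does with the real errno from kill(). Continuing the loop after a failed delete is the right choice on the shutdown path, but a rule that could not be removed stays in the FORWARD chain, so the message would be more useful if it named the MAC (net->mac is at hand) and not only net->ifname.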
Again a bit of formatting, but nothing to add otherwise.
I have applied this patch too and pushed both, thanks!
We just need to look at the spec file dependency (should be added, I
think) and clear up potential issues in saving :-)
Mark pointed out to me off-list that this filtering is a little too
restrictive because it also blocks multicast and broadcast packets. We
can fix that easily enough with an extra patch, though, and a single
catch-all rule for multicast/broadcast packets.
Daniel
--
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
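The rule set the thread describes (FORWARD policy DROP, per-port allow rules keyed on the VM's MAC, and the single catch-all for multicast/broadcast that Daniel says the applied patch still lacks), written out as an added example that is not part of this thread or of libvirt's ebtables code. The helper names (`base_rules`, `mac_filter_rules`, `mac_filter_remove_rules`, `valid_mac`, `valid_ifname`), the interface name vnet0 and the MAC 52:54:00:aa:bb:cc are this example's own; the anti-spoof DROP inserted at the top of the chain is also this example's design, not the project's. The functions print ebtables commands rather than executing them, so the output can be reviewed and then piped into `sh` as root on a host where the ebtables CLI is present (assumed).

```shell
#!/bin/sh
# Added example (not libvirt code): emit ebtables rules for MAC-based
# port filtering on a Linux bridge: FORWARD policy DROP, per-port allow
# rules, and one catch-all for multicast/broadcast destinations.
# Commands are printed, not run; pipe into `sh` as root to apply
# (assumes the ebtables CLI is installed and VM tap devices are bridged).

EBTABLES=${EBTABLES:-ebtables}

# Reject anything that is not six colon-separated hex octets. The MAC comes
# from the domain definition, so check it before it lands on a command line.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Linux interface names are at most 15 characters; keep to a safe charset.
valid_ifname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$'
}

# One-time setup: default-deny on the bridge, then a single rule accepting
# frames to any group address. The ebtables "Multicast" alias matches the
# group bit (01:00:00:00:00:00/01:00:00:00:00:00), which the broadcast
# address ff:ff:ff:ff:ff:ff also carries, so one rule covers both.
base_rules() {
    printf '%s -P FORWARD DROP\n' "$EBTABLES"
    printf '%s -A FORWARD -d Multicast -j ACCEPT\n' "$EBTABLES"
}

# Per-port rules for a VM tap device and the MAC its NIC is configured with.
# Ordering matters because the catch-all above matches on destination only:
#   1. insert at the top a DROP for frames from the port whose source MAC is
#      not the VM's, so a guest cannot spoof another host's MAC even inside
#      broadcast/multicast frames the catch-all would otherwise accept;
#   2. append ACCEPT for frames from the port with the correct source;
#   3. append ACCEPT for unicast frames to the port addressed to that MAC.
# Prints three lines on success, nothing (and returns 1) on bad input.
mac_filter_rules() {
    ifname=$1; mac=$2
    valid_ifname "$ifname" || { printf 'bad ifname: %s\n' "$ifname" >&2; return 1; }
    valid_mac "$mac"       || { printf 'bad mac: %s\n' "$mac" >&2; return 1; }
    printf '%s -I FORWARD 1 -i %s -s ! %s -j DROP\n' "$EBTABLES" "$ifname" "$mac"
    printf '%s -A FORWARD -i %s -s %s -j ACCEPT\n'   "$EBTABLES" "$ifname" "$mac"
    printf '%s -A FORWARD -o %s -d %s -j ACCEPT\n'   "$EBTABLES" "$ifname" "$mac"
}

# Mirror of mac_filter_rules for VM shutdown: same match specs with -D,
# since ebtables -D deletes by match rather than by rule number.
mac_filter_remove_rules() {
    ifname=$1; mac=$2
    valid_ifname "$ifname" || return 1
    valid_mac "$mac"       || return 1
    printf '%s -D FORWARD -i %s -s ! %s -j DROP\n' "$EBTABLES" "$ifname" "$mac"
    printf '%s -D FORWARD -i %s -s %s -j ACCEPT\n' "$EBTABLES" "$ifname" "$mac"
    printf '%s -D FORWARD -o %s -d %s -j ACCEPT\n' "$EBTABLES" "$ifname" "$mac"
}

# Usage (as root):
#   base_rules | sh
#   mac_filter_rules vnet0 52:54:00:aa:bb:cc | sh          # VM start
#   mac_filter_remove_rules vnet0 52:54:00:aa:bb:cc | sh   # VM shutdown
```

The anti-spoof rule is inserted with `-I FORWARD 1` rather than appended so that it stays ahead of the multicast catch-all no matter how many VMs were started before it; with `-A` alone, the second VM's DROP would sit behind the catch-all and a guest could emit broadcast frames with a forged source MAC. The input checks exist because a MAC or interface name taken from a domain definition and spliced into a command line without validation is a shell-injection path, independent of what ebtables itself does with the value.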