
On Tue, Oct 27, 2009 at 12:36:14PM +0100, Gerhard Stenzel wrote:
This patch adds MAC address based port filtering to the qemu driver.
Signed-off-by: Gerhard Stenzel <gerhard.stenzel@de.ibm.com> [...] +networkAddEbtablesRules(struct qemud_driver *driver) { + int err; + + /* Set forward policy to DROP */ + if ((err = ebtablesAddForwardPolicyReject(driver->ebtables))) { + virReportSystemError(NULL, err, + _("failed to add ebtables rule to set default policy to drop on '%s'"), + __FILE__); + return err;
I changed the indentation a bit to fit into 80 columns [...]
@@ -318,6 +319,22 @@ int qemudLoadDriverConfig(struct qemud_driver *driver, } }
+ p = virConfGetValue (conf, "mac_filter"); + CHECK_TYPE ("mac_filter", VIR_CONF_LONG); + if (p) { + driver->macFilter = p->l; + if (!(driver->ebtables = ebtablesContextNew("qemu"))) { + driver->macFilter = 0; + virReportSystemError(NULL, errno, + _("failed to enable mac filter in in '%s'"), __FILE__);
same in a couple of places in that module too
@@ -2176,6 +2177,21 @@ static void qemudShutdownVMDaemon(virConnectPtr conn,
VIR_DEBUG(_("Shutting down VM '%s'\n"), vm->def->name);
+ if (driver->macFilter) { + int i; + virDomainDefPtr def = vm->def; + for (i = 0 ; i < def->nnets ; i++) { + virDomainNetDefPtr net = def->nets[i]; + if (net->ifname == NULL) + continue; + if ((errno = networkDisallowMacOnPort(conn, driver, net->ifname, net->mac))) { + virReportSystemError(conn, errno, + _("failed to remove ebtables rule to allow MAC address on '%s'"), + net->ifname); + } + } + } + if (virKillProcess(vm->pid, 0) == 0 && virKillProcess(vm->pid, SIGTERM) < 0) virReportSystemError(conn, errno,
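Review bot: in networkAddEbtablesRules the error message ends with "on '%s'" but the argument passed is __FILE__, so the log names the C source file rather than anything an administrator can act on. Drop the '%s' or pass the table or chain being changed. The comment says DROP while the helper is named ebtablesAddForwardPolicyReject; make the two agree, and document in the comment that the forward policy applies to every bridged frame on the host, not only to qemu guests.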
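Review bot: in the mac_filter block of qemudLoadDriverConfig the ebtables context is created whenever the key is present ("if (p)"), even when its value is 0; test p->l before calling ebtablesContextNew. When that call fails, macFilter is reset to 0, so a host configured for filtering would run without it; the lines shown do not make clear whether the config load is aborted at that point, and failing the load is the safer behaviour. The message also doubles "in in" and passes __FILE__ for '%s', and errno is only meaningful there if ebtablesContextNew sets it.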
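Review bot: in the qemudShutdownVMDaemon loop, "(errno = networkDisallowMacOnPort(...))" uses errno as a scratch variable; a local "int err" passed to virReportSystemError is clearer and does not clobber errno for the code that follows. When removal fails, the allow rule for net->mac on net->ifname stays in place and only a message is logged; a comment should say whether anything cleans it up later, in case the interface name is reused.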
again a bit of formatting but nothing to add otherwise.

I have applied this patch too and I pushed both, thanks !
We just need to look at the spec file dependency (should be added I think)
and clear up potential issues in saving :-)

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/