"Daniel P. Berrange" <berrange@redhat.com> wrote on 06/07/2011 09:36:22 AM:


>
> The LXC driver networking uses veth device pairs. These can
> be easily hooked into the network filtering code.
>
> * src/lxc/lxc_driver.c: Add calls to setup/teardown nwfilter
> ---
>  src/lxc/lxc_driver.c |   12 ++++++++++--
>  1 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
> index 8eb87a2..4d14466 100644
> --- a/src/lxc/lxc_driver.c
> +++ b/src/lxc/lxc_driver.c
> @@ -52,7 +52,7 @@
>  #include "hooks.h"
>  #include "files.h"
>  #include "fdstream.h"
> -
> +#include "domain_nwfilter.h"
>  
>  #define VIR_FROM_THIS VIR_FROM_LXC
>  
> @@ -1027,6 +1027,8 @@ static void lxcVmCleanup(lxc_driver_t *driver,
>          vethDelete(vm->def->nets[i]->ifname);
>      }
>  
> +    virDomainConfVMNWFilterTeardown(vm);
> +
>      if (driver->cgroup &&
>          virCgroupForDomain(driver->cgroup, vm->def->name, &cgroup, 0) == 0) {
>          virCgroupRemove(cgroup);
> @@ -1146,6 +1148,10 @@ static int lxcSetupInterfaces(virConnectPtr conn,
>  
>          if (vethInterfaceUpOrDown(parentVeth, 1) < 0)
>              goto error_exit;
> +
> +        if (def->nets[i]->filter &&
> +            virDomainConfNWFilterInstantiate(conn, def->nets[i]) < 0)
> +            goto error_exit;
>      }
>  
>      rc = 0;
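Review bot: The filter is instantiated only after `vethInterfaceUpOrDown(parentVeth, 1)` has brought the host-side veth up, so for every interface there is a window in which the device is up with no filter rules attached. Moving the `def->nets[i]->filter &&` check and the `virDomainConfNWFilterInstantiate(conn, def->nets[i]) < 0` test ahead of the up call would close that window, provided the nwfilter backend can attach rules to an interface that is still down — worth confirming. It is also not visible from this hunk whether `error_exit` tears down filters already instantiated for earlier nets; the `cleanup:` hunk further down only calls `virDomainConfVMNWFilterTeardown(vm)` when rc != 0, which presumably covers a failed lxcSetupInterfaces but should be checked. lxcSetupInterfaces's body starts and ends outside the hunk.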
> @@ -1538,8 +1544,10 @@ cleanup:
>              vethDelete(veths[i]);
>          VIR_FREE(veths[i]);
>      }
> -    if (rc != 0)
> +    if (rc != 0) {
>          VIR_FORCE_CLOSE(priv->monitor);
> +        virDomainConfVMNWFilterTeardown(vm);
> +    }
>      VIR_FORCE_CLOSE(parentTty);
>      VIR_FREE(logfile);
>      return rc;
> --
> 1.7.4.4
>

I would have expected a bit more code to be necessary, especially to support live filter updates — at least something along the lines of what the UML support shows:


[...]

/*
 * umlVMFilterRebuild:
 * @conn: connection handle; not used by this callback
 * @iter: callback applied to each domain object
 * @data: opaque pointer passed through to @iter
 *
 * nwfilter "rebuild" callback: walks every domain object held by the UML
 * driver and hands each one to @iter. The driver lock is presumably taken
 * by the nwfilter code via umlCallbackDriver's vmDriverLock/vmDriverUnlock
 * around this walk — confirm against the caller.
 *
 * Returns 0 unconditionally.
 */
static int
umlVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
                   virHashIterator iter, void *data)
{
    int ret = 0;

    /* The iterator's result is not propagated; the walk itself is the
     * whole job of this callback. */
    virHashForEach(uml_driver->domains.objs, iter, data);

    return ret;
}

[...]

/*
 * umlVMDriverLock:
 *
 * vmDriverLock callback for the nwfilter subsystem: acquires the global
 * UML driver lock so the domain list can be walked safely.
 */
static void
umlVMDriverLock(void)
{
    /* Delegates to the driver's own locking helper. */
    umlDriverLock(uml_driver);
}
 
/*
 * umlVMDriverUnlock:
 *
 * vmDriverUnlock callback for the nwfilter subsystem: releases the global
 * UML driver lock taken by umlVMDriverLock().
 */
static void
umlVMDriverUnlock(void)
{
    /* Delegates to the driver's own unlocking helper. */
    umlDriverUnlock(uml_driver);
}

/*
 * Callback table the nwfilter subsystem uses to reach back into the UML
 * driver: lock/unlock the driver, and walk its domains so filter rules can
 * be rebuilt when a filter definition changes.
 */
static virNWFilterCallbackDriver umlCallbackDriver = {
    .name            = "UML",
    .vmDriverLock    = umlVMDriverLock,
    .vmDriverUnlock  = umlVMDriverUnlock,
    .vmFilterRebuild = umlVMFilterRebuild,
};
 
/*
 * umlRegister:
 *
 * Registers the UML hypervisor driver, its state driver and the nwfilter
 * callback driver with the library core.
 *
 * NOTE(review): the return values of the three registration calls are
 * discarded; if any of them can report failure, consider propagating it —
 * confirm against their declarations.
 *
 * Returns 0.
 */
int umlRegister(void)
{
    /* Order matters only in that the callback driver is registered last,
     * after the driver it refers to is known to the core. */
    virRegisterDriver(&umlDriver);
    virRegisterStateDriver(&umlStateDriver);
    virNWFilterRegisterCallbackDriver(&umlCallbackDriver);

    return 0;
}
 

Regards,
   Stefan