[PATCH 0/6] nwfilter define: add support for validation against schema

Kristina Hanicova (6): api: add public virNWFilterDefineXMLFlags() and remote protocol nwfilter: add nwfilterDefineXMLFlags() api: add virNWFilterDefineFlags nwfilter_conf: add validation against schema in define nwfilter_driver: allow VIR_NWFILTER_DEFINE_VALIDATE flag virsh: add support for '--validate' option in define nwfilter docs/manpages/virsh.rst | 5 +++- include/libvirt/libvirt-nwfilter.h | 7 +++++ src/conf/nwfilter_conf.c | 13 +++++---- src/conf/nwfilter_conf.h | 3 ++- src/driver-nwfilter.h | 6 +++++ src/libvirt-nwfilter.c | 43 ++++++++++++++++++++++++++++++ src/libvirt_public.syms | 5 ++++ src/nwfilter/nwfilter_driver.c | 21 ++++++++++++--- src/remote/remote_driver.c | 1 + src/remote/remote_protocol.x | 18 ++++++++++++- src/remote_protocol-structs | 8 ++++++ tools/virsh-nwfilter.c | 13 ++++++++- 12 files changed, 130 insertions(+), 13 deletions(-) -- 2.31.1

This new API function allows to define nwfilter with given flags. Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- include/libvirt/libvirt-nwfilter.h | 3 +++ src/driver-nwfilter.h | 6 +++++ src/libvirt-nwfilter.c | 43 ++++++++++++++++++++++++++++++ src/libvirt_public.syms | 5 ++++ src/remote/remote_driver.c | 1 + src/remote/remote_protocol.x | 18 ++++++++++++- src/remote_protocol-structs | 8 ++++++ 7 files changed, 83 insertions(+), 1 deletion(-) diff --git a/include/libvirt/libvirt-nwfilter.h b/include/libvirt/libvirt-nwfilter.h index 44ca1b3fae..041b1fc33b 100644 --- a/include/libvirt/libvirt-nwfilter.h +++ b/include/libvirt/libvirt-nwfilter.h @@ -85,6 +85,9 @@ virNWFilterPtr virNWFilterLookupByUUIDString (virConnectPtr conn, */ virNWFilterPtr virNWFilterDefineXML (virConnectPtr conn, const char *xmlDesc); +virNWFilterPtr virNWFilterDefineXMLFlags(virConnectPtr conn, + const char *xmlDesc, + unsigned int flags); /* * Delete persistent nwfilter diff --git a/src/driver-nwfilter.h b/src/driver-nwfilter.h index fd76e3af84..1ec591ece9 100644 --- a/src/driver-nwfilter.h +++ b/src/driver-nwfilter.h @@ -49,6 +49,11 @@ typedef virNWFilterPtr (*virDrvNWFilterDefineXML)(virConnectPtr conn, const char *xmlDesc); +typedef virNWFilterPtr +(*virDrvNWFilterDefineXMLFlags)(virConnectPtr conn, + const char *xmlDesc, + unsigned int flags); + typedef int (*virDrvNWFilterUndefine)(virNWFilterPtr nwfilter); @@ -98,6 +103,7 @@ struct _virNWFilterDriver { virDrvNWFilterLookupByName nwfilterLookupByName; virDrvNWFilterLookupByUUID nwfilterLookupByUUID; virDrvNWFilterDefineXML nwfilterDefineXML; + virDrvNWFilterDefineXMLFlags nwfilterDefineXMLFlags; virDrvNWFilterUndefine nwfilterUndefine; virDrvNWFilterGetXMLDesc nwfilterGetXMLDesc; virDrvConnectListAllNWFilterBindings connectListAllNWFilterBindings; diff --git a/src/libvirt-nwfilter.c b/src/libvirt-nwfilter.c index e299385895..c5c53327d3 100644 --- a/src/libvirt-nwfilter.c +++ b/src/libvirt-nwfilter.c 
@@ -406,6 +406,49 @@ virNWFilterDefineXML(virConnectPtr conn, const char *xmlDesc) } +/** + * virNWFilterDefineXMLFlags: + * @conn: pointer to the hypervisor connection + * @xmlDesc: an XML description of the nwfilter + * @flags: extra flags; not used yet, so callers should always pass 0 + * + * Define a new network filter, based on an XML description + * similar to the one returned by virNWFilterGetXMLDesc() + * + * virNWFilterFree should be used to free the resources after the + * nwfilter object is no longer needed. + * + * Returns a new nwfilter object or NULL in case of failure + */ +virNWFilterPtr +virNWFilterDefineXMLFlags(virConnectPtr conn, const char *xmlDesc, unsigned int flags) +{ + VIR_DEBUG("conn=%p, xmlDesc=%s", conn, NULLSTR(xmlDesc)); + + virResetLastError(); + + virCheckFlags(0, NULL); + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(xmlDesc, error); + virCheckReadOnlyGoto(conn->flags, error); + + if (conn->nwfilterDriver && conn->nwfilterDriver->nwfilterDefineXMLFlags) { + virNWFilterPtr ret; + ret = conn->nwfilterDriver->nwfilterDefineXMLFlags(conn, xmlDesc, flags); + if (!ret) + goto error; + return ret; + } + + virReportUnsupportedError(); + + error: + virDispatchError(conn); + return NULL; +} + + /** * virNWFilterUndefine: * @nwfilter: a nwfilter object diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms index 5678a13cda..68f5e9c900 100644 --- a/src/libvirt_public.syms +++ b/src/libvirt_public.syms @@ -896,4 +896,9 @@ LIBVIRT_7.3.0 { virNodeDeviceCreate; } LIBVIRT_7.2.0; +LIBVIRT_7.7.0 { + global: + virNWFilterDefineXMLFlags; +} LIBVIRT_7.3.0; + # .... define new API here using predicted next version number .... diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index c03c68ec30..9ee22e7e15 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c 
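Review bot: The doc comment on virNWFilterDefineXMLFlags does not say that the call is refused on a read-only connection, although the body enforces it with `virCheckReadOnlyGoto(conn->flags, error)`; a line such as ` * This API requires a read-write connection.` next to the other paragraphs would make that contract visible to API users. It would also help callers to state that virNWFilterDefineXML() is the same operation with no flags, which appears to be the intent of the series (the driver-side wrapper is in a later patch). The hunk ends with the start of the virNWFilterUndefine comment, whose body is outside the hunk.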
@@ -8680,6 +8680,7 @@ static virNWFilterDriver nwfilter_driver = { .nwfilterLookupByName = remoteNWFilterLookupByName, /* 0.8.0 */ .nwfilterGetXMLDesc = remoteNWFilterGetXMLDesc, /* 0.8.0 */ .nwfilterDefineXML = remoteNWFilterDefineXML, /* 0.8.0 */ + .nwfilterDefineXMLFlags = remoteNWFilterDefineXMLFlags, /* 7.7.0 */ .nwfilterUndefine = remoteNWFilterUndefine, /* 0.8.0 */ .connectNumOfNWFilters = remoteConnectNumOfNWFilters, /* 0.8.0 */ .connectListNWFilters = remoteConnectListNWFilters, /* 0.8.0 */ diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x index de69704b68..56f610839e 100644 --- a/src/remote/remote_protocol.x +++ b/src/remote/remote_protocol.x @@ -1627,6 +1627,15 @@ struct remote_nwfilter_define_xml_ret { remote_nonnull_nwfilter nwfilter; }; +struct remote_nwfilter_define_xml_flags_args { + remote_nonnull_string xml; + unsigned int flags; +}; + +struct remote_nwfilter_define_xml_flags_ret { + remote_nonnull_nwfilter nwfilter; +}; + struct remote_nwfilter_undefine_args { remote_nonnull_nwfilter nwfilter; }; @@ -6784,6 +6793,13 @@ enum remote_procedure { * @priority: high * @acl: node_device:start */ - REMOTE_PROC_NODE_DEVICE_CREATE = 430 + REMOTE_PROC_NODE_DEVICE_CREATE = 430, + /** + * @generate: both + * @priority: high + * @acl: nwfilter:write + * @acl: nwfilter:save + */ + REMOTE_PROC_NWFILTER_DEFINE_XML_FLAGS = 431 }; diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs index 6b46328adc..d51f12f781 100644 --- a/src/remote_protocol-structs +++ b/src/remote_protocol-structs @@ -1174,6 +1174,13 @@ struct remote_nwfilter_define_xml_args { struct remote_nwfilter_define_xml_ret { remote_nonnull_nwfilter nwfilter; }; +struct remote_nwfilter_define_xml_flags_args { + remote_nonnull_string xml; + u_int flags; +}; +struct remote_nwfilter_define_xml_flags_ret { + remote_nonnull_nwfilter nwfilter; +}; struct remote_nwfilter_undefine_args { remote_nonnull_nwfilter nwfilter; }; 
@@ -3623,4 +3630,5 @@ enum remote_procedure {
 REMOTE_PROC_NODE_DEVICE_DEFINE_XML = 428,
 REMOTE_PROC_NODE_DEVICE_UNDEFINE = 429,
 REMOTE_PROC_NODE_DEVICE_CREATE = 430,
+ REMOTE_PROC_NWFILTER_DEFINE_XML_FLAGS = 431,
 };
-- 2.31.1

On 8/20/21 1:57 PM, Kristina Hanicova wrote:
This new API function allows to define nwfilter with given flags.
Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- include/libvirt/libvirt-nwfilter.h | 3 +++ src/driver-nwfilter.h | 6 +++++ src/libvirt-nwfilter.c | 43 ++++++++++++++++++++++++++++++ src/libvirt_public.syms | 5 ++++ src/remote/remote_driver.c | 1 + src/remote/remote_protocol.x | 18 ++++++++++++- src/remote_protocol-structs | 8 ++++++ 7 files changed, 83 insertions(+), 1 deletion(-)
diff --git a/include/libvirt/libvirt-nwfilter.h b/include/libvirt/libvirt-nwfilter.h index 44ca1b3fae..041b1fc33b 100644 --- a/include/libvirt/libvirt-nwfilter.h +++ b/include/libvirt/libvirt-nwfilter.h @@ -85,6 +85,9 @@ virNWFilterPtr virNWFilterLookupByUUIDString (virConnectPtr conn, */ virNWFilterPtr virNWFilterDefineXML (virConnectPtr conn, const char *xmlDesc); +virNWFilterPtr virNWFilterDefineXMLFlags(virConnectPtr conn, + const char *xmlDesc, + unsigned int flags);
/* * Delete persistent nwfilter diff --git a/src/driver-nwfilter.h b/src/driver-nwfilter.h index fd76e3af84..1ec591ece9 100644 --- a/src/driver-nwfilter.h +++ b/src/driver-nwfilter.h @@ -49,6 +49,11 @@ typedef virNWFilterPtr (*virDrvNWFilterDefineXML)(virConnectPtr conn, const char *xmlDesc);
+typedef virNWFilterPtr +(*virDrvNWFilterDefineXMLFlags)(virConnectPtr conn, + const char *xmlDesc, + unsigned int flags); + typedef int (*virDrvNWFilterUndefine)(virNWFilterPtr nwfilter);
@@ -98,6 +103,7 @@ struct _virNWFilterDriver { virDrvNWFilterLookupByName nwfilterLookupByName; virDrvNWFilterLookupByUUID nwfilterLookupByUUID; virDrvNWFilterDefineXML nwfilterDefineXML; + virDrvNWFilterDefineXMLFlags nwfilterDefineXMLFlags; virDrvNWFilterUndefine nwfilterUndefine; virDrvNWFilterGetXMLDesc nwfilterGetXMLDesc; virDrvConnectListAllNWFilterBindings connectListAllNWFilterBindings; diff --git a/src/libvirt-nwfilter.c b/src/libvirt-nwfilter.c index e299385895..c5c53327d3 100644 --- a/src/libvirt-nwfilter.c +++ b/src/libvirt-nwfilter.c @@ -406,6 +406,49 @@ virNWFilterDefineXML(virConnectPtr conn, const char *xmlDesc) }
+/** + * virNWFilterDefineXMLFlags: + * @conn: pointer to the hypervisor connection + * @xmlDesc: an XML description of the nwfilter + * @flags: extra flags; not used yet, so callers should always pass 0 + * + * Define a new network filter, based on an XML description + * similar to the one returned by virNWFilterGetXMLDesc() + * + * virNWFilterFree should be used to free the resources after the + * nwfilter object is no longer needed. + * + * Returns a new nwfilter object or NULL in case of failure + */ +virNWFilterPtr +virNWFilterDefineXMLFlags(virConnectPtr conn, const char *xmlDesc, unsigned int flags) +{ + VIR_DEBUG("conn=%p, xmlDesc=%s", conn, NULLSTR(xmlDesc));
The @flags should be included in the debug printing too.
+ + virResetLastError(); + + virCheckFlags(0, NULL);
This isn't a good idea. It stops a client from sending a flag it doesn't know, true. But ultimately it's the server (nwfilter driver) where we want to validate @flags, because a client can be talking to a newer/older server which in general supports a different set of flags. Just drop this line. Michal

I have added a new driver function which allows to define nwfilter with given flags. I have also replaced definition of nwfilterDefineXML() with function call to the new function. Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- src/nwfilter/nwfilter_driver.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index edb284aa4b..4b355ffff1 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -525,9 +525,11 @@ nwfilterConnectListAllNWFilters(virConnectPtr conn, return ret; } + static virNWFilterPtr -nwfilterDefineXML(virConnectPtr conn, - const char *xml) +nwfilterDefineXMLFlags(virConnectPtr conn, + const char *xml, + unsigned int flags) { virNWFilterDef *def; virNWFilterObj *obj = NULL; @@ -540,13 +542,15 @@ nwfilterDefineXML(virConnectPtr conn, return NULL; } + virCheckFlags(0, NULL); + nwfilterDriverLock(); virNWFilterWriteLockFilterUpdates(); if (!(def = virNWFilterDefParseString(xml))) goto cleanup; - if (virNWFilterDefineXMLEnsureACL(conn, def) < 0) + if (virNWFilterDefineXMLFlagsEnsureACL(conn, def) < 0) goto cleanup; if (!(obj = virNWFilterObjListAssignDef(driver->nwfilters, def))) @@ -572,6 +576,14 @@ nwfilterDefineXML(virConnectPtr conn, } +static virNWFilterPtr +nwfilterDefineXML(virConnectPtr conn, + const char *xml) +{ + return nwfilterDefineXMLFlags(conn, xml, 0); +} + + static int nwfilterUndefine(virNWFilterPtr nwfilter) { @@ -809,6 +821,7 @@ static virNWFilterDriver nwfilterDriver = { .nwfilterLookupByName = nwfilterLookupByName, /* 0.8.0 */ .nwfilterLookupByUUID = nwfilterLookupByUUID, /* 0.8.0 */ .nwfilterDefineXML = nwfilterDefineXML, /* 0.8.0 */ + .nwfilterDefineXMLFlags = nwfilterDefineXMLFlags, /* 7.7.0 */ .nwfilterUndefine = nwfilterUndefine, /* 0.8.0 */ .nwfilterGetXMLDesc = nwfilterGetXMLDesc, /* 0.8.0 */ .nwfilterBindingLookupByPortDev = nwfilterBindingLookupByPortDev, /* 4.5.0 */ -- 2.31.1
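Review bot: The ACL check in nwfilterDefineXMLFlags becomes `virNWFilterDefineXMLFlagsEnsureACL`, and the legacy nwfilterDefineXML wrapper now reaches it with flags 0, so the permissions enforced for the old API come from the new procedure's `@acl` annotations (`nwfilter:write` and `nwfilter:save` in the remote_protocol.x hunk of patch 1) rather than from REMOTE_PROC_NWFILTER_DEFINE_XML's own. That is only a no-op if the old procedure carries the same two annotations, which this hunk does not show; a sentence in the commit message confirming it would make the authorization change reviewable on its own. The body of nwfilterDefineXMLFlags continues outside the hunk between the first two `@@` headers.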

On 8/20/21 1:57 PM, Kristina Hanicova wrote:
I have added a new driver function which allows to define nwfilter with given flags. I have also replaced definition of nwfilterDefineXML() with function call to the new function.
Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- src/nwfilter/nwfilter_driver.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index edb284aa4b..4b355ffff1 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -525,9 +525,11 @@ nwfilterConnectListAllNWFilters(virConnectPtr conn, return ret; }
+ static virNWFilterPtr -nwfilterDefineXML(virConnectPtr conn, - const char *xml) +nwfilterDefineXMLFlags(virConnectPtr conn, + const char *xml, + unsigned int flags) { virNWFilterDef *def; virNWFilterObj *obj = NULL; @@ -540,13 +542,15 @@ nwfilterDefineXML(virConnectPtr conn, return NULL; }
+ virCheckFlags(0, NULL); +
I think this check should go before the !driver->privileged check. That way it's consistent with the rest of the code. Michal

Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- include/libvirt/libvirt-nwfilter.h | 4 ++++ src/libvirt-nwfilter.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/libvirt/libvirt-nwfilter.h b/include/libvirt/libvirt-nwfilter.h index 041b1fc33b..9897df6df6 100644 --- a/include/libvirt/libvirt-nwfilter.h +++ b/include/libvirt/libvirt-nwfilter.h @@ -80,6 +80,10 @@ virNWFilterPtr virNWFilterLookupByUUID (virConnectPtr conn, virNWFilterPtr virNWFilterLookupByUUIDString (virConnectPtr conn, const char *uuid); +typedef enum { + VIR_NWFILTER_DEFINE_VALIDATE = 1 << 0, /* Validate the XML document against schema */ +} virNWFilterDefineFlags; + /* * Define persistent nwfilter */ diff --git a/src/libvirt-nwfilter.c b/src/libvirt-nwfilter.c index c5c53327d3..ca4dddf89e 100644 --- a/src/libvirt-nwfilter.c +++ b/src/libvirt-nwfilter.c @@ -410,7 +410,7 @@ virNWFilterDefineXML(virConnectPtr conn, const char *xmlDesc) * virNWFilterDefineXMLFlags: * @conn: pointer to the hypervisor connection * @xmlDesc: an XML description of the nwfilter - * @flags: extra flags; not used yet, so callers should always pass 0 + * @flags: bitwise-OR of virNWFilterDefineFlags * * Define a new network filter, based on an XML description * similar to the one returned by virNWFilterGetXMLDesc() @@ -427,7 +427,7 @@ virNWFilterDefineXMLFlags(virConnectPtr conn, const char *xmlDesc, unsigned int virResetLastError(); - virCheckFlags(0, NULL); + virCheckFlags(VIR_NWFILTER_DEFINE_VALIDATE, NULL); virCheckConnectReturn(conn, NULL); virCheckNonNullArgGoto(xmlDesc, error); -- 2.31.1

On 8/20/21 1:57 PM, Kristina Hanicova wrote:
Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- include/libvirt/libvirt-nwfilter.h | 4 ++++ src/libvirt-nwfilter.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/include/libvirt/libvirt-nwfilter.h b/include/libvirt/libvirt-nwfilter.h index 041b1fc33b..9897df6df6 100644 --- a/include/libvirt/libvirt-nwfilter.h +++ b/include/libvirt/libvirt-nwfilter.h @@ -80,6 +80,10 @@ virNWFilterPtr virNWFilterLookupByUUID (virConnectPtr conn, virNWFilterPtr virNWFilterLookupByUUIDString (virConnectPtr conn, const char *uuid);
+typedef enum { + VIR_NWFILTER_DEFINE_VALIDATE = 1 << 0, /* Validate the XML document against schema */ +} virNWFilterDefineFlags; + /* * Define persistent nwfilter */ diff --git a/src/libvirt-nwfilter.c b/src/libvirt-nwfilter.c index c5c53327d3..ca4dddf89e 100644 --- a/src/libvirt-nwfilter.c +++ b/src/libvirt-nwfilter.c @@ -410,7 +410,7 @@ virNWFilterDefineXML(virConnectPtr conn, const char *xmlDesc) * virNWFilterDefineXMLFlags: * @conn: pointer to the hypervisor connection * @xmlDesc: an XML description of the nwfilter - * @flags: extra flags; not used yet, so callers should always pass 0 + * @flags: bitwise-OR of virNWFilterDefineFlags * * Define a new network filter, based on an XML description * similar to the one returned by virNWFilterGetXMLDesc() @@ -427,7 +427,7 @@ virNWFilterDefineXMLFlags(virConnectPtr conn, const char *xmlDesc, unsigned int
virResetLastError();
- virCheckFlags(0, NULL); + virCheckFlags(VIR_NWFILTER_DEFINE_VALIDATE, NULL);
virCheckConnectReturn(conn, NULL); virCheckNonNullArgGoto(xmlDesc, error);
This last hunk shouldn't be here, as @flags shouldn't be checked on the client side. Michal

This patch also includes propagation of flags into the virNWFilterDefParse(). Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- src/conf/nwfilter_conf.c | 13 ++++++++----- src/conf/nwfilter_conf.h | 3 ++- src/nwfilter/nwfilter_driver.c | 2 +- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/conf/nwfilter_conf.c b/src/conf/nwfilter_conf.c index 7d491e27b1..a3109962af 100644 --- a/src/conf/nwfilter_conf.c +++ b/src/conf/nwfilter_conf.c @@ -2739,12 +2739,14 @@ virNWFilterDefParseNode(xmlDocPtr xml, static virNWFilterDef * virNWFilterDefParse(const char *xmlStr, - const char *filename) + const char *filename, + unsigned int flags) { virNWFilterDef *def = NULL; g_autoptr(xmlDoc) xml = NULL; - if ((xml = virXMLParse(filename, xmlStr, _("(nwfilter_definition)"), NULL, false))) { + if ((xml = virXMLParse(filename, xmlStr, _("(nwfilter_definition)"), "nwfilter.rng", + flags & VIR_NWFILTER_DEFINE_VALIDATE))) { def = virNWFilterDefParseNode(xml, xmlDocGetRootElement(xml)); } @@ -2753,16 +2755,17 @@ virNWFilterDefParse(const char *xmlStr, virNWFilterDef * -virNWFilterDefParseString(const char *xmlStr) +virNWFilterDefParseString(const char *xmlStr, + unsigned int flags) { - return virNWFilterDefParse(xmlStr, NULL); + return virNWFilterDefParse(xmlStr, NULL, flags); } virNWFilterDef * virNWFilterDefParseFile(const char *filename) { - return virNWFilterDefParse(NULL, filename); + return virNWFilterDefParse(NULL, filename, 0); } diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h index 8d5684eb4e..bbe12284a5 100644 --- a/src/conf/nwfilter_conf.h +++ b/src/conf/nwfilter_conf.h @@ -546,7 +546,8 @@ virNWFilterSaveConfig(const char *configDir, virNWFilterDef *def); virNWFilterDef * -virNWFilterDefParseString(const char *xml); +virNWFilterDefParseString(const char *xml, + unsigned int flags); virNWFilterDef * virNWFilterDefParseFile(const char *filename); 
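Review bot: In virNWFilterDefParse the new last argument to virXMLParse is `flags & VIR_NWFILTER_DEFINE_VALIDATE`, replacing a literal `false`, so an unsigned int is being narrowed to what looks like a `bool` parameter; writing `!!(flags & VIR_NWFILTER_DEFINE_VALIDATE)` makes the intent explicit. virNWFilterDefParseFile passes `0`, so definitions loaded from disk are never schema-validated; presumably this is deliberate so that existing configs keep loading after an upgrade, and a one-line comment saying so (`/* never validate on-disk configs: they must keep loading after upgrades */`) would stop someone "fixing" it later. The new `flags` parameter in the nwfilter_conf.h prototype is undocumented; a short `/* bitwise-OR of virNWFilterDefineFlags */` there would help.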
diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 4b355ffff1..4cfdd42a37 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -547,7 +547,7 @@ nwfilterDefineXMLFlags(virConnectPtr conn, nwfilterDriverLock(); virNWFilterWriteLockFilterUpdates(); - if (!(def = virNWFilterDefParseString(xml))) + if (!(def = virNWFilterDefParseString(xml, 0))) goto cleanup; if (virNWFilterDefineXMLFlagsEnsureACL(conn, def) < 0) -- 2.31.1

Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- src/nwfilter/nwfilter_driver.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 4cfdd42a37..d38c5b78e3 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -542,12 +542,12 @@ nwfilterDefineXMLFlags(virConnectPtr conn, return NULL; } - virCheckFlags(0, NULL); + virCheckFlags(VIR_NWFILTER_DEFINE_VALIDATE, NULL); nwfilterDriverLock(); virNWFilterWriteLockFilterUpdates(); - if (!(def = virNWFilterDefParseString(xml, 0))) + if (!(def = virNWFilterDefParseString(xml, flags))) goto cleanup; if (virNWFilterDefineXMLFlagsEnsureACL(conn, def) < 0) -- 2.31.1

Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- docs/manpages/virsh.rst | 5 ++++- tools/virsh-nwfilter.c | 13 ++++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst index 3eb310d02e..0326a7d015 100644 --- a/docs/manpages/virsh.rst +++ b/docs/manpages/virsh.rst @@ -7483,7 +7483,7 @@ nwfilter-define :: - nwfilter-define xmlfile + nwfilter-define xmlfile [--validate] Make a new network filter known to libvirt. If a network filter with the same name already exists, it will be replaced with the new XML. @@ -7492,6 +7492,9 @@ its network traffic rules adapted. If for any reason the network traffic filtering rules cannot be instantiated by any of the running virtual machines, then the new XML will be rejected. +Optionally, the format of the input XML file can be validated against an +internal RNG schema with *--validate*. + nwfilter-undefine ----------------- diff --git a/tools/virsh-nwfilter.c b/tools/virsh-nwfilter.c index f38f33798d..e062aa1649 100644 --- a/tools/virsh-nwfilter.c +++ b/tools/virsh-nwfilter.c @@ -81,6 +81,10 @@ static const vshCmdInfo info_nwfilter_define[] = { static const vshCmdOptDef opts_nwfilter_define[] = { VIRSH_COMMON_OPT_FILE(N_("file containing an XML network " "filter description")), + {.name = "validate", + .type = VSH_OT_BOOL, + .help = N_("validate the XML against the schema") + }, {.name = NULL} }; 
@@ -91,15 +95,22 @@ cmdNWFilterDefine(vshControl *ctl, const vshCmd *cmd) const char *from = NULL; bool ret = true; g_autofree char *buffer = NULL; + unsigned int flags = 0; virshControl *priv = ctl->privData; if (vshCommandOptStringReq(ctl, cmd, "file", &from) < 0) return false; + if (vshCommandOptBool(cmd, "validate")) + flags |= VIR_NWFILTER_DEFINE_VALIDATE; + if (virFileReadAll(from, VSH_MAX_XML_FILE, &buffer) < 0) return false; - nwfilter = virNWFilterDefineXML(priv->conn, buffer); + if (flags) + nwfilter = virNWFilterDefineXMLFlags(priv->conn, buffer, flags); + else + nwfilter = virNWFilterDefineXML(priv->conn, buffer); if (nwfilter != NULL) { vshPrintExtra(ctl, _("Network filter %s defined from %s\n"), -- 2.31.1
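Review bot: The `if (flags)` / `else` split in cmdNWFilterDefine calls the old virNWFilterDefineXML() when no option is given, presumably so that virsh keeps working against daemons that predate virNWFilterDefineXMLFlags(); that reasoning is not obvious from the code and deserves a comment, e.g. `/* use the old API when no flags are set so that older daemons keep working */`. The function's body continues past the end of the hunk.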

On 8/20/21 1:57 PM, Kristina Hanicova wrote:
Kristina Hanicova (6): api: add public virNWFilterDefineXMLFlags() and remote protocol nwfilter: add nwfilterDefineXMLFlags() api: add virNWFilterDefineFlags nwfilter_conf: add validation against schema in define nwfilter_driver: allow VIR_NWFILTER_DEFINE_VALIDATE flag virsh: add support for '--validate' option in define nwfilter
docs/manpages/virsh.rst | 5 +++- include/libvirt/libvirt-nwfilter.h | 7 +++++ src/conf/nwfilter_conf.c | 13 +++++---- src/conf/nwfilter_conf.h | 3 ++- src/driver-nwfilter.h | 6 +++++ src/libvirt-nwfilter.c | 43 ++++++++++++++++++++++++++++++ src/libvirt_public.syms | 5 ++++ src/nwfilter/nwfilter_driver.c | 21 ++++++++++++--- src/remote/remote_driver.c | 1 + src/remote/remote_protocol.x | 18 ++++++++++++- src/remote_protocol-structs | 8 ++++++ tools/virsh-nwfilter.c | 13 ++++++++- 12 files changed, 130 insertions(+), 13 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Michal