This patch adds support for the RARP protocol. This may be needed due to qemu sending out a RARP packet (at least that's what it seems to want to do even though the protocol id is wrong) when migration finishes and we'd need a rule to let the packets pass. Unfortunately my installation of ebtables does not understand -p RARP and also seems to otherwise depend on strings in /etc/ethertype translated to protocol identifiers. Therefore I need to pass -p 0x8035 for RARP. To generally get rid of the dependency of that file I switch all so far supported protocols to use their protocol identifier in the -p parameter rather than the string. I am also extending the schema and added a test case. changes from v1 to v2: - added test case into patch Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com&gt; --- docs/schemas/nwfilter.rng | 9 ++ src/conf/nwfilter_conf.c | 29 ++----- src/conf/nwfilter_conf.h | 22 +++++- src/nwfilter/nwfilter_ebiptables_driver.c | 109 ++++++++++++++++++------------ tests/nwfilterxml2xmlin/rarp-test.xml | 33 +++++++++ tests/nwfilterxml2xmlout/rarp-test.xml | 18 ++++ tests/nwfilterxml2xmltest.c | 1 7 files changed, 158 insertions(+), 63 deletions(-) Index: libvirt-acl/docs/schemas/nwfilter.rng =================================================================== --- libvirt-acl.orig/docs/schemas/nwfilter.rng +++ libvirt-acl/docs/schemas/nwfilter.rng @@ -39,6 +39,15 @@ </optional> <optional> <zeroOrMore> + <element name="rarp"> + <ref name="match-attribute"/> + <ref name="common-l2-attributes"/> + <ref name="arp-attributes"/> <!-- same as arp --> + </element> + </zeroOrMore> + </optional> + <optional> + <zeroOrMore> <element name="ip"> <ref name="match-attribute"/> <ref name="common-l2-attributes"/> Index: libvirt-acl/src/conf/nwfilter_conf.c =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.c +++ libvirt-acl/src/conf/nwfilter_conf.c @@ -46,22 +46,6 @@ #include "domain_conf.h" -/* XXX - * The config parser/structs should not be using platform specific - * constants. Win32 lacks these constants, breaking the parser, - * so temporarily define them until this can be re-written to use - * locally defined enums for all constants - */ -#ifndef ETHERTYPE_IP -# define ETHERTYPE_IP 0x0800 -#endif -#ifndef ETHERTYPE_ARP -# define ETHERTYPE_ARP 0x0806 -#endif -#ifndef ETHERTYPE_IPV6 -# define ETHERTYPE_IPV6 0x86dd -#endif - #define VIR_FROM_THIS VIR_FROM_NWFILTER @@ -90,6 +74,7 @@ VIR_ENUM_IMPL(virNWFilterEbtablesTable, VIR_ENUM_IMPL(virNWFilterChainSuffix, VIR_NWFILTER_CHAINSUFFIX_LAST, "root", "arp", + "rarp", "ipv4", "ipv6"); @@ -97,6 +82,7 @@ VIR_ENUM_IMPL(virNWFilterRuleProtocol, V "none", "mac", "arp", + "rarp", "ip", "ipv6", "tcp", @@ -412,11 +398,10 @@ struct _virXMLAttr2Struct static const struct int_map macProtoMap[] = { - INTMAP_ENTRY(ETHERTYPE_ARP , "arp"), - INTMAP_ENTRY(ETHERTYPE_IP , "ipv4"), -#ifdef ETHERTYPE_IPV6 - INTMAP_ENTRY(ETHERTYPE_IPV6, "ipv6"), -#endif + INTMAP_ENTRY(ETHERTYPE_ARP , "arp"), + INTMAP_ENTRY(ETHERTYPE_REVARP, "rarp"), + INTMAP_ENTRY(ETHERTYPE_IP , "ipv4"), + INTMAP_ENTRY(ETHERTYPE_IPV6 , "ipv6"), INTMAP_ENTRY_LAST }; @@ -1096,6 +1081,7 @@ struct _virAttributes { static const virAttributes virAttr[] = { PROTOCOL_ENTRY("arp" , arpAttributes , VIR_NWFILTER_RULE_PROTOCOL_ARP), + PROTOCOL_ENTRY("rarp" , arpAttributes , VIR_NWFILTER_RULE_PROTOCOL_RARP), PROTOCOL_ENTRY("mac" , macAttributes , VIR_NWFILTER_RULE_PROTOCOL_MAC), PROTOCOL_ENTRY("ip" , ipAttributes , VIR_NWFILTER_RULE_PROTOCOL_IP), PROTOCOL_ENTRY("ipv6" , ipv6Attributes , VIR_NWFILTER_RULE_PROTOCOL_IPV6), @@ -1450,6 +1436,7 @@ virNWFilterRuleDefFixup(virNWFilterRuleD break; case VIR_NWFILTER_RULE_PROTOCOL_ARP: + case VIR_NWFILTER_RULE_PROTOCOL_RARP: case VIR_NWFILTER_RULE_PROTOCOL_NONE: break; Index: libvirt-acl/src/conf/nwfilter_conf.h =================================================================== --- libvirt-acl.orig/src/conf/nwfilter_conf.h +++ libvirt-acl/src/conf/nwfilter_conf.h @@ -35,6 +35,24 @@ # include "xml.h" # include "network.h" +/* XXX + * The config parser/structs should not be using platform specific + * constants. Win32 lacks these constants, breaking the parser, + * so temporarily define them until this can be re-written to use + * locally defined enums for all constants + */ +# ifndef ETHERTYPE_IP +# define ETHERTYPE_IP 0x0800 +# endif +# ifndef ETHERTYPE_ARP +# define ETHERTYPE_ARP 0x0806 +# endif +# ifndef ETHERTYPE_REVARP +# define ETHERTYPE_REVARP 0x8035 +# endif +# ifndef ETHERTYPE_IPV6 +# define ETHERTYPE_IPV6 0x86dd +# endif /** * Chain suffix size is: @@ -292,6 +310,7 @@ enum virNWFilterRuleProtocolType { VIR_NWFILTER_RULE_PROTOCOL_NONE = 0, VIR_NWFILTER_RULE_PROTOCOL_MAC, VIR_NWFILTER_RULE_PROTOCOL_ARP, + VIR_NWFILTER_RULE_PROTOCOL_RARP, VIR_NWFILTER_RULE_PROTOCOL_IP, VIR_NWFILTER_RULE_PROTOCOL_IPV6, VIR_NWFILTER_RULE_PROTOCOL_TCP, @@ -336,7 +355,7 @@ struct _virNWFilterRuleDef { enum virNWFilterRuleProtocolType prtclType; union { ethHdrFilterDef ethHdrFilter; - arpHdrFilterDef arpHdrFilter; + arpHdrFilterDef arpHdrFilter; /* also used for rarp */ ipHdrFilterDef ipHdrFilter; ipv6HdrFilterDef ipv6HdrFilter; tcpHdrFilterDef tcpHdrFilter; @@ -373,6 +392,7 @@ struct _virNWFilterEntry { enum virNWFilterChainSuffixType { VIR_NWFILTER_CHAINSUFFIX_ROOT = 0, VIR_NWFILTER_CHAINSUFFIX_ARP, + VIR_NWFILTER_CHAINSUFFIX_RARP, VIR_NWFILTER_CHAINSUFFIX_IPv4, VIR_NWFILTER_CHAINSUFFIX_IPv6, Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c =================================================================== --- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c +++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c @@ -32,6 +32,7 @@ #include "logging.h" #include "virterror_internal.h" #include "domain_conf.h" +#include "nwfilter_conf.h" #include "nwfilter_gentech_driver.h" #include "nwfilter_ebiptables_driver.h" @@ -103,11 +104,28 @@ static int ebiptablesDriverInit(void); static void ebiptablesDriverShutdown(void); -static const char *supported_protocols[] = { - "ipv4", - "ipv6", - "arp", - NULL, +struct ushort_map { + unsigned short attr; + const char *val; +}; + + +enum l3_proto_idx { + L3_PROTO_IPV4_IDX = 0, + L3_PROTO_IPV6_IDX, + L3_PROTO_ARP_IDX, + L3_PROTO_RARP_IDX, + L3_PROTO_LAST_IDX +}; + +#define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL) [IDX] = { .attr = ATT, .val = VAL } + +static const struct ushort_map l3_protocols[] = { + USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP , "ipv4"), + USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6 , "ipv6"), + USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX , ETHERTYPE_ARP , "arp"), + USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"), + USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0 , NULL), }; @@ -1611,6 +1629,7 @@ ebtablesCreateRuleInstance(char chainPre break; case VIR_NWFILTER_RULE_PROTOCOL_ARP: + case VIR_NWFILTER_RULE_PROTOCOL_RARP: virBufferVSprintf(&buf, CMD_DEF_PRE "%s -t %s -%%c %s %%s", @@ -1622,7 +1641,10 @@ ebtablesCreateRuleInstance(char chainPre reverse)) goto err_exit; - virBufferAddLit(&buf, " -p arp"); + virBufferVSprintf(&buf, " -p 0x%x", + (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP) + ? l3_protocols[L3_PROTO_ARP_IDX].attr + : l3_protocols[L3_PROTO_RARP_IDX].attr); if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) { if (printDataType(vars, @@ -2036,6 +2058,7 @@ ebiptablesCreateRuleInstance(virConnectP case VIR_NWFILTER_RULE_PROTOCOL_IP: case VIR_NWFILTER_RULE_PROTOCOL_MAC: case VIR_NWFILTER_RULE_PROTOCOL_ARP: + case VIR_NWFILTER_RULE_PROTOCOL_RARP: case VIR_NWFILTER_RULE_PROTOCOL_NONE: case VIR_NWFILTER_RULE_PROTOCOL_IPV6: @@ -2427,7 +2450,7 @@ static int ebtablesCreateTmpSubChain(virBufferPtr buf, int incoming, const char *ifname, - const char *protocol, + enum l3_proto_idx protoidx, int stopOnError) { char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH]; @@ -2435,13 +2458,13 @@ ebtablesCreateTmpSubChain(virBufferPtr b : CHAINPREFIX_HOST_OUT_TEMP; PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname); - PRINT_CHAIN(chain, chainPrefix, ifname, protocol); + PRINT_CHAIN(chain, chainPrefix, ifname, l3_protocols[protoidx].val); virBufferVSprintf(buf, CMD_DEF("%s -t %s -N %s") CMD_SEPARATOR CMD_EXEC "%s" - CMD_DEF("%s -t %s -A %s -p %s -j %s") CMD_SEPARATOR + CMD_DEF("%s -t %s -A %s -p 0x%x -j %s") CMD_SEPARATOR CMD_EXEC "%s", @@ -2450,7 +2473,7 @@ ebtablesCreateTmpSubChain(virBufferPtr b CMD_STOPONERR(stopOnError), ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, - rootchain, protocol, chain, + rootchain, l3_protocols[protoidx].attr, chain, CMD_STOPONERR(stopOnError)); @@ -2462,11 +2485,12 @@ static int _ebtablesRemoveSubChain(virBufferPtr buf, int incoming, const char *ifname, - const char *protocol, + enum l3_proto_idx protoidx, int isTempChain) { char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH]; char chainPrefix; + if (isTempChain) { chainPrefix =(incoming) ? CHAINPREFIX_HOST_IN_TEMP : CHAINPREFIX_HOST_OUT_TEMP; @@ -2476,14 +2500,14 @@ _ebtablesRemoveSubChain(virBufferPtr buf } PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname); - PRINT_CHAIN(chain, chainPrefix, ifname, protocol); + PRINT_CHAIN(chain, chainPrefix, ifname, l3_protocols[protoidx].val); virBufferVSprintf(buf, - "%s -t %s -D %s -p %s -j %s" CMD_SEPARATOR + "%s -t %s -D %s -p 0x%x -j %s" CMD_SEPARATOR "%s -t %s -F %s" CMD_SEPARATOR "%s -t %s -X %s" CMD_SEPARATOR, ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, - rootchain, protocol, chain, + rootchain, l3_protocols[protoidx].attr, chain, ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain, @@ -2497,10 +2521,10 @@ static int ebtablesRemoveSubChain(virBufferPtr buf, int incoming, const char *ifname, - const char *protocol) + enum l3_proto_idx protoidx) { return _ebtablesRemoveSubChain(buf, - incoming, ifname, protocol, 0); + incoming, ifname, protoidx, 0); } @@ -2508,10 +2532,11 @@ static int ebtablesRemoveSubChains(virBufferPtr buf, const char *ifname) { - int i; - for (i = 0; supported_protocols[i]; i++) { - ebtablesRemoveSubChain(buf, 1, ifname, supported_protocols[i]); - ebtablesRemoveSubChain(buf, 0, ifname, supported_protocols[i]); + enum l3_proto_idx i; + + for (i = 0; i < L3_PROTO_LAST_IDX; i++) { + ebtablesRemoveSubChain(buf, 1, ifname, i); + ebtablesRemoveSubChain(buf, 0, ifname, i); } return 0; @@ -2522,10 +2547,10 @@ static int ebtablesRemoveTmpSubChain(virBufferPtr buf, int incoming, const char *ifname, - const char *protocol) + enum l3_proto_idx protoidx) { return _ebtablesRemoveSubChain(buf, - incoming, ifname, protocol, 1); + incoming, ifname, protoidx, 1); } @@ -2533,12 +2558,11 @@ static int ebtablesRemoveTmpSubChains(virBufferPtr buf, const char *ifname) { - int i; - for (i = 0; supported_protocols[i]; i++) { - ebtablesRemoveTmpSubChain(buf, 1, ifname, - supported_protocols[i]); - ebtablesRemoveTmpSubChain(buf, 0, ifname, - supported_protocols[i]); + enum l3_proto_idx i; + + for (i = 0; i < L3_PROTO_LAST_IDX; i++) { + ebtablesRemoveTmpSubChain(buf, 1, ifname, i); + ebtablesRemoveTmpSubChain(buf, 0, ifname, i); } return 0; @@ -2576,12 +2600,11 @@ static int ebtablesRenameTmpSubChains(virBufferPtr buf, const char *ifname) { - int i; - for (i = 0; supported_protocols[i]; i++) { - ebtablesRenameTmpSubChain (buf, 1, ifname, - supported_protocols[i]); - ebtablesRenameTmpSubChain (buf, 0, ifname, - supported_protocols[i]); + enum l3_proto_idx i; + + for (i = 0; i < L3_PROTO_LAST_IDX; i++) { + ebtablesRenameTmpSubChain (buf, 1, ifname, l3_protocols[i].val); + ebtablesRenameTmpSubChain (buf, 0, ifname, l3_protocols[i].val); } return 0; @@ -2911,20 +2934,24 @@ ebiptablesApplyNewRules(virConnectPtr co ebtablesCreateTmpRootChain(&buf, 0, ifname, 1); if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4)) - ebtablesCreateTmpSubChain(&buf, 1, ifname, "ipv4", 1); + ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_IPV4_IDX, 1); if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv4)) - ebtablesCreateTmpSubChain(&buf, 0, ifname, "ipv4", 1); + ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_IPV4_IDX, 1); if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv6)) - ebtablesCreateTmpSubChain(&buf, 1, ifname, "ipv6", 1); + ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_IPV6_IDX, 1); if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_IPv6)) - ebtablesCreateTmpSubChain(&buf, 0, ifname, "ipv6", 1); + ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_IPV6_IDX, 1); - // keep arp as last + // keep arp,rarp as last if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP)) - ebtablesCreateTmpSubChain(&buf, 1, ifname, "arp", 1); + ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_ARP_IDX, 1); if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_ARP)) - ebtablesCreateTmpSubChain(&buf, 0, ifname, "arp", 1); + ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_ARP_IDX, 1); + if (chains_in & (1 << VIR_NWFILTER_CHAINSUFFIX_RARP)) + ebtablesCreateTmpSubChain(&buf, 1, ifname, L3_PROTO_RARP_IDX, 1); + if (chains_out & (1 << VIR_NWFILTER_CHAINSUFFIX_RARP)) + ebtablesCreateTmpSubChain(&buf, 0, ifname, L3_PROTO_RARP_IDX, 1); if (ebiptablesExecCLI(&buf, &cli_status) || cli_status != 0) goto tear_down_tmpebchains; Index: libvirt-acl/tests/nwfilterxml2xmlin/rarp-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlin/rarp-test.xml @@ -0,0 +1,33 @@ +<filter name='testcase'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + protocolid='rarp' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' + hwtype='12' + protocoltype='34' + opcode='Request' + arpsrcmacaddr='1:2:3:4:5:6' + arpdstmacaddr='a:b:c:d:e:f'/> + </rule> + + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + opcode='1' hwtype='255' protocoltype='255'/> + </rule> + + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + opcode='11' hwtype='256' protocoltype='256'/> + </rule> + + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + opcode='65535' hwtype='65535' protocoltype='65535' /> + </rule> + + <rule action='accept' direction='out'> + <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + opcode='65536' hwtype='65536' protocoltype='65536' /> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmlout/rarp-test.xml =================================================================== --- /dev/null +++ libvirt-acl/tests/nwfilterxml2xmlout/rarp-test.xml @@ -0,0 +1,18 @@ +<filter name='testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' hwtype='12' protocoltype='34' opcode='Request' arpsrcmacaddr='01:02:03:04:05:06' arpdstmacaddr='0a:0b:0c:0d:0e:0f'/> + </rule> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' hwtype='255' protocoltype='255' opcode='Request'/> + </rule> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' hwtype='256' protocoltype='256' opcode='11'/> + </rule> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff' hwtype='65535' protocoltype='65535' opcode='65535'/> + </rule> + <rule action='accept' direction='out' priority='500'> + <rarp srcmacaddr='01:02:03:04:05:06' srcmacmask='ff:ff:ff:ff:ff:ff'/> + </rule> +</filter> Index: libvirt-acl/tests/nwfilterxml2xmltest.c =================================================================== --- libvirt-acl.orig/tests/nwfilterxml2xmltest.c +++ libvirt-acl/tests/nwfilterxml2xmltest.c @@ -90,6 +90,7 @@ mymain(int argc, char **argv) DO_TEST("mac-test"); DO_TEST("arp-test"); + DO_TEST("rarp-test"); DO_TEST("ip-test"); DO_TEST("ipv6-test");