Core driver implementation with ebtables support

This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: N Stefan Berger <stefanb@us.ibm.com>

Core driver implementation with ebtables support
This patch implements the core driver and provides - management functionality for managing the filter XMLs - compiling the internal filter representation into ebtables rules - applying ebtables rules on a network (tap,macvtap) interface - tearing down ebtables rules that were applied on behalf of an interface - updating of filters while VMs are running and causing the firewalls to be rebuilt - other bits and pieces Signed-off-by: N Stefan Berger <stefanb@us.ibm.com>
065b6571 · Stefan Berger · Daniel P. Berrange · e4e20423 · 065b6571 · 065b6571
15 changed file
--- a/configure.ac
+++ b/configure.ac
@@ -294,6 +294,9 @@ if test x"$with_rhel5_api" = x"yes"; then
   AC_DEFINE([WITH_RHEL5_API], [1], [whether building for the RHEL-5 API])
 fi
+AC_PATH_PROG([BASH_PATH], [bash], /bin/bash, [/bin:$PATH])
+AC_DEFINE_UNQUOTED([BASH_PATH], "$BASH_PATH", [path to bash binary])
 AC_PATH_PROG([IPTABLES_PATH], [iptables], /sbin/iptables, [/usr/sbin:$PATH])
 AC_DEFINE_UNQUOTED([IPTABLES_PATH], "$IPTABLES_PATH", [path to iptables binary])
@@ -1268,6 +1271,15 @@ if test "$with_secrets" = "yes" ; then
 fi
 AM_CONDITIONAL([WITH_SECRETS], [test "$with_secrets" = "yes"])
+with_nwfilter=yes
+if test "$with_libvirtd" = "no"; then
+  with_nwfilter=no
+fi
+if test "$with_nwfilter" = "yes" ; then
+  AC_DEFINE([WITH_NWFILTER], 1, [whether local network filter management driver is available])
+fi
+AM_CONDITIONAL([WITH_NWFILTER], [test "$with_nwfilter" = "yes"])
 AC_ARG_WITH([storage-fs],
  AC_HELP_STRING([--with-storage-fs], [with FileSystem backend for the storage driver @<:@default=check@:>@]),[],[with_storage_fs=check])

--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -116,6 +116,10 @@ endif
 if WITH_SECRETS
    libvirtd_LDADD += ../src/libvirt_driver_secret.la
 endif
+if WITH_NWFILTER
+    libvirtd_LDADD += ../src/libvirt_driver_nwfilter.la
+endif
 endif
 libvirtd_LDADD += ../src/libvirt.la

--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -96,6 +96,9 @@
 # ifdef WITH_SECRETS
 #  include "secret/secret_driver.h"
 # endif
+# ifdef WITH_NWFILTER
+#  include "nwfilter/nwfilter_driver.h"
+# endif
 #endif
@@ -876,6 +879,7 @@ static struct qemud_server *qemudInitialize(void) {
    virDriverLoadModule("lxc");
    virDriverLoadModule("uml");
    virDriverLoadModule("one");
+    virDriverLoadModule("nwfilter");
 #else
 # ifdef WITH_NETWORK
    networkRegister();
@@ -892,6 +896,9 @@ static struct qemud_server *qemudInitialize(void) {
 # ifdef WITH_SECRETS
    secretRegister();
 # endif
+# ifdef WITH_NWFILTER
+    nwfilterRegister();
+# endif
 # ifdef WITH_QEMU
    qemuRegister();
 # endif

--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -28,6 +28,9 @@ src/node_device/node_device_driver.c
 src/node_device/node_device_linux_sysfs.c
 src/node_device/node_device_udev.c
 src/nodeinfo.c
+src/nwfilter/nwfilter_driver.c
+src/nwfilter/nwfilter_ebiptables_driver.c
+src/nwfilter/nwfilter_gentech_driver.c
 src/opennebula/one_conf.c
 src/opennebula/one_driver.c
 src/openvz/openvz_conf.c

--- a/python/generator.py
+++ b/python/generator.py
@@ -175,6 +175,7 @@ skipped_types = {
     'virConnectDomainEventIOErrorCallback': "No function types in python",
     'virConnectDomainEventGraphicsCallback': "No function types in python",
     'virEventAddHandleFunc': "No function types in python",
+     'virNWFilterPtr': "No function types in python",
 }
 #######################################################################
@@ -273,6 +274,7 @@ skip_impl = (
    'virConnectListStorageVols',
    'virConnectListDefinedStorageVols',
    'virConnectListDefinedInterfaces',
+    'virConnectListNWFilters',
    'virConnGetLastError',
    'virGetLastError',
    'virDomainGetInfo',

--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -284,6 +284,11 @@ STORAGE_DRIVER_DISK_SOURCES =					\
 STORAGE_HELPER_DISK_SOURCES =					\
 		storage/parthelper.c
+# Network filters
+NWFILTER_DRIVER_SOURCES =					\
+		nwfilter/nwfilter_driver.h nwfilter/nwfilter_driver.c	\
+		nwfilter/nwfilter_gentech_driver.c 			\
+		nwfilter/nwfilter_ebiptables_driver.c
 # Security framework and drivers for various models
 SECURITY_DRIVER_SOURCES =					\
@@ -727,6 +732,22 @@ endif
 endif
+if WITH_NWFILTER
+if WITH_DRIVER_MODULES
+mod_LTLIBRARIES += libvirt_driver_nwfilter.la
+else
+libvirt_la_LIBADD += libvirt_driver_nwfilter.la
+noinst_LTLIBRARIES += libvirt_driver_nwfilter.la
+endif
+libvirt_driver_nwfilter_la_CFLAGS = \
+		-I@top_srcdir@/src/conf
+if WITH_DRIVER_MODULES
+libvirt_driver_nwfilter_la_LDFLAGS = -module -avoid-version ../gnulib/lib/libgnu.la
+endif
+libvirt_driver_nwfilter_la_SOURCES = $(NWFILTER_DRIVER_SOURCES)
+endif
 libvirt_driver_security_la_SOURCES = $(SECURITY_DRIVER_SOURCES)
 noinst_LTLIBRARIES += libvirt_driver_security.la
 libvirt_la_LIBADD += libvirt_driver_security.la

--- a/src/conf/nwfilter_conf.c
+++ b/src/conf/nwfilter_conf.c
@@ -39,6 +39,7 @@
 #include "nwfilter_params.h"
 #include "nwfilter_conf.h"
 #include "domain_conf.h"
+#include "nwfilter/nwfilter_gentech_driver.h"
 #define VIR_FROM_THIS VIR_FROM_NWFILTER
@@ -1605,10 +1606,42 @@ struct cbStruct {
 };
 static void
-virNWFilterDomainFWUpdateCB(void *payload ATTRIBUTE_UNUSED,
+virNWFilterDomainFWUpdateCB(void *payload,
                            const char *name ATTRIBUTE_UNUSED,
-                            void *data ATTRIBUTE_UNUSED)
+                            void *data)
 {
+    virDomainObjPtr obj = payload;
+    virDomainDefPtr vm = obj->def;
+    struct cbStruct *cb = data;
+    int i;
+    virDomainObjLock(obj);
+    if (virDomainObjIsActive(obj)) {
+        for (i = 0; i < vm->nnets; i++) {
+            virDomainNetDefPtr net = vm->nets[i];
+            if ((net->filter) && (net->ifname)) {
+                switch (cb->step) {
+                case STEP_APPLY_NEW:
+                    cb->err = virNWFilterUpdateInstantiateFilter(cb->conn,
+                                                                 net);
+                    break;
+                case STEP_TEAR_NEW:
+                    cb->err = virNWFilterRollbackUpdateFilter(cb->conn, net);
+                    break;
+                case STEP_TEAR_OLD:
+                    cb->err = virNWFilterTearOldFilter(cb->conn, net);
+                    break;
+                }
+                if (cb->err)
+                    break;
+            }
+        }
+    }
+    virDomainObjUnlock(obj);
 }

--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -449,6 +449,42 @@ virNodeDeviceGetWWNs;
 virNodeDeviceGetParentHost;
+# nwfilter_conf.h
+virNWFilterPoolLoadAllConfigs;
+virNWFilterPoolObjAssignDef;
+virNWFilterPoolObjSaveDef;
+virNWFilterPoolObjFindByName;
+virNWFilterPoolObjFindByUUID;
+virNWFilterPoolObjLock;
+virNWFilterPoolObjUnlock;
+virNWFilterPoolObjRemove;
+virNWFilterDefFree;
+virNWFilterDefParseString;
+virNWFilterPoolObjDeleteDef;
+virNWFilterPoolObjListFree;
+virNWFilterDefFormat;
+virNWFilterChainSuffixTypeToString;
+virNWFilterRuleActionTypeToString;
+virNWFilterJumpTargetTypeToString;
+virNWFilterRegisterCallbackDriver;
+virNWFilterTestUnassignDef;
+virNWFilterConfLayerInit;
+virNWFilterConfLayerShutdown;
+#nwfilter_params.h
+virNWFilterHashTableCreate;
+virNWFilterHashTableFree;
+virNWFilterHashTablePut;
+virNWFilterHashTablePutAll;
+virNWFilterHashTableRemoveEntry;
+# nwfilter_gentech_driver.h
+virNWFilterInstantiateFilter;
+virNWFilterTeardownFilter;
 # pci.h
 pciGetDevice;
 pciFreeDevice;

--- a/src/libvirt_public.syms
+++ b/src/libvirt_public.syms
@@ -380,4 +380,5 @@ LIBVIRT_0.7.8 {
 	virNWFilterUndefine;
 } LIBVIRT_0.7.7;
 # .... define new API here using predicted next version number ....
--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
+/*
+ * nwfilter_driver.c: core driver for network filter APIs
+ *                    (based on storage_driver.c)
+ *
+ * Copyright (C) 2006-2009 Red Hat, Inc.
+ * Copyright (C) 2006-2008 Daniel P. Berrange
+ * Copyright (C) 2010 IBM Corporation
+ * Copyright (C) 2010 Stefan Berger
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ *
+ * Author: Daniel P. Berrange <berrange@redhat.com>
+ *         Stefan Berger <stefanb@us.ibm.com>
+ */
+#include <config.h>
+#include "internal.h"
+#include "virterror_internal.h"
+#include "datatypes.h"
+#include "memory.h"
+#include "domain_conf.h"
+#include "nwfilter_driver.h"
+#define VIR_FROM_THIS VIR_FROM_NWFILTER
+#define nwfilterLog(msg...) fprintf(stderr, msg)
+static virNWFilterDriverStatePtr driverState;
+static int nwfilterDriverShutdown(void);
+static void nwfilterDriverLock(virNWFilterDriverStatePtr driver)
+{
+    virMutexLock(&driver->lock);
+}
+static void nwfilterDriverUnlock(virNWFilterDriverStatePtr driver)
+{
+    virMutexUnlock(&driver->lock);
+}
+/**
+ * virNWFilterStartup:
+ *
+ * Initialization function for the QEmu daemon
+ */
+static int
+nwfilterDriverStartup(int privileged) {
+    char *base = NULL;
+    if (virNWFilterConfLayerInit() < 0)
+        return -1;
+    if (VIR_ALLOC(driverState) < 0)
+        goto alloc_err_exit;
+    if (virMutexInit(&driverState->lock) < 0)
+        goto alloc_err_exit;
+    nwfilterDriverLock(driverState);
+    if (privileged) {
+        if ((base = strdup (SYSCONF_DIR "/libvirt")) == NULL)
+            goto out_of_memory;
+    } else {
+        uid_t uid = geteuid();
+        char *userdir = virGetUserDirectory(uid);
+        if (!userdir)
+            goto error;
+        if (virAsprintf(&base, "%s/.libvirt", userdir) == -1) {
+            nwfilterLog("out of memory in virAsprintf");
+            VIR_FREE(userdir);
+            goto out_of_memory;
+        }
+        VIR_FREE(userdir);
+    }
+    if (virAsprintf(&driverState->configDir,
+                    "%s/nwfilter", base) == -1)
+        goto out_of_memory;
+    VIR_FREE(base);
+    if (virNWFilterPoolLoadAllConfigs(NULL,
+                                      &driverState->pools,
+                                      driverState->configDir) < 0)
+        goto error;
+    nwfilterDriverUnlock(driverState);
+    return 0;
+out_of_memory:
+    nwfilterLog("virNWFilterStartup: out of memory");
+error:
+    VIR_FREE(base);
+    nwfilterDriverUnlock(driverState);
+    nwfilterDriverShutdown();
+alloc_err_exit:
+    virNWFilterConfLayerShutdown();
+    return -1;
+}
+/**
+ * virNWFilterReload:
+ *
+ * Function to restart the nwfilter driver, it will recheck the configuration
+ * files and update its state
+ */
+static int
+nwfilterDriverReload(void) {
+    if (!driverState) {
+        return -1;
+    }
+    nwfilterDriverLock(driverState);
+    virNWFilterPoolLoadAllConfigs(NULL,
+                                  &driverState->pools,
+                                  driverState->configDir);
+    nwfilterDriverUnlock(driverState);
+    return 0;
+}
+/**
+ * virNWFilterActive:
+ *
+ * Checks if the nwfilter driver is active, i.e. has an active pool
+ *
+ * Returns 1 if active, 0 otherwise
+ */
+static int
+nwfilterDriverActive(void) {
+    if (!driverState->pools.count)
+        return 0;
+    return 1;
+}
+/**
+ * virNWFilterShutdown:
+ *
+ * Shutdown the nwfilter driver, it will stop all active nwfilter pools
+ */
+static int
+nwfilterDriverShutdown(void) {
+    if (!driverState)
+        return -1;
+    nwfilterDriverLock(driverState);
+    /* free inactive pools */
+    virNWFilterPoolObjListFree(&driverState->pools);
+    VIR_FREE(driverState->configDir);
+    nwfilterDriverUnlock(driverState);
+    virMutexDestroy(&driverState->lock);
+    VIR_FREE(driverState);
+    return 0;
+}
+static virNWFilterPtr
+nwfilterLookupByUUID(virConnectPtr conn,
+                     const unsigned char *uuid) {
+    virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
+    virNWFilterPoolObjPtr pool;
+    virNWFilterPtr ret = NULL;
+    nwfilterDriverLock(driver);
+    pool = virNWFilterPoolObjFindByUUID(&driver->pools, uuid);
+    nwfilterDriverUnlock(driver);
+    if (!pool) {
+        virNWFilterReportError(conn, VIR_ERR_NO_NWFILTER,
+                              "%s", _("no pool with matching uuid"));
+        goto cleanup;
+    }
+    ret = virGetNWFilter(conn, pool->def->name, pool->def->uuid);
+cleanup:
+    if (pool)
+        virNWFilterPoolObjUnlock(pool);
+    return ret;
+}
+static virNWFilterPtr
+nwfilterLookupByName(virConnectPtr conn,
+                     const char *name) {
+    virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
+    virNWFilterPoolObjPtr pool;
+    virNWFilterPtr ret = NULL;
+    nwfilterDriverLock(driver);
+    pool = virNWFilterPoolObjFindByName(&driver->pools, name);
+    nwfilterDriverUnlock(driver);
+    if (!pool) {
+        virNWFilterReportError(conn, VIR_ERR_NO_NWFILTER,
+                              _("no pool with matching name '%s'"), name);
+        goto cleanup;
+    }
+    ret = virGetNWFilter(conn, pool->def->name, pool->def->uuid);
+cleanup:
+    if (pool)
+        virNWFilterPoolObjUnlock(pool);
+    return ret;
+}
+static virDrvOpenStatus
+nwfilterOpen(virConnectPtr conn,
+            virConnectAuthPtr auth ATTRIBUTE_UNUSED,
+            int flags ATTRIBUTE_UNUSED) {
+    if (!driverState)
+        return VIR_DRV_OPEN_DECLINED;
+    conn->nwfilterPrivateData = driverState;
+    return VIR_DRV_OPEN_SUCCESS;
+}
+static int
+nwfilterClose(virConnectPtr conn) {
+    conn->nwfilterPrivateData = NULL;
+    return 0;
+}
+static int
+nwfilterNumNWFilters(virConnectPtr conn) {
+    virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
+    return driver->pools.count;
+}
+static int
+nwfilterListNWFilters(virConnectPtr conn,
+                      char **const names,
+                      int nnames) {
+    virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
+    int got = 0, i;
+    nwfilterDriverLock(driver);
+    for (i = 0 ; i < driver->pools.count && got < nnames ; i++) {
+        virNWFilterPoolObjLock(driver->pools.objs[i]);
+        if (!(names[got] = strdup(driver->pools.objs[i]->def->name))) {
+             virNWFilterPoolObjUnlock(driver->pools.objs[i]);
+             virReportOOMError();
+             goto cleanup;
+        }
+        got++;
+        virNWFilterPoolObjUnlock(driver->pools.objs[i]);
+    }
+    nwfilterDriverUnlock(driver);
+    return got;
+ cleanup:
+    nwfilterDriverUnlock(driver);
+    for (i = 0 ; i < got ; i++)
+        VIR_FREE(names[i]);
+    memset(names, 0, nnames * sizeof(*names));
+    return -1;
+}
+static virNWFilterPtr
+nwfilterDefine(virConnectPtr conn,
+               const char *xml,
+               unsigned int flags ATTRIBUTE_UNUSED) {
+    virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
+    virNWFilterDefPtr def;
+    virNWFilterPoolObjPtr pool = NULL;
+    virNWFilterPtr ret = NULL;
+    nwfilterDriverLock(driver);
+    if (!(def = virNWFilterDefParseString(conn, xml)))
+        goto cleanup;
+    if (!(pool = virNWFilterPoolObjAssignDef(conn, &driver->pools, def)))
+        goto cleanup;
+    if (virNWFilterPoolObjSaveDef(conn, driver, pool, def) < 0) {
+        virNWFilterPoolObjRemove(&driver->pools, pool);
+        def = NULL;
+        goto cleanup;
+    }
+    def = NULL;
+    ret = virGetNWFilter(conn, pool->def->name, pool->def->uuid);
+cleanup:
+    virNWFilterDefFree(def);
+    if (pool)
+        virNWFilterPoolObjUnlock(pool);
+    nwfilterDriverUnlock(driver);
+    return ret;
+}
+static int
+nwfilterUndefine(virNWFilterPtr obj) {
+    virNWFilterDriverStatePtr driver = obj->conn->nwfilterPrivateData;
+    virNWFilterPoolObjPtr pool;
+    int ret = -1;
+    nwfilterDriverLock(driver);
+    pool = virNWFilterPoolObjFindByUUID(&driver->pools, obj->uuid);
+    if (!pool) {
+        virNWFilterReportError(obj->conn, VIR_ERR_INVALID_NWFILTER,
+                              "%s", _("no nwfilter pool with matching uuid"));
+        goto cleanup;
+    }
+    if (virNWFilterTestUnassignDef(obj->conn, pool)) {
+        virNWFilterReportError(obj->conn, VIR_ERR_INVALID_NWFILTER,
+                               "%s",
+                               _("nwfilter is in use"));
+        goto cleanup;
+    }
+    if (virNWFilterPoolObjDeleteDef(obj->conn, pool) < 0)
+        goto cleanup;
+    VIR_FREE(pool->configFile);
+    virNWFilterPoolObjRemove(&driver->pools, pool);
+    pool = NULL;
+    ret = 0;
+cleanup:
+    if (pool)
+        virNWFilterPoolObjUnlock(pool);
+    nwfilterDriverUnlock(driver);
+    return ret;
+}
+static char *
+nwfilterDumpXML(virNWFilterPtr obj,
+                unsigned int flags ATTRIBUTE_UNUSED) {
+    virNWFilterDriverStatePtr driver = obj->conn->nwfilterPrivateData;
+    virNWFilterPoolObjPtr pool;
+    char *ret = NULL;
+    nwfilterDriverLock(driver);
+    pool = virNWFilterPoolObjFindByUUID(&driver->pools, obj->uuid);
+    nwfilterDriverUnlock(driver);
+    if (!pool) {
+        virNWFilterReportError(obj->conn, VIR_ERR_INVALID_NWFILTER,
+                              "%s", _("no nwfilter pool with matching uuid"));
+        goto cleanup;
+    }
+    ret = virNWFilterDefFormat(obj->conn, pool->def);
+cleanup:
+    if (pool)
+        virNWFilterPoolObjUnlock(pool);
+    return ret;
+}
+static virNWFilterDriver nwfilterDriver = {
+    .name = "nwfilter",
+    .open = nwfilterOpen,
+    .close = nwfilterClose,
+    .numOfNWFilters = nwfilterNumNWFilters,
+    .listNWFilters = nwfilterListNWFilters,
+    .nwfilterLookupByName = nwfilterLookupByName,
+    .nwfilterLookupByUUID = nwfilterLookupByUUID,
+    .defineXML = nwfilterDefine,
+    .undefine = nwfilterUndefine,
+    .getXMLDesc = nwfilterDumpXML,
+};
+static virStateDriver stateDriver = {
+    .name = "NWFilter",
+    .initialize = nwfilterDriverStartup,
+    .cleanup = nwfilterDriverShutdown,
+    .reload = nwfilterDriverReload,
+    .active = nwfilterDriverActive,
+};
+int nwfilterRegister(void) {
+    virRegisterNWFilterDriver(&nwfilterDriver);
+    virRegisterStateDriver(&stateDriver);
+    return 0;
+}
--- a/src/nwfilter/nwfilter_driver.h
+++ b/src/nwfilter/nwfilter_driver.h
+/*
+ * nwfilter_driver.h: core driver for nwfilter APIs
+ *                    (based on storage driver)
+ *
+ * Copyright (C) 2006-2008 Red Hat, Inc.
+ * Copyright (C) 2006-2008 Daniel P. Berrange
+ * Copyright (C) 2010 IBM Corporation
+ * Copyright (C) 2010 Stefan Berger
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ *
+ * Author: Daniel P. Berrange <berrange@redhat.com>
+ *         Stefan Berger <stefanb@us.ibm.com>
+ */
+#ifndef __VIR_NWFILTER_DRIVER_H__
+#define __VIR_NWFILTER_DRIVER_H__
+#include "nwfilter_params.h"
+#include "nwfilter_conf.h"
+int nwfilterRegister(void);
+#endif /* __VIR_NWFILTER_DRIVER_H__ */
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
--- a/src/nwfilter/nwfilter_ebiptables_driver.h
+++ b/src/nwfilter/nwfilter_ebiptables_driver.h
+/*
+ * nwfilter_ebiptables_driver.h: ebtables/iptables driver support
+ *
+ * Copyright (C) 2010 IBM Corporation
+ * Copyright (C) 2010 Stefan Berger
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ *
+ * Author: Stefan Berger <stefanb@us.ibm.com>
+ */
+#ifndef VIR_NWFILTER_EBTABLES_DRIVER_H__
+#define VIR_NWFILTER_EBTABLES_DRIVER_H__
+#define MAX_CHAINNAME_LENGTH  32 /* see linux/netfilter_bridge/ebtables.h */
+typedef struct _ebiptablesRuleInst ebiptablesRuleInst;
+typedef ebiptablesRuleInst *ebiptablesRuleInstPtr;
+struct _ebiptablesRuleInst {
+    char *commandTemplate;
+    enum virNWFilterChainSuffixType neededProtocolChain;
+    char chainprefix;    // I for incoming, O for outgoing
+    unsigned int priority;
+};
+extern virNWFilterTechDriver ebiptables_driver;
+#define EBIPTABLES_DRIVER_ID "ebiptables"
+#endif
--- a/src/nwfilter/nwfilter_gentech_driver.c
+++ b/src/nwfilter/nwfilter_gentech_driver.c
--- a/src/nwfilter/nwfilter_gentech_driver.h
+++ b/src/nwfilter/nwfilter_gentech_driver.h
+/*
+ * nwfilter_gentech_driver.h: generic technology driver include file
+ *
+ * Copyright (C) 2010 IBM Corp.
+ * Copyright (C) 2010 Stefan Berger
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+ *
+ * Author: Stefan Berger <stefanb@us.ibm.com>
+ */
+#ifndef __NWFILTER_GENTECH_DRIVER_H
+#define __NWFILTER_GENTECH_DRIVER_H
+virNWFilterTechDriverPtr virNWFilterTechDriverForName(const char *name);
+int virNWFilterRuleInstAddData(virConnectPtr conn,
+                               virNWFilterRuleInstPtr res,
+                               void *data);
+enum instCase {
+    INSTANTIATE_ALWAYS,
+    INSTANTIATE_FOLLOW_NEWFILTER,
+};
+int virNWFilterInstantiateFilter(virConnectPtr conn,
+                                 const virDomainNetDefPtr net);
+int virNWFilterUpdateInstantiateFilter(virConnectPtr conn,
+                                       const virDomainNetDefPtr net);
+int virNWFilterRollbackUpdateFilter(virConnectPtr conn,
+                                    const virDomainNetDefPtr net);
+int virNWFilterTearOldFilter(virConnectPtr conn,
+                             const virDomainNetDefPtr net);
+int virNWFilterTeardownFilter(const virDomainNetDefPtr net);
+virNWFilterHashTablePtr virNWFilterCreateVarHashmap(virConnectPtr conn,
+                                                     char *macaddr);
+#endif