From b86524e8d56c8e507dd41fa5b648d23b8d641ee3 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Tue, 7 Jun 2011 14:29:08 +0100
Subject: [PATCH] Add support for network filter code in LXC driver

The LXC driver networking uses veth device pairs. These can be easily hooked into the network filtering code.

* src/lxc/lxc_driver.c: Add calls to setup/teardown nwfilter
---
 src/lxc/lxc_driver.c | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index a9156f4473..3b0d2a6d8d 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -52,7 +52,7 @@
 #include "hooks.h"
 #include "files.h"
 #include "fdstream.h"
-
+#include "domain_nwfilter.h"
 
 #define VIR_FROM_THIS VIR_FROM_LXC
 
@@ -1027,6 +1027,8 @@ static void lxcVmCleanup(lxc_driver_t *driver,
         vethDelete(vm->def->nets[i]->ifname);
     }
 
+    virDomainConfVMNWFilterTeardown(vm);
+
     if (driver->cgroup &&
         virCgroupForDomain(driver->cgroup, vm->def->name, &cgroup, 0) == 0) {
         virCgroupRemove(cgroup);
@@ -1146,6 +1148,10 @@ static int lxcSetupInterfaces(virConnectPtr conn,
 
         if (vethInterfaceUpOrDown(parentVeth, 1) < 0)
             goto error_exit;
+
+        if (def->nets[i]->filter &&
+            virDomainConfNWFilterInstantiate(conn, def->nets[i]) < 0)
+            goto error_exit;
     }
 
     rc = 0;
@@ -1642,8 +1648,10 @@ cleanup:
         vethDelete(veths[i]);
         VIR_FREE(veths[i]);
     }
-    if (rc != 0)
+    if (rc != 0) {
         VIR_FORCE_CLOSE(priv->monitor);
+        virDomainConfVMNWFilterTeardown(vm);
+    }
     VIR_FORCE_CLOSE(parentTty);
     VIR_FORCE_CLOSE(handshakefds[0]);
     VIR_FORCE_CLOSE(handshakefds[1]);
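Review bot: In the lxcSetupInterfaces hunk the nwfilter rules are instantiated only after `vethInterfaceUpOrDown(parentVeth, 1)` has brought the host-side veth up, so if that veth has already been attached to the bridge earlier in this loop (outside the hunk) there is a short window in which the container's traffic is bridged with no filter in place. Moving the `if (def->nets[i]->filter && virDomainConfNWFilterInstantiate(conn, def->nets[i]) < 0) goto error_exit;` block ahead of the `vethInterfaceUpOrDown` call closes that window; this presumes the filter is keyed on the interface name rather than its link state, which is worth confirming against the nwfilter code. A short comment such as `/* install nwfilter rules before the link can carry traffic */` would record why the order matters. The body of lxcSetupInterfaces starts and ends outside this hunk, and its error_exit path appears to rely on the caller's cleanup (the following hunk) to tear down filters already instantiated for earlier interfaces.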
@@ -2842,6 +2850,33 @@ cleanup:
     return ret;
 }
 
+static int
+lxcVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
+                   virHashIterator iter, void *data)
+{
+    virHashForEach(lxc_driver->domains.objs, iter, data);
+
+    return 0;
+}
+
+static void
+lxcVMDriverLock(void)
+{
+    lxcDriverLock(lxc_driver);
+}
+
+static void
+lxcVMDriverUnlock(void)
+{
+    lxcDriverUnlock(lxc_driver);
+}
+
+static virNWFilterCallbackDriver lxcCallbackDriver = {
+    .name = "LXC",
+    .vmFilterRebuild = lxcVMFilterRebuild,
+    .vmDriverLock = lxcVMDriverLock,
+    .vmDriverUnlock = lxcVMDriverUnlock,
+};
 
 /* Function Tables */
 static virDriver lxcDriver = {
@@ -2913,5 +2948,6 @@ int lxcRegister(void)
 {
     virRegisterDriver(&lxcDriver);
     virRegisterStateDriver(&lxcStateDriver);
+    virNWFilterRegisterCallbackDriver(&lxcCallbackDriver);
     return 0;
 }
-- 
GitLab
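Review bot: The new callbacks lxcVMFilterRebuild, lxcVMDriverLock and lxcVMDriverUnlock dereference the global `lxc_driver` unconditionally, while the registration added to lxcRegister in the last hunk happens regardless of whether the state driver ever allocates it; if lxcStartup leaves `lxc_driver` NULL (or lxcShutdown has freed it) and the nwfilter driver later triggers a rebuild, these callbacks dereference NULL. Guarding each one, `if (!lxc_driver) return 0;` at the top of the rebuild and `if (lxc_driver)` before the lock and unlock calls, makes the unconditional registration safe in either state. It is also worth a comment on lxcVMFilterRebuild noting that it walks `lxc_driver->domains.objs` without taking the driver lock itself and relies on the caller having invoked vmDriverLock first, e.g. `/* Caller must hold the driver lock via vmDriverLock(). */`. Whether nwfilter can invoke these callbacks while the LXC driver is inactive depends on the nwfilter driver, which is not visible here.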