This patch adds a few test cases for the XML parsing of STP filtering nodes.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch adds support for filtering of STP (spanning tree protocol) traffic
to the parser and makes us of the ebtables support for STP filtering. This code
now enables the filtering of traffic in chains with prefix 'stp'.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

With hunks borrowed from one of David Steven's previous patches, we now
add the capability of having a 'mac' chain which is useful to filter
for multiple valid MAC addresses.
Signed-off-by: NDavid L Stevens <dlstevens@us.ibm.com>
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

* docs/formatcaps.html.in: Avoid run-on sentence, wrap lines.

On Mingw32 the ffs() function was not declared due to missing header
include

* src/conf/capabilities.c: The ffs() function lives in strings.h

Add Chang Liu to the AUTHORS' list.

virStorageBackendLogicalDeleteVol() could not remove the lv with error
"could not remove open logical volume" sometimes. Generally it's caused
by the volume is still active, even if lvremove tries to remove it with
option "--force".

This patch is to fix it by disbale the lv first using "lvchange -aln"
and "lvremove -f" afterwards if the direct "lvremove -f" failed.

This patch exports KVM Host Power Management capabilities as XML so that
higher-level systems management software can make use of these features
available in the host.

The script "pm-is-supported" (from pm-utils package) is run to discover if
Suspend-to-RAM (S3) or Suspend-to-Disk (S4) is supported by the host.
If either of them are supported, then a new tag "<power_management>" is
introduced in the XML under the <host> tag.

However in case the query to check for power management features succeeded,
but the host does not support any such feature, then the XML will contain
an empty <power_management/> tag. In the event that the PM query itself
failed, the XML will not contain any "power_management" tag.

To use this, new APIs could be implemented in libvirt to exploit power
management features such as S3/S4.

None of the callers cared if str was updated to point to the next
byte after the parsed cpuset; simplifying this results in quite
a few code simplifications.  Additionally, virCPUDefParseXML was
strdup()'ing a malloc()'d string; avoiding a memory copy resulted
in less code.

* src/conf/domain_conf.h (virDomainCpuSetParse): Alter signature.
* src/conf/domain_conf.c (virDomainCpuSetParse): Don't modify str.
(virDomainVcpuPinDefParseXML, virDomainDefParseXML): Adjust
callers.
* src/conf/cpu_conf.c (virCPUDefParseXML): Likewise.
* src/xen/xend_internal.c (sexpr_to_xend_topology): Likewise.
* src/xen/xm_internal.c (xenXMDomainPinVcpu): Likewise.
* src/xenxs/xen_sxpr.c (xenParseSxpr): Likewise.
* src/xenxs/xen_xm.c (xenParseXM): Likewise.

For direct attach devices, in qemuBuildCommandLine, we seem to be freeing
actual device on error path (with networkReleaseActualDevice). But the actual
device is not deleted.

qemuProcessStop eventually deletes the direct attach device and releases
actual device. But by the time qemuProcessStop is called qemuBuildCommandLine
has already freed actual device, leaving stray macvtap devices behind on error.
So the simplest fix is to remove the networkReleaseActualDevice in
qemuBuildCommandLine. This patch does just that.
Signed-off-by: NRoopa Prabhu <roprabhu@cisco.com>

Now, when we support multiple consoles per domain,
the vm->def->console[0] can still remain an alias
for vm->def->serial[0]; However, we need to copy
it's source definition as well otherwise we'll regress
on virDomainOpenConsole.

* src/Makefile.am: Remove libvirt_bridge.syms and libvirt_macvtap.syms
  from EXTRA_DIST. Add libvirt_dbus.syms

Mingw32 complains if you request export of a symbol which does
not in fact exist.

* src/libvirt_bridge.syms, src/libvirt_macvtap.syms: Delete
  obsolete files
* src/libvirt_private.syms: Remove virNetServerGetDBusConn
* src/libvirt_dbus.syms: Add virNetServerGetDBusConn

lvs outputs "[$lvname_vorigin]" for the virtual snapshot lv
(created with "--virtualsize"), and the original device pointed
by "$lvname_vorigin" is just for lvm internal use, one should
never use it.

Per lvm's nameing rules, "[" is not valid as part of the vg/lv name.
(man 8 lvm).

<quote>
VALID NAMES
The following characters are valid for VG and LV names: a-z A-Z 0-9 + _
. -

VG and LV names cannot begin with a hyphen.   There  are  also  various
reserved  names that are used internally by lvm that can not be used as
LV or VG names.  A VG cannot be called anything that exists in /dev/ at
the time of creation, nor can it be called '.' or '..'.  A LV cannot be
called '.' '..' 'snapshot' or 'pvmove'. The LV name may also  not  con‐
tain the strings '_mlog' or '_mimage'
</quote>

So we can skip the set the lv's backingStore by checking if the name
begins with a "[".

Add documentation for the VLAN filtering support. Describe the XML attributes
that are supported.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch adds a few test cases for the XML parsing of VLAN filtering nodes.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch adds support for filtering of VLAN (802.1Q) traffic to the
parser and makes us of the ebtables support for VLAN filtering. This code
now enables the filtering of traffic in chains with prefix 'vlan'.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Xen4.1 initializes some unspecified sexpr config items to an empty
string, unlike previous Xen versions that would leave the item unset.
E.g. the kernel item for an HVM guest (non-direct kernel boot):

Xen4.0 and earlier
  ...
  (image
    (hvm
      (kernel )
  ...

Xen4.1
  ...
  (image
    (hvm
      (kernel '')
  ...

The empty string for kernel causes some grief in subsequent parsing
where existence of specified kernel is checked, e.g.

  if (!def->os.kernel)
  ...

This patch solves the problem in sexpr_node_copy() by not copying
a node containing an empty string.

I installed the xen development packages on my non-Xen F16 machine
in order to compile-test xen code and ensure we don't break things
on that front, but being a non-xen machine, /usr/sbin/xend is
obviously not running.  Unfortunately, xen-4.1.2-1.fc16 has a bug
where merely trying to probe xend status on a non-xen kernel causes
xend to issue an ABRT crash report:

https://bugzilla.redhat.com/show_bug.cgi?id=728696

Even though libvirt (correctly) skips the test, the xend crash report
is unnecessary noise.  Fix this by first filtering out non-xen
kernels even before attempting to probe xend.  The test still runs
and passes on a RHEL 5 xen kernel after this patch.

* tests/reconnect.c (mymain): Skip xend probe on non-xen kernel.
* tests/statstest.c (mymain): Likewise.

Since commit 6ec8288a, compilation has failed on RHEL 5:

util/virnetdevmacvlan.c:672: error: conflicting types for 'virNetDevMacVLanCreateWithVPortProfile'

* src/util/virnetdevmacvlan.c
(virNetDevMacVLanCreateWithVPortProfile): Add missing parameter.

This prepares for subsequent patches which introduce dependence
on cgroup cpuset. Enable cgroup cpuset by default so users don't
have to modify configuration file before encountering a cpuset
error.

The original patch for commit 4789fb2e considered renaming a file,
then backed out the name change, but forgot to back out the POTFILES.in
change, resulting in 'make syntax-check' failure.

Excercise the new hash API, to ensure we avoid regressions.

* tests/hashtest.c (testHashGetItems): New test.

This patch adds test cases for parsing of parameters with
multiple occurrances of the same name.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch modifies the NWFilter parameter parser to support multiple
elements with the same name and to internally build a list of items.
An example of the XML looks like this:

        <parameter name='TEST' value='10.1.2.3'/>
        <parameter name='TEST' value='10.2.3.4'/>
        <parameter name='TEST' value='10.1.1.1'/>

The list of values is then stored in the newly introduced data type
virNWFilterVarValue.

The XML formatter is also adapted to print out all items in alphabetical
order sorted by 'name'.

This patch also fixes a bug in the XML schema on the way.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch extends the NWFilter driver for Linux (ebiptables) to create
rules for each member of a previously introduced list. If for example
an attribute value (internally) looks like this:

IP = [10.0.0.1, 10.0.0.2, 10.0.0.3]

then 3 rules will be generated for a rule accessing the variable 'IP',
one for each member of the list. The effect of this is that this now
allows for filtering for multiple values in one field. This can then be
used to support for filtering/allowing of multiple IP addresses per
interface.

An iterator is introduced that extracts each member of a list and
puts it into a hash table which then is passed to the function creating
a rule. For the above example the iterator would cause 3 loops.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

NWFilters can be provided name-value pairs using the following
XML notation:

      <filterref filter='xyz'>
        <parameter name='PORT' value='80'/>
        <parameter name='VAL' value='abc'/>
      </filterref>

The internal representation currently is so that a name is stored as a
string and the value as well. This patch now addresses the value part of it
and introduces a data structure for storing a value either as a simple
value or as an array for later support of lists.

This patch adjusts all code that was handling the values in hash tables
and makes it use the new data type.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch adds several aspects of documentation about the network filtering
system:

- chains, chains' priorities and chains' default priorities
- talks about lists of elements, i.e., a variable assigned multiple values
  (part of already ACK-ed series)
- already mentions the vlan, stp and mac chains added later on
  (https://www.redhat.com/archives/libvir-list/2011-October/msg01238.html)
- mentions limitations of vlan filtering (when sent by VM) on Linux systems
 

Add test case for the chain names with known prefixes and the chain
priority.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

The previous patch extends the priority of filtering rules into negative
numbers. We now use this possibility to interleave the jumping into
chains with filtering rules to for example create the 'root' table of
an interface with the following sequence of rules:

Bridge chain: libvirt-I-vnet0, entries: 6, policy: ACCEPT
-p IPv4 -j I-vnet0-ipv4
-p ARP -j I-vnet0-arp
-p ARP -j ACCEPT 
-p 0x8035 -j I-vnet0-rarp
-p 0x835 -j ACCEPT 
-j DROP 

The '-p ARP -j ACCEPT' rule now appears between the jumps.
Since the 'arp' chain has been assigned priority -700 and the 'rarp'
chain -600, the above ordering can now be achieved with the following
rule:

  <rule action='accept' direction='out' priority='-650'>
    <mac protocolid='arp'/>
  </rule>

This patch now sorts the commands generating the above shown jumps into
chains and interleaves their execution with those for generating rules.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

So far rules' priorities have only been valid in the range [0,1000].
Now I am extending their priority into the range [-1000, 1000] for subsequently
being able to sort rules and the access of (jumps into) chains following
priorities.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch enables chains that have a known prefix in their name.
Known prefixes are: 'ipv4', 'ipv6', 'arp', 'rarp'. All prefixes
are also protocols that can be evaluated on the ebtables level.

Following the prefix they will be automatically connected to an interface's
'root' chain and jumped into following the protocol they evaluate, i.e.,
a table 'arp-xyz' will be accessed from the root table using

ebtables -t nat -A <iface root table> -p arp -j I-<ifname>-arp-xyz

thus generating a 'root' chain like this one here:

Bridge chain: libvirt-O-vnet0, entries: 5, policy: ACCEPT
-p IPv4 -j O-vnet0-ipv4
-p ARP -j O-vnet0-arp
-p 0x8035 -j O-vnet0-rarp
-p ARP -j O-vnet0-arp-xyz
-j DROP 

where the chain 'arp-xyz' is accessed for filtering of ARP packets.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch extends the filter XML to support priorities of chains
in the XML. An example would be:

<filter name='allow-arpxyz' chain='arp-xyz' priority='200'>
[...]
</filter>

The permitted values for priorities are [-1000, 1000].
By setting the priority of a chain the order in which it is accessed
from the interface root chain can be influenced.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Use the name of the chain rather than its type index (enum).
This pushes the later enablement of chains with user-given names
into the XML parser. For now we still only allow those names that
are well known ('root', 'arp', 'rarp', 'ipv4' and 'ipv6').
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Use scripts for the renaming and cleaning up of chains. This allows us to get
rid of some of the code that is only capable of renaming and removing chains
whose names are hardcoded.

A shell function 'collect_chains' is introduced that is given the name
of an ebtables chain and then recursively determines the names of all
chains that are accessed from this chain and its sub-chains using 'jumps'.

The resulting list of chain names is then used to delete all the found
chains by first flushing and then deleting them.

The same function is also used for renaming temporary filters to their final
names.

I tested this with the bash and dash as script interpreters.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Use the previously introduced chain priorities to sort the chains for access
from an interface's 'root' table and have them created in the proper order.
This gets rid of a lot of code that was previously creating the chains in a 
more hardcoded way.

To determine what protocol a filter is used for evaluation do prefix-
matching, i.e., the filter 'arp' is used to filter for the 'arp' protocol,
'ipv4' for the 'ipv4' protocol and 'arp-xyz' will also be used to filter
for the 'arp' protocol following the prefix 'arp' in its name.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

For better handling of the sorting of chains introduce an internally used
priority. Use a lookup table to store the priorities. For now their actual
values do not matter just that the values cause the chains to be properly
sorted through changes in the following patches. However, the values are
chosen as negative so that once they are sorted along with filtering rules
(whose priority may only be positive for now) they will always be instantiated
before them (lower values cause instantiation before higher values). This
is done to maintain backwards compatibility.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

Add a function to the virHashTable for getting an array of the hash table's
key-value pairs and have the keys (optionally) sorted.
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>

This patch adds support for a systemd init service for libvirtd
and libvirt-guests. The libvirtd.service is *not* written to use
socket activation, since we want libvirtd to start on boot so it
can do guest auto-start.

The libvirt-guests.service is pretty lame, just exec'ing the
original init script for now. Ideally we would factor out the
functionality, into some shared tool.

Instead of

  ./configure --with-init-script=redhat

You can now do

  ./configure --with-init-script=systemd

Or better still:

  ./configure --with-init-script=systemd+redhat

We can also now support install of the upstart init script

* configure.ac: Add systemd, and systemd+redhat options to
  --with-init-script option
* daemon/Makefile.am: Install systemd services
* daemon/libvirtd.sysconf: Add note about unused env variable
  with systemd
* daemon/libvirtd.service.in: libvirtd systemd service unit
* libvirt.spec.in: Add scripts to installing systemd services
  and migrating from legacy init scripts
* tools/Makefile.am: Install systemd services
* tools/libvirt-guests.init.sh: Rename to tools/libvirt-guests.init.in
* tools/libvirt-guests.service.in: systemd service unit

Support creation of macvlan devices for LXC containers. Do not
allow setting of bandwidth controls or vport profiles due to the
complication that there is no host side visible device to work
with.

* src/lxc/lxc_driver.c: Support type=direct interfaces