- 08 Jun 2011, 1 commit
Committed by Cole Robinson
Seems reasonable to have all command wrappers in the same place
v2: Don't move SetInherit
v3: Comment spelling fix
    Adjust WARN0 comment
    Remove spurious #include movement
    Don't include sys/types.h
    Combine virExec enums
Signed-off-by: Cole Robinson <crobinso@redhat.com>
- 28 May 2011, 1 commit
Committed by Stefan Berger
This patch reorders the locks for the nwfilter updates and the access to the nwfilter objects. In the case that the IP address learning thread was instantiating filters while an update happened, the previous order led to a deadlock.
- 26 May 2011, 1 commit
Committed by Matthias Bolte
In most cases this affects flags parameters that are unsigned in the public and driver API but signed in the XDR protocol. Switch the XDR protocol to unsigned for those. A counterexample is virNWFilterGetXMLDesc. Its flags parameter is signed in the public API and XDR protocol, but unsigned in the driver API.
- 24 May 2011, 1 commit
Committed by Stefan Berger
This patch enables filtering of gratuitous ARP packets using the following XML:
    <rule action='accept' direction='in' priority='425'>
      <arp gratuitous='true'/>
    </rule>
- 16 May 2011, 1 commit
Committed by Daniel P. Berrange
Add many version number annotations to the internal driver tables, to allow hvsupport.html to display more accurate information
- 12 May 2011, 2 commits
Committed by Eric Blake
The public API and RPC over-the-wire format have no flags argument, so neither should the internal callback API. This simplifies the RPC generator.
* src/driver.h (virDrvNWFilterDefineXML): Drop argument that does not match public API.
* src/nwfilter/nwfilter_driver.c (nwfilterDefine): Likewise.
* src/libvirt.c (virNWFilterDefineXML): Likewise.
* daemon/remote_generator.pl: Drop special case.
Committed by Lai Jiangshan
These VIR_XXXX0 APIs make us confused, use the non-0-suffix APIs instead.
How do these conversions work? The magic is using the gcc extension of ##. When __VA_ARGS__ is empty, "##" will swallow the "," in "fmt," to avoid a compile error.
example:
    origin                          after CPP
    high_level_api("%d", a_int)     low_level_api("%d", a_int)
    high_level_api("a string")      low_level_api("a string")
About 400 conversions.
8 special conversions:
    VIR_XXXX0("") -> VIR_XXXX("msg") (avoid empty format)                                2 conversions
    VIR_XXXX0(string_literal_with_%) -> VIR_XXXX(%->%%)                                  0 conversions
    VIR_XXXX0(non_string_literal) -> VIR_XXXX("%s", non_string_literal) (for security)   6 conversions
Signed-off-by: Lai Jiangshan <laijs@cn.fujitsu.com>
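As an added illustration of the `##__VA_ARGS__` comma-swallowing and of the "(for security)" conversion described in this commit message (example code, not libvirt's; LOG_MSG, low_level_api and the other names are hypothetical):

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Low-level sink (hypothetical stand-in for the "low_level_api" of the
 * commit message): formats into a caller-supplied buffer. */
static void low_level_api(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* One macro serves both the "with arguments" and "message only" calls:
 * when __VA_ARGS__ is empty, "##" swallows the comma after fmt, so
 * LOG_MSG(buf, n, "a string") expands to low_level_api(buf, n, "a string"). */
#define LOG_MSG(out, outlen, fmt, ...) \
    low_level_api(out, outlen, fmt, ##__VA_ARGS__)

/* The VIR_XXXX0(non_string_literal) case from the commit message. Text the
 * caller does not control must travel as a %s argument; passing it as the
 * format itself (low_level_api(out, outlen, text)) would let any embedded
 * %-directives be interpreted against the stack. */
static void log_untrusted_safe(char *out, size_t outlen, const char *text)
{
    LOG_MSG(out, outlen, "%s", text);
}

/* Returns 1 if untrusted text containing %-directives comes out verbatim,
 * i.e. none of its directives were interpreted. The input is constructed. */
static int check_safe_conversion(void)
{
    char buf[128];
    const char *untrusted = "guest name: %x %x %s %n";   /* constructed */
    log_untrusted_safe(buf, sizeof(buf), untrusted);
    return strcmp(buf, untrusted) == 0;
}

/* Exercises the zero-argument and one-argument macro forms; returns the
 * integer formatted by the second call, or -1 if the first form failed. */
static int check_macro_forms(int value)
{
    char buf[32];
    LOG_MSG(buf, sizeof(buf), "a string");
    if (strcmp(buf, "a string") != 0)
        return -1;
    LOG_MSG(buf, sizeof(buf), "%d", value);
    return atoi(buf);
}
```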
- 11 May 2011, 1 commit
Committed by Matthias Bolte
This matches the public API and helps to get rid of some special case code in the remote generator. Rename driver API functions and XDR protocol structs. No functional change included outside of the remote generator.
- 07 May 2011, 1 commit
Committed by Eric Blake
HACKING already mentions that comparisons against literal 'true' are unsafe; for consistency, also shorten comparisons against 'false'.
* src/conf/domain_conf.c (virDomainNetDefParseXML): Simplify.
* src/nwfilter/nwfilter_gentech_driver.c (virNWFilterDomainFWUpdateCB): Likewise.
* tools/virsh.c (cmdVolDownload, vshCommandRun, vshPrintExtra): Likewise.
- 06 May 2011, 1 commit
Committed by Eric Blake
We already have virAsprintf, so picking a similar name helps for seeing a similar purpose. Furthermore, the prefix V before printf generally implies 'va_list', even though this variant was '...', and the old name got in the way of adding a new va_list version.
global rename performed with:
    $ git grep -l virBufferVSprintf \
      | xargs -L1 sed -i 's/virBufferVSprintf/virBufferAsprintf/g'
then revert the changes in ChangeLog-old.
- 30 Apr 2011, 1 commit
Committed by Matthias Bolte
Call shutdown functions for all subcomponents in nwfilterDriverShutdown. Make sure that these shutdown functions can safely be called multiple times and independently of the actual subcomponent state.
- 20 Apr 2011, 1 commit
Committed by Stefan Berger
Ebtables filtering doesn't work on macvtap devices. Remove support for the direct type of interface.
- 15 Apr 2011, 1 commit
Committed by Christophe Fergeau
gcc 4.6 warns when a variable is initialized but isn't used afterwards:
    vmware/vmware_driver.c:449:18: warning: variable 'vmxPath' set but not used [-Wunused-but-set-variable]
This patch fixes these warnings. There are still 2 offending files:
- vbox_tmpl.c: the variable is used inside an #ifdef and is assigned several times outside of #ifdef. Fixing the warning would have required wrapping all the assignments inside #ifdef which hurts readability.
    vbox/vbox_tmpl.c: In function 'vboxAttachDrives':
    vbox/vbox_tmpl.c:3918:22: warning: variable 'accessMode' set but not used [-Wunused-but-set-variable]
- esx_vi_types.generated.c: the name implies it's generated code and I didn't want to dive into the code generator
    esx/esx_vi_types.generated.c: In function 'esxVI_FileQueryFlags_Free':
    esx/esx_vi_types.generated.c:1203:3: warning: variable 'item' set but not used [-Wunused-but-set-variable]
- 08 Apr 2011, 1 commit
Committed by Stefan Berger
This patch adds support for the evaluation of TCP flags in nwfilters. It adds documentation to the web page and extends the tests as well. Also, the nwfilter schema is extended.
The following are some examples of rules using the tcp flags:
    <rule action='accept' direction='in'>
      <tcp state='NONE' flags='SYN/ALL' dsptportstart='80'/>
    </rule>
    <rule action='drop' direction='in'>
      <tcp state='NONE' flags='SYN/ALL'/>
    </rule>
- 25 Mar 2011, 1 commit
Committed by Eric Blake
Child processes don't always reach _exit(); if they die from a signal, then any messages should still be accurate. Most users either expect a 0 status (thankfully, if status==0, then WIFEXITED(status) is true and WEXITSTATUS(status)==0 for all known platforms) or were filtering on WIFEXITED before printing a status, but a few were missing this check. Additionally, nwfilter_ebiptables_driver was making an assumption that works on Linux (where WEXITSTATUS shifts and WTERMSIG just masks) but fails on other platforms (where WEXITSTATUS just masks and WTERMSIG shifts).
* src/util/command.h (virCommandTranslateStatus): New helper.
* src/libvirt_private.syms (command.h): Export it.
* src/util/command.c (virCommandTranslateStatus): New function.
(virCommandWait): Use it to also diagnose status from signals.
* src/security/security_apparmor.c (load_profile): Likewise.
* src/storage/storage_backend.c (virStorageBackendQEMUImgBackingFormat): Likewise.
* src/util/util.c (virExecDaemonize, virRunWithHook) (virFileOperation, virDirCreate): Likewise.
* daemon/remote.c (remoteDispatchAuthPolkit): Likewise.
* src/nwfilter/nwfilter_ebiptables_driver.c (ebiptablesExecCLI): Likewise.
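A portable status decoder in the spirit of the helper this commit describes, added here as an example rather than libvirt's own virCommandTranslateStatus (translate_status, run_child and the other names are hypothetical; it forks real children, so it needs a POSIX system):

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decode a raw wait status with the POSIX macros only. Hand-rolled
 * shifting/masking (the ebiptables assumption the commit describes)
 * breaks on platforms where the bit layout differs. */
static void translate_status(int status, char *buf, size_t buflen)
{
    if (WIFEXITED(status))
        snprintf(buf, buflen, "exit status %d", WEXITSTATUS(status));
    else if (WIFSIGNALED(status))
        snprintf(buf, buflen, "fatal signal %d", WTERMSIG(status));
    else
        snprintf(buf, buflen, "unknown status 0x%x", (unsigned)status);
}

/* Fork a child that raises `sig` (if non-zero) or calls _exit(code),
 * wait for it and return the raw status, or -1 on fork/wait failure. */
static int run_child(int code, int sig)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (sig)
            raise(sig);
        _exit(code);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return status;
}

/* Returns 1 when the child's fate is reported as `expect`. */
static int child_described_as(int code, int sig, const char *expect)
{
    char desc[64];
    int status = run_child(code, sig);
    if (status < 0)
        return 0;
    translate_status(status, desc, sizeof(desc));
    return strcmp(desc, expect) == 0;
}

/* The check most callers need: normal exit with code 0. A child killed
 * by a signal must fail this even though its raw status may be small. */
static int child_succeeded(int code, int sig)
{
    int status = run_child(code, sig);
    return status >= 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    char desc[64];
    translate_status(run_child(0, SIGKILL), desc, sizeof(desc));
    return puts(desc) < 0;      /* prints "fatal signal 9" */
}
```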
- 05 Mar 2011, 1 commit
Committed by Phil Petty
Signed-off-by: Eric Blake <eblake@redhat.com>
- 25 Feb 2011, 2 commits
Committed by Daniel P. Berrange
Relax the restriction that the hash table key must be a string by allowing an arbitrary hash code generator + comparison func to be provided
* util/hash.c, util/hash.h: Allow any pointer as a key
* internal.h: Include stdbool.h as standard.
* conf/domain_conf.c, conf/domain_conf.c, conf/nwfilter_params.c, nwfilter/nwfilter_gentech_driver.c, nwfilter/nwfilter_gentech_driver.h, nwfilter/nwfilter_learnipaddr.c, qemu/qemu_command.c, qemu/qemu_driver.c, qemu/qemu_process.c, uml/uml_driver.c, xen/xm_internal.c: s/char */void */ in hash callbacks
Committed by Daniel P. Berrange
Since the deallocator is passed into the constructor of a hash table it is not desirable to pass it into each function again. Remove it from all functions, but provide a virHashSteal to allow an item to be removed from a hash table without deleting it.
* src/util/hash.c, src/util/hash.h: Remove deallocator param from all functions. Add virHashSteal
* src/libvirt_private.syms: Add virHashSteal
* src/conf/domain_conf.c, src/conf/nwfilter_params.c, src/nwfilter/nwfilter_learnipaddr.c, src/qemu/qemu_command.c, src/xen/xm_internal.c: Update for changed hash API
- 21 Feb 2011, 1 commit
Committed by Eric Blake
Two-argument free functions are uncommon; match the style elsewhere by caching the callback at creation.
* src/util/hash.h (virHashCreate, virHashFree): Move deallocator argument to creation.
* cfg.mk (useless_free_options): Add virHashFree.
* src/util/hash.c (_virHashTable): Track deallocator.
(virHashCreate, virHashFree): Update to new signature.
* src/conf/domain_conf.c (virDomainObjListDeinit) (virDomainObjListInit, virDomainDiskDefForeachPath) (virDomainSnapshotObjListDeinit, virDomainSnapshotObjListInit): Update callers.
* src/conf/nwfilter_params.c (virNWFilterHashTableFree) (virNWFilterHashTableCreate): Likewise.
* src/conf/nwfilter_conf.c (virNWFilterTriggerVMFilterRebuild): Likewise.
* src/cpu/cpu_generic.c (genericHashFeatures, genericBaseline): Likewise.
* src/xen/xm_internal.c (xenXMOpen, xenXMClose): Likewise.
* src/nwfilter/nwfilter_learnipaddr.c (virNWFilterLearnInit) (virNWFilterLearnShutdown): Likewise.
* src/qemu/qemu_command.c (qemuDomainPCIAddressSetCreate) (qemuDomainPCIAddressSetFree): Likewise.
* src/qemu/qemu_process.c (qemuProcessWaitForMonitor): Likewise.
- 19 Feb 2011, 1 commit
Committed by Stefan Berger
This patch adds the possibility to not just drop packets, but to also have them rejected where iptables at least sends an ICMP msg back to the originator. On ebtables this again maps into dropping packets since rejecting is not supported. I am adding 'since 0.8.9' to the docs assuming this will be the next version of libvirt.
- 18 Feb 2011, 1 commit
Committed by Christophe Fergeau
Now that the virHash handling functions call virReportOOMError by themselves when needed, users of the virHash API no longer need to do it by themselves. Since users of the virHash API were not consistently calling virReportOOMError after memory failures from the virHash code, this has the added benefit of making OOM reporting from this code more consistent and reliable.
- 15 Feb 2011, 1 commit
Committed by Stefan Berger
This patch reorders the connlimit and comment match extensions relative to the state match (-m state); connlimit being most useful if found after a -m state --state NEW and not before it.
- 10 Feb 2011, 1 commit
Committed by Daniel P. Berrange
When run non-root the nwfilter driver logs error messages about being unable to find iptables/ebtables commands (they are in /sbin which isn't in $PATH). The nwfilter driver can't ever work as non-root, so simply skip it entirely thus avoiding the error messages
* src/conf/nwfilter_conf.h, src/nwfilter/nwfilter_driver.c, src/nwfilter/nwfilter_gentech_driver.c, src/nwfilter/nwfilter_gentech_driver.h: Pass 'bool privileged' flag down to final driver impl
* src/nwfilter/nwfilter_ebiptables_driver.c: Skip initialization if not privileged
- 29 Jan 2011, 1 commit
Committed by Matthias Bolte
Pure cosmetic change.
- 19 Jan 2011, 2 commits
Committed by Matthias Bolte
VIR_ERR_INVALID_* is meant for invalid pointers only.
Committed by Matthias Bolte
The public object is called NWFilter but the corresponding private object is called NWFilterPool. I don't see compelling reasons for this Pool suffix. One might argue that an NWFilter is a "pool" of rules, etc. Remove the Pool suffix from NWFilterPool. No functional change included.
- 20 Nov 2010, 1 commit
Committed by Stefan Berger
The IP address learning thread was causing a deadlock when it instantiated a filter while a filter update/change was ongoing. The reason for this was the ordering of locks due to the following calls:
    virNWFilterUnlockFilterUpdates()
    virNWFilterPoolObjFindByName()
The below patch now puts the order of the locks in the above shown order when instantiating the filter from the IP address learning thread.
- 17 Nov 2010, 2 commits
Committed by Eric Blake
* bootstrap.conf (gnulib_modules): Add configmake.
* daemon/Makefile.am (libvirtd_CFLAGS): Drop defines provided by gnulib.
* src/Makefile.am (INCLUDES): Likewise.
* tests/Makefile.am (INCLUDES): Likewise.
* tools/Makefile.am (virsh_CFLAGS): Likewise.
* daemon/libvirtd.c (qemudInitPaths, usage, main): Update clients.
* src/cpu/cpu_map.c (CPUMAPFILE): Likewise.
* src/driver.c (DEFAULT_DRIVER_DIR): Likewise.
* src/internal.h (_): Likewise.
* src/libvirt.c (virInitialize): Likewise.
* src/lxc/lxc_conf.h (LXC_CONFIG_DIR, LXC_STATE_DIR, LXC_LOG_DIR): Likewise.
* src/lxc/lxc_conf.c (lxcCapsInit, lxcLoadDriverConfig): Likewise.
* src/network/bridge_driver.c (NETWORK_PID_DIR) (NETWORK_STATE_DIR, DNSMASQ_STATE_DIR, networkStartup): Likewise.
* src/nwfilter/nwfilter_driver.c (nwfilterDriverStartup): Likewise.
* src/qemu/qemu_conf.c (qemudLoadDriverConfig): Likewise.
* src/qemu/qemu_driver.c (qemudStartup): Likewise.
* src/remote/remote_driver.h (LIBVIRTD_PRIV_UNIX_SOCKET) (LIBVIRTD_PRIV_UNIX_SOCKET_RO, LIBVIRTD_CONFIGURATION_FILE) (LIBVIRT_PKI_DIR): Likewise.
* src/secret/secret_driver.c (secretDriverStartup): Likewise.
* src/security/security_apparmor.c (VIRT_AA_HELPER): Likewise.
* src/security/virt-aa-helper.c (main): Likewise.
* src/storage/storage_backend_disk.c (PARTHELPER): Likewise.
* src/storage/storage_driver.c (storageDriverStartup): Likewise.
* src/uml/uml_driver.c (TEMPDIR, umlStartup): Likewise.
* src/util/hooks.c (LIBVIRT_HOOK_DIR): Likewise.
* tools/virsh.c (main): Likewise.
* docs/hooks.html.in: Likewise.
Committed by Stefan Berger
Rather than only cleaning any remaining ebtables rules, also clean those applied to iptables and ip6tables when detecting the IP address of an interface. Previously applied iptables rules may hinder DHCP packets.
- 16 Nov 2010, 2 commits
Committed by Eric Blake
* src/nwfilter/nwfilter_ebiptables_driver.c (CMD_EXEC): Fix syntax error in previous patch. Reported by Stefan Berger.
Committed by Eric Blake
* src/nwfilter/nwfilter_ebiptables_driver.c (ebiptablesWriteToTempFile): Use /bin/sh.
(bash_cmd_path): Delete.
(ebiptablesDriverInit, ebiptablesDriverShutdown): No need to search for bash.
(CMD_EXEC): Prefer $() over ``, since we can assume POSIX.
(iptablesSetupVirtInPost): Use portable 'test' syntax.
(iptablesLinkIPTablesBaseChain): Use POSIX $(()) syntax.
- 10 Nov 2010, 1 commit
Committed by Stefan Berger
Using automated replacement with sed and editing I have now replaced all occurrences of close() with VIR_(FORCE_)CLOSE() except for one, of course. Some replacements were straightforward; for others I needed to pay attention. I hope I paid attention in all the right places... Please have a look. This should have at least solved one more double-close error.
- 22 Oct 2010, 3 commits
Committed by Daniel P. Berrange
The inet_pton and inet_ntop functions are obsolete, replaced by getaddrinfo+getnameinfo with the AI_NUMERICHOST flag set. These can be accessed via the virSocket APIs. The bridge.c code had methods for fetching the IP address of a bridge which used inet_ntop. Aside from the use of inet_ntop these methods are broken, because a NIC can have multiple addresses and this only returns one address. Since the methods are never used, just remove them.
* src/conf/network_conf.c, src/nwfilter/nwfilter_learnipaddr.c: Replace inet_pton and inet_ntop with virSocket APIs
* src/util/bridge.c, src/util/bridge.h: Remove unused methods which called inet_ntop.
Committed by Daniel P. Berrange
The getnameinfo() function is more flexible than inet_ntop() avoiding the need to if/else the code based on socket family. Also make it support UNIX socket addrs and allow inclusion of a port (service) address. Finally do proper error reporting via normal APIs.
* src/conf/domain_conf.c, src/nwfilter/nwfilter_ebiptables_driver.c, src/qemu/qemu_conf.c: Fix error handling with virSocketFormat
* src/util/network.c: Rewrite virSocketFormat to use getnameinfo and cope with UNIX socket addrs.
Committed by Daniel P. Berrange
The nwIPAddress was simply a wrapper about virSocketAddr. Just use the latter directly, removing all the extra field de-references from code & helper APIs for parsing/formatting. Also remove all the redundant casts from strong types to void * and then immediately back to strong types.
* src/conf/nwfilter_conf.h: Remove nwIPAddress
* src/conf/nwfilter_conf.c, src/nwfilter/nwfilter_ebiptables_driver.c: Update to use virSocketAddr and remove void * casts.
- 20 Oct 2010, 1 commit
Committed by Stefan Berger
Avoid the enforcement of direction if
- icmp rules specify the type/code information
- the 'skipMatch' variable is set to 'true'
- 19 Oct 2010, 1 commit
Committed by Stefan Berger
In the table built for traffic coming from the VM going to the host make the following changes:
- don't ACCEPT the packets but do a 'RETURN' and let the host-specific firewall rules in subsequent rules evaluate whether the traffic is allowed to enter
- use the '-m state' in the rules as everywhere else
- 14 Oct 2010, 1 commit
Committed by Stefan Berger
The following filter transition from a filter allowing incoming TCP connections
    <rule action='accept' direction='in' priority='401'>
      <tcp/>
    </rule>
    <rule action='accept' direction='out' priority='500'>
      <tcp/>
    </rule>
to one that does not allow them
    <rule action='drop' direction='in' priority='401'>
      <tcp/>
    </rule>
    <rule action='accept' direction='out' priority='500'>
      <tcp/>
    </rule>
previously did not cut off existing (ssh) connections but only prevented newly initiated ones. The attached patch allows existing connections to be cut off as well, thus enforcing what the filter is showing.
I had only tested with a configuration where the physical interface is connected to the bridge where the filters are applied. This patch now also solves a filtering problem where the physical interface is not connected to the bridge, but the bridge is given an IP address and the host routes between bridge and physical interface. Here the filters drop non-allowed traffic on the outgoing side on the host.
- 13 Oct 2010, 1 commit
Committed by Stefan Berger
This is from a bug report and conversation on IRC where Soren reported that while a filter update is occurring on one or more VMs (due to a rule having been edited for example), a deadlock can occur when a VM referencing a filter is started.
The problem is caused by the two locking sequences of
    qemu driver, qemu domain, filter    # for the VM start operation
    filter, qemu_driver, qemu_domain    # for the filter update operation
that obviously don't lock in the same order. The problem is the 2nd lock sequence. Here the qemu_driver lock is being grabbed in qemu_driver:qemudVMFilterRebuild()
The following solution is based on the idea of trying to re-arrange the 2nd sequence of locks as follows:
    qemu_driver, filter, qemu_driver, qemu_domain
and making the qemu driver recursively lockable so that a second lock can occur; this would then lead to the following net-locking sequence
    qemu_driver, filter, qemu_domain
where the 2nd qemu_driver lock has been (logically) eliminated.
The 2nd part of the idea is that the sequence of locks (filter, qemu_domain) and (qemu_domain, filter) becomes interchangeable if all code paths where filter AND qemu_domain are locked have a preceding qemu_domain lock that basically blocks their concurrent execution.
So, the following code paths exist towards qemu_driver:qemudVMFilterRebuild where we now want to put a qemu_driver lock in front of the filter lock.
    -> nwfilterUndefine()   [ locks the filter ]
        -> virNWFilterTestUnassignDef()
            -> virNWFilterTriggerVMFilterRebuild()
                -> qemudVMFilterRebuild()
    -> nwfilterDefine()
        -> virNWFilterPoolAssignDef()   [ locks the filter ]
            -> virNWFilterTriggerVMFilterRebuild()
                -> qemudVMFilterRebuild()
    -> nwfilterDriverReload()
        -> virNWFilterPoolLoadAllConfigs()
            -> virNWFilterPoolObjLoad()
                -> virNWFilterPoolAssignDef()   [ locks the filter ]
                    -> virNWFilterTriggerVMFilterRebuild()
                        -> qemudVMFilterRebuild()
    -> nwfilterDriverStartup()
        -> virNWFilterPoolLoadAllConfigs()
            -> virNWFilterPoolObjLoad()
                -> virNWFilterPoolAssignDef()   [ locks the filter ]
                    -> virNWFilterTriggerVMFilterRebuild()
                        -> qemudVMFilterRebuild()
Qemu is not the only driver using the nwfilter driver, but also the UML driver calls into it. Therefore qemuVMFilterRebuild() can be exchanged with umlVMFilterRebuild() along with the driver lock of qemu_driver that can now be a uml_driver. Further, since UML and Qemu domains can be running on the same machine, the triggering of a rebuild of the filter can touch both types of drivers and their domains.
In the patch below I am now extending each nwfilter callback driver with functions for locking and unlocking the (VM) driver (UML, QEMU) and introduce new functions for locking all registered callback drivers and unlocking them. Then I am distributing the lock-all-cbdrivers/unlock-all-cbdrivers call into the above call paths. The last shown callpath starting with nwfilterDriverStart() is problematic since it is initialized before the Qemu and UML drivers are and thus a lock in the path would result in a NULL pointer attempted to be locked -- the call to virNWFilterTriggerVMFilterRebuild() is never called, so we never lock either the qemu_driver or the uml_driver in that path. Therefore, only the first 3 paths now receive calls to lock and unlock all callback drivers.
Now that the locks are distributed where it matters I can remove the qemu_driver and uml_driver lock from qemudVMFilterRebuild() and umlVMFilterRebuild() and not require the recursive locks.
For now I want to put this out as an RFC patch. I have tested it by 'stretching' the critical section after the define/undefine functions each lock the filter so I can (easily) concurrently execute another VM operation (suspend, start). That code is in this patch and if you want you can de-activate it. It seems to work ok and operations are being blocked while the update is being done. I still also want to verify the other assumption above that locking filter and qemu_domain always has a preceding qemu_driver lock.
- 09 Oct 2010, 1 commit
Committed by Guido Günther
to avoid long timeouts waiting for DNS servers