- 06 5月, 2011 1 次提交
-
-
由 Eric Blake 提交于
We already have virAsprintf, so picking a similar name helps for seeing a similar purpose. Furthermore, the prefix V before printf generally implies 'va_list', even though this variant was '...', and the old name got in the way of adding a new va_list version. global rename performed with: $ git grep -l virBufferVSprintf \ | xargs -L1 sed -i 's/virBufferVSprintf/virBufferAsprintf/g' then revert the changes in ChangeLog-old.
-
- 30 4月, 2011 1 次提交
-
-
由 Matthias Bolte 提交于
Call shutdown functions for all subcomponents in nwfilterDriverShutdown. Make sure that this shutdown functions can safely be called multiple times and independent from the actual subcomponents state.
-
- 25 2月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
Relax the restriction that the hash table key must be a string by allowing an arbitrary hash code generator + comparison func to be provided * util/hash.c, util/hash.h: Allow any pointer as a key * internal.h: Include stdbool.h as standard. * conf/domain_conf.c, conf/domain_conf.c, conf/nwfilter_params.c, nwfilter/nwfilter_gentech_driver.c, nwfilter/nwfilter_gentech_driver.h, nwfilter/nwfilter_learnipaddr.c, qemu/qemu_command.c, qemu/qemu_driver.c, qemu/qemu_process.c, uml/uml_driver.c, xen/xm_internal.c: s/char */void */ in hash callbacks
-
由 Daniel P. Berrange 提交于
Since the deallocator is passed into the constructor of a hash table it is not desirable to pass it into each function again. Remove it from all functions, but provide a virHashSteal to allow a item to be removed from a hash table without deleteing it. * src/util/hash.c, src/util/hash.h: Remove deallocator param from all functions. Add virHashSteal * src/libvirt_private.syms: Add virHashSteal * src/conf/domain_conf.c, src/conf/nwfilter_params.c, src/nwfilter/nwfilter_learnipaddr.c, src/qemu/qemu_command.c, src/xen/xm_internal.c: Update for changed hash API
-
- 21 2月, 2011 1 次提交
-
-
由 Eric Blake 提交于
Two-argument free functions are uncommon; match the style elsewhere by caching the callback at creation. * src/util/hash.h (virHashCreate, virHashFree): Move deallocator argument to creation. * cfg.mk (useless_free_options): Add virHashFree. * src/util/hash.c (_virHashTable): Track deallocator. (virHashCreate, virHashFree): Update to new signature. * src/conf/domain_conf.c (virDomainObjListDeinit) (virDomainObjListInit, virDomainDiskDefForeachPath) (virDomainSnapshotObjListDeinit, virDomainSnapshotObjListInit): Update callers. * src/conf/nwfilter_params.c (virNWFilterHashTableFree) (virNWFilterHashTableCreate): Likewise. * src/conf/nwfilter_conf.c (virNWFilterTriggerVMFilterRebuild): Likewise. * src/cpu/cpu_generic.c (genericHashFeatures, genericBaseline): Likewise. * src/xen/xm_internal.c (xenXMOpen, xenXMClose): Likewise. * src/nwfilter/nwfilter_learnipaddr.c (virNWFilterLearnInit) (virNWFilterLearnShutdown): Likewise. * src/qemu/qemu_command.c (qemuDomainPCIAddressSetCreate) (qemuDomainPCIAddressSetFree): Likewise. * src/qemu/qemu_process.c (qemuProcessWaitForMonitor): Likewise.
-
- 18 2月, 2011 1 次提交
-
-
由 Christophe Fergeau 提交于
Now that the virHash handling functions call virReportOOMError by themselves when needed, users of the virHash API no longer need to do it by themselves. Since users of the virHash API were not consistently calling virReportOOMError after memory failures from the virHash code, this has the added benefit of making OOM reporting from this code more consistent and reliable.
-
- 29 1月, 2011 1 次提交
-
-
由 Matthias Bolte 提交于
Pure cosmetic change.
-
- 22 10月, 2010 1 次提交
-
-
由 Daniel P. Berrange 提交于
The inet_pton and inet_ntop functions are obsolete, replaced by getaddrinfo+getnameinfo with the AI_NUMERICHOST flag set. These can be accessed via the virSocket APIs. The bridge.c code had methods for fetching the IP address of a bridge which used inet_ntop. Aside from the use of inet_ntop these methods are broken, because a NIC can have multiple addresses and this only returns one address. Since the methods are never used, just remove them. * src/conf/network_conf.c, src/nwfilter/nwfilter_learnipaddr.c: Replace inet_pton and inet_ntop with virSocket APIs * src/util/bridge.c, src/util/bridge.h: Remove unused methods which called inet_ntop.
-
- 28 9月, 2010 1 次提交
-
-
由 Justin Clift 提交于
This reverses commit 04c3704e, which added a define to nwfilter to allow libvirtd compilation on Mac OS X. Stefan Bergers commit, 2e7294df, is the proper solution, removing the requirement for nwfilter on non-Linux.
-
- 27 9月, 2010 1 次提交
-
-
由 Justin Clift 提交于
The nwfilter code uses ETH_ALEN, which isn't defined on MacOS X. This is a simple workaround, to add it when missing.
-
- 17 8月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
In this patch I am extending and fixing the nwfilter module's reload support to stop all ongoing threads (for learning IP addresses of interfaces) and rebuild the filtering rules of all interfaces of all VMs when libvirt is started. Now libvirtd rebuilds the filters upon the SIGHUP signal and libvirtd restart. About the patch: The nwfilter functions require a virConnectPtr. Therefore I am opening a connection in qemudStartup, which later on needs to be closed outside where the driver lock is held since otherwise it ends up in a deadlock due to virConnectClose() trying to lock the driver as well. I have tested this now for a while with several machines running and needing the IP address learner thread(s). The rebuilding of the firewall rules seems to work fine following libvirtd restart or a SIGHUP. Also the termination of libvirtd worked fine.
-
- 14 8月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
When sniffing the network traffic, discard class D and E IP addresses when sniffing traffic. This was a reason why filters were not correctly rebuilt on VMs on the local 192.* network when libvirt was restarted and those VMs did not use a DHCP request to get its IP address.
-
- 30 4月, 2010 3 次提交
-
-
由 Stefan Berger 提交于
Introduce a function to notify the IP address learning thread to terminate and thus release the lock on the interface. Notify the thread before grabbing the lock on the interface and tearing down the rules. This prevents a 'virsh destroy' to tear down the rules that the IP address learning thread has applied.
-
由 Stefan Berger 提交于
The functions invoked by the IP address learning thread that apply some basic filtering rules did not clean up any previous filtering rules that may still be there (due to a libvirt restart for example). With the patch below all the rules are cleaned up first. Also, I am introducing a function to drop all traffic in case the IP address learning thread could not apply the rules.
-
由 Stefan Berger 提交于
The local DHCP server on virtbr0 sends DHCP ACK messages when a VM is started and requests an IP address while the initial DHCP lease on the VM's MAC address hasn't expired. So, also pick the IP address of the VM if that type of message is seen. Thanks to Gerhard Stenzel for providing a test case for this. Changes from V1 to V2: - cleanup: replacing DHCP option numbers through constants
-
- 23 4月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
- using INT_BUFSIZE_BOUND() to determine the length of the buffersize for printing and integer into - not explicitly initializing static var threadsTerminate to false anymore, since that's done automatically Changes after V2: - removed while looks in case of OOM error - removed on ifaceDown() call - preceding one ifaceDown() call with an ifaceCheck() call Since the name of an interface can be the same between stops and starts of different VMs I have to switch the IP address learning thread to use the index of the interface to determine whether an interface is still available or not - in the case of macvtap the thread needs to listen for traffic on the physical interface, thus having to time out periodically to check whether the VM's macvtap device is still there as an indication that the VM is still alive. Previously the following sequence of 2 VMs with macvtap device virsh start testvm1; virsh destroy testvm1 ; virsh start testvm2 would not terminate the thread upon testvm1's destroy since the name of the interface on the host could be the same (i.e, macvtap0) on testvm1 and testvm2, thus it was easily race-able. The thread would then determine the IP address parameter for testvm2 but apply the rule set for testvm1. :-( I am also introducing a lock for the interface (by name) that the thread must hold while it listens for the traffic and releases when it terminates upon VM termination or 0.5 second thereafter. Thus, the new thread for a newly started VM with the same interface name will not start while the old one still holds the lock. The only other code that I see that also needs to grab the lock to serialize operation is the one that tears down the firewall that were established on behalf of an interface. I am moving the code applying the 'basic' firewall rules during the IP address learning phase inside the thread but won't start the thread unless it is ensured that the firewall driver has the ability to apply the 'basic' firewall rules.
-
- 21 4月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
I am moving some of the eb/iptables related functions into the interface of the firewall driver and am making them only accessible via the driver's interface. Otherwise exsiting code is adapted where needed. I am adding one new function to the interface that checks whether the 'basic' rules can be applied, which will then be used by a subsequent patch.
-
- 13 4月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
Changes from v1 to v2: - changed function name prefixes to 'iface' from previous 'Iface' - Further to make make syntax-check pass: - indentation fix in interface.h - added entry to POTFILES.in I am consolidating network interface related functions used in nwfilter and macvtap code in utils/interface.c. All function names are prefixed with 'Iface'. The following functions are now available through interface.h: int ifaceCtrl(const char *name, bool up); int ifaceUp(const char *name); int ifaceDown(const char *name); int ifaceCheck(bool reportError, const char *ifname, const unsigned char *macaddr, int ifindex); int ifaceGetIndex(bool reportError, const char *ifname, int *ifindex); I added 'int ifindex' as parameter to ifaceCheck to the original function and modified the code accordingly.
-
- 10 4月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
I mistakenly took the op field in the DHCP message as the DHCP_OFFER type. Rather than basing the decision to read the VM's IP address on that field, process the appended DHCP options where option 53 indicates the actual type of the packet. I am also reading the broadcast address of the VM, but don't use it so far.
-
- 08 4月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
This patch implements support for learning a VM's IP address. It uses the pcap library to listen on the VM's backend network interface (tap) or the physical ethernet device (macvtap) and tries to capture packets with source or destination MAC address of the VM and learn from DHCP Offers, ARP traffic, or first-sent IPv4 packet what the IP address of the VM's interface is. This then allows to instantiate the network traffic filtering rules without the user having to provide the IP parameter somewhere in the filter description or in the interface description as a parameter. This only supports to detect the parameter IP, which is for the assumed single IPv4 address of a VM. There is not support for interfaces that may have multiple IP addresses (IP aliasing) or IPv6 that may then require more than one valid IP address to be detected. A VM can have multiple independent interfaces that each uses a different IP address and in that case it will be attempted to detect each one of the address independently. So, when for example an interface description in the domain XML has looked like this up to now: <interface type='bridge'> <source bridge='mybridge'/> <model type='virtio'/> <filterref filter='clean-traffic'> <parameter name='IP' value='10.2.3.4'/> </filterref> </interface> you may omit the IP parameter: <interface type='bridge'> <source bridge='mybridge'/> <model type='virtio'/> <filterref filter='clean-traffic'/> </interface> Internally I am walking the 'tree' of a VM's referenced network filters and determine with the given variables which variables are missing. Now, the above IP parameter may be missing and this causes a libvirt-internal thread to be started that uses the pcap library's API to listen to the backend interface (in case of macvtap to the physical interface) in an attempt to determine the missing IP parameter. If the backend interface disappears the thread terminates assuming the VM was brought down. In case of a macvtap device a timeout is being used to wait for packets from the given VM (filtering by VM's interface MAC address). If the VM's macvtap device disappeared the thread also terminates. In all other cases it tries to determine the IP address of the VM and will then apply the rules late on the given interface, which would have happened immediately if the IP parameter had been explicitly given. In case an error happens while the firewall rules are applied, the VM's backend interface is 'down'ed preventing it to communicate. Reasons for failure for applying the network firewall rules may that an ebtables/iptables command failes or OOM errors. Essentially the same failure reasons may occur as when the firewall rules are applied immediately on VM start, except that due to the late application of the filtering rules the VM now is already running and cannot be hindered anymore from starting. Bringing down the whole VM would probably be considered too drastic. While a VM's IP address is attempted to be determined only limited updates to network filters are allowed. In particular it is prevented that filters are modified in such a way that they would introduce new variables. A caveat: The algorithm does not know which one is the appropriate IP address of a VM. If the VM spoofs an IP address in its first ARP traffic or IPv4 packets its filtering rules will be instantiated for this IP address, thus 'locking' it to the found IP address. So, it's still 'safer' to explicitly provide the IP address of a VM's interface in the filter description if it is known beforehand. * configure.ac: detect libpcap * libvirt.spec.in: require libpcap[-devel] if qemu is built * src/internal.h: add the new ATTRIBUTE_PACKED define * src/Makefile.am src/libvirt_private.syms: add the new modules and symbols * src/nwfilter/nwfilter_learnipaddr.[ch]: new module being added * src/nwfilter/nwfilter_driver.c src/conf/nwfilter_conf.[ch] src/nwfilter/nwfilter_ebiptables_driver.[ch] src/nwfilter/nwfilter_gentech_driver.[ch]: plu the new functionality in * tests/nwfilterxml2xmltest: extend testing
-