* configure.ac: Remove redundant checks.

* configure.ac (AC_CHECK_FUNCS_ONCE, AC_SYS_LARGEFILE): Rely on
gnulib for strtok_r and large file support.
(AC_OBJEXT): Drop call now done by AC_PROG_CC.
(m4_foreach_w): Drop macro guaranteed by gnulib.
(AC_C_CONST): Drop call declared obsolete by autoconf.
Signed-off-by: NEric Blake <eblake@redhat.com>

* configure.ac: Drop sys/wait.h check.
* src/libvirt.c (includes): Use header unconditionally.
* src/remote/remote_driver.c (includes): Likewise.
* src/storage/storage_backend.c (includes): Likewise.
* src/util/ebtables.c (includes): Likewise.
* src/util/hooks.c (includes): Likewise.
* src/util/iptables.c (includes): Likewise.
* src/util/util.c (includes): Likewise.

* bootstrap.conf (gnulib_modules): Add uname.
* configure.ac: Drop uname and sys/utsname.h checks.
* src/nodeinfo.c (nodeGetInfo): Use uname unconditionally.

Gnulib can guarantee that pthread.h exists, but for now, it is a dummy
header with no support for most pthread_* functions.  Modify our
use of pthread to use function checks, rather than header checks,
to determine how much pthread support is present.

* bootstrap.conf (gnulib_modules): Add pthread.
* configure.ac: Drop all pthread.h checks.  Optimize function
checks.  Add check for pthread functions.
* src/Makefile.am (libvirt_lxc_LDADD): Ensure proper link.
* src/remote/remote_driver.c (remoteIOEventLoop): Depend on
pthread_sigmask, now that gnulib guarantees pthread.h.
* src/util/util.c (virFork): Likewise.
* src/util/threads.c (threads-pthread.c): Depend on
pthread_mutexattr_init, as a witness of full pthread support.
* src/util/threads.h (threads-pthread.h): Likewise.

When cross-compiling on Linux, configure will misdetect the target as
Linux because it uses uname instead of relying on the $host variable.
This results in including libvirt_linux.syms into libvirt.syms and
therefore trying to export undefined symbols.

Replace uname checks with $host checks to fix this.

In commit 98fb83ce I changed the
version script handling. But it seems that I didn't test this properly
and broke it. The .def file is passed to the compiler directly, but it
should get passed to the linker instead.

Set VERSION_SCRIPT_FLAGS to -Wl, to pass the .def file correctly to
the linker.

This fixes the undefined symbol errors while linking virsh.

* configure.ac docs/news.html.in libvirt.spec.in: updates for release
* po/*.po*: updated localizations and regenerated

Let configure detect ld instead of hardcoding /usr/bin/ld, because
MinGW may have ld in /bin.

Only use a .def file to export symbols on MinGW. Cygwin's ld supports
the normal .syms file used on Linux.

as their drivers requires linux only headers

Cygwin's XDR implementation defines xdr_u_int64_t instead of
xdr_uint64_t and lacks IXDR_PUT_INT32/IXDR_GET_INT32.

Alter the IXDR_GET_LONG regex in rpcgen_fix.pl so it doesn't destroy
the #define IXDR_GET_INT32 IXDR_GET_LONG in remote_protocol.x.

Also fix the remote_protocol.h regex in rpcgen_fix.pl.

Also move the equivalent checks for LXC and UML before their header
checks. This way configure doesn't check for the headers when the driver
gets disabled anyway.

* configure.ac: Avoid syntax error.

Under cygwin, winsock2.h is intentionally incompatible with,
<sys/socket.h>, and checking for existence is wrong.

Under mingw, HAVE_WINSOCK2_H is defined on our behalf by
gnulib, in a way that does not interfere with cygwin.

* configure.ac: Drop unnecessary header check.
Reported by Matthias Bolte.

* Fix a logic error in configure.ac that prevented --with-selinux=no
  from being used with --with-secdriver-selinux=no.

* Fix some strings to clarify the difference between --with-selinux
  and --with-secdriver-selinux.
Signed-off-by: NSpencer Shimko <sshimko@tresys.com>
Signed-off-by: NEric Blake <eblake@redhat.com>

* configure.ac (STATIC_ANALYSIS): Define when run via clang's
scan-build or coverity-prevent's cov-build.
Use the CLANG_CC and COVERITY_BUILD_COMMAND envvars as witnesses.

I am getting rid of determining the path to necessary CLI tools at
compile time. Instead, now the firewall driver has an initialization
function that uses virFindFileInPath() to determine the path to
necessary CLI tools and a shutdown function to free allocated memory.
The rest of the patch mostly deals with availability of the CLI tools
and to not call certain code blocks if a tool is not available and that
strings now have to be built slightly differently.

* configure.ac docs/news.html.in libvirt.spec.in src/libvirt_public.syms:
  updates for release of 0.8.0
* po/*.po po/libvirt.pot: updated a lar set of localizations, and merge
  the messages

The MinGW linker needs the libvirt.def file.

The network filter / snapshot / hooks code introduced some
non-portable pices that broke the win32 build

* configure.ac: Check for net/ethernet.h required by nwfile config
   parsing code
* src/conf/nwfilter_conf.c: Define ethernet protocol  constants
  if net/ethernet.h is missing
* src/util/hooks.c: Disable hooks build on Win32 since it lacks
  fork/exec/pipe
* src/util/threads-win32.c: Fix unchecked return value
* tools/virsh.c: Disable SIGPIPE on Win32 since it doesn't exist.
  Fix non-portable strftime() formats

Just checking for a windres tool might hit even on Linux systems when
building for Linux (e.g.: when using Gentoo and having built binutils
with multitarget support), and will then fail to link properly at the
end of the build.

* configure.ac: Avoid searching for windres on non windows target

This patch implements support for learning a VM's IP address. It uses
the pcap library to listen on the VM's backend network interface (tap)
or the physical ethernet device (macvtap) and tries to capture packets
with source or destination MAC address of the VM and learn from DHCP
Offers, ARP traffic, or first-sent IPv4 packet what the IP address of
the VM's interface is. This then allows to instantiate the network
traffic filtering rules without the user having to provide the IP
parameter somewhere in the filter description or in the interface
description as a parameter. This only supports to detect the parameter
IP, which is for the assumed single IPv4 address of a VM. There is not
support for interfaces that may have multiple  IP addresses (IP
aliasing) or IPv6 that may then require more than one valid IP address
to be detected. A VM can have multiple independent interfaces that each
uses a different IP address and in that case it will be attempted to
detect each one of the address independently.

So, when for example an interface description in the domain XML has
looked like this up to now:

    <interface type='bridge'>
      <source bridge='mybridge'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='10.2.3.4'/>
      </filterref>
    </interface>

you may omit the IP parameter:

    <interface type='bridge'>
      <source bridge='mybridge'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'/>
    </interface>

Internally I am walking the 'tree' of a VM's referenced network filters
and determine with the given variables which variables are missing. Now,
the above IP parameter may be missing and this causes a libvirt-internal
thread to be started that uses the pcap library's API to listen to the
backend interface  (in case of macvtap to the physical interface) in an
attempt to determine the missing IP parameter. If the backend interface
disappears the thread terminates assuming the VM was brought down. In
case of a macvtap device a timeout is being used to wait for packets
from the given VM (filtering by VM's interface MAC address). If the VM's
macvtap device disappeared the thread also terminates. In all other
cases it tries to determine the IP address of the VM and will then apply
the rules late on the given interface, which would have happened
immediately if the IP parameter had been explicitly given. In case an
error happens while the firewall rules are applied, the VM's backend
interface is 'down'ed preventing it to communicate. Reasons for failure
for applying the network firewall rules may that an ebtables/iptables
command failes or OOM errors. Essentially the same failure reasons may
occur as when the firewall rules are applied immediately on VM start,
except that due to the late application of the filtering rules the VM
now is already running and cannot be hindered anymore from starting.
Bringing down the whole VM would probably be considered too drastic.
While a VM's IP address is attempted to be determined only limited
updates to network filters are allowed. In particular it is prevented
that filters are modified in such a way that they would introduce new
variables.

A caveat: The algorithm does not know which one is the appropriate IP
address of a VM. If the VM spoofs an IP address in its first ARP traffic
or IPv4 packets its filtering rules will be instantiated for this IP
address, thus 'locking' it to the found IP address. So, it's still
'safer' to explicitly provide the IP address of a VM's interface in the
filter description if it is known beforehand.

* configure.ac: detect libpcap
* libvirt.spec.in: require libpcap[-devel] if qemu is built
* src/internal.h: add the new ATTRIBUTE_PACKED define
* src/Makefile.am src/libvirt_private.syms: add the new modules and symbols
* src/nwfilter/nwfilter_learnipaddr.[ch]: new module being added
* src/nwfilter/nwfilter_driver.c src/conf/nwfilter_conf.[ch]
  src/nwfilter/nwfilter_ebiptables_driver.[ch]
  src/nwfilter/nwfilter_gentech_driver.[ch]: plu the new functionality in
* tests/nwfilterxml2xmltest: extend testing

* cfg.mk (sc_prohibit_test_minus_ao): Also check for [.
* docs/Makefile.am (%.html, html/index.html): Avoid non-portable
test usage.
* libvirt.spec.in (%post): Likewise.
* tools/virt-pki-validate.in (servercert.pem): Likewise.
* configure.ac (LOGNAME): Use test, not [, in files processed by
autoconf.
Detected by Matthias Bolte.

This patch adds IPv6 filtering support for the following protocols:
- tcp-ipv6
- udp-ipv6
- udplite-ipv6
- esp-ipv6
- ah-ipv6
- sctp-ipv6
- all-ipv6
- icmpv6

Many of the IPv4 data structure could be re-used for IPv6 support.
Since ip6tables also supports pretty much the same command line parameters
as iptables does, also much of the code could be re-used and now
command lines are invoked with the ip(6)tables tool parameter passed
through the functions as a parameter.

This patch adds some example filters to libvirt. They are automatically
installed into the proper directory for libvirt to pick them up.

This patch adds support for L3/L4 filtering using iptables. This adds
support for 'tcp', 'udp', 'icmp', 'igmp', 'sctp' etc. filtering.

As mentioned in the introduction, a .c file provided by this patch
is #include'd into a .c file. This will need work, but should be alright
for review.
Signed-off-by: NStefan Berger <stefanb@us.ibm.com>

This patch implements the core driver and provides
- management functionality for managing the filter XMLs
- compiling the internal filter representation into ebtables rules
- applying ebtables rules on a network (tap,macvtap) interface
- tearing down ebtables rules that were applied on behalf of an
interface
- updating of filters while VMs are running and causing the firewalls to
be rebuilt
- other bits and pieces
Signed-off-by: NStefan Berger <stefanb@us.ibm.com>

* configure.ac: Use "test cond1 || test cond2" instead.
* m4/compiler-flags.m4 (gl_COMPILER_FLAGS): Likewise.
* tests/test-lib.sh (verbose): Likewise.

* configure.ac: Use "test cond1 && test cond2" instead.

Use the __declspec(dllexport/dllimport) stuff to export the symbol,
otherwise accessing virConnectAuthPtrDefault triggers a segfault.

* configure.ac: fix the header test used for macvtap availability
  detection

* configure.ac libvirt.spec.in: update with new version
* docs/news.html.in: add list of changes in 0.7.7
* po/*po*: updated spanish and russian localisations, rebuilt

With the recent changes to the linking defaults in Fedora 13 (namely
enabling --no-add-needed behaviour by default), we have to pass the
dlopen()-providing libraries directly at the link of the module; use the
same AC_SEARCH_LIBS function as used before to look for it and add it to
the Makefile.

Instead of using AC_CHECK_LIB and hardcoding -ldl, search for the library
needed to get dlopen() and then use the cached value.

* We are reverting this patch pending a discussion of the right way to implement.

* configure.ac: Fix typos:
s/DRIVER_MODULES_CFLAGS/DRIVER_MODULE_CFLAGS/
s/DRIVER_MODULES_LIBS/DRIVER_MODULE_LIBS/

since we're using gettext-0.14.1, which uses that now-obsolete
automake symbol.  Otherwise, make distcheck would fails like this:

    make[2]: Entering directory `/t/libvirt-0.7.6/_build/po'
    /bin/sh @MKINSTALLDIRS@ /t/libvirt-0.7.6/_inst/share
    /bin/sh: @MKINSTALLDIRS@: No such file or directory
    make[2]: *** [install-data-yes] Error 127

* configure.ac (MKINSTALLDIRS): Define.
For reference, we're currently hamstrung by our desire
to support RHEL5, which still uses gettext-0.14:
http://bugzilla.redhat.com/523713